Electronic data

  • WeirSPEJournalPaper

    Rights statement: This is the peer reviewed version of the following article: Weir, C, Becker, I, Noble, J, Blair, L, Sasse, MA, Rashid, A. Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers. Softw: Pract Exper. 2019; 1–24. https://doi.org/10.1002/spe.2774 which has been published in final form at https://onlinelibrary.wiley.com/doi/10.1002/spe.2774 This article may be used for non-commercial purposes in accordance with Wiley Terms and Conditions for self-archiving.

    Accepted author manuscript, 1.21 MB, PDF document

    Available under license: CC BY-NC: Creative Commons Attribution-NonCommercial 4.0 International License

  • Author Preprint: Interventions for Long Term Software Security

    Other version, 1.19 MB, PDF document

    Available under license: CC BY-NC-ND: Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License

Interventions for Long Term Software Security: Creating a Lightweight Program of Assurance Techniques for Developers

Research output: Contribution to journal / Journal article

Published

Standard

Interventions for Long Term Software Security : Creating a Lightweight Program of Assurance Techniques for Developers. / Weir, Charles; Becker, Ingolf; Noble, James; Blair, Lynne; Sasse, M. Angela; Rashid, Awais.

In: Software: Practice and Experience, Vol. 50, No. 3, 01.03.2020, p. 275-298.

Harvard

Weir, C, Becker, I, Noble, J, Blair, L, Sasse, MA & Rashid, A 2020, 'Interventions for Long Term Software Security: Creating a Lightweight Program of Assurance Techniques for Developers', Software: Practice and Experience, vol. 50, no. 3, pp. 275-298. https://doi.org/10.1002/spe.2774

APA

Weir, C., Becker, I., Noble, J., Blair, L., Sasse, M. A., & Rashid, A. (2020). Interventions for Long Term Software Security: Creating a Lightweight Program of Assurance Techniques for Developers. Software: Practice and Experience, 50(3), 275-298. https://doi.org/10.1002/spe.2774

Author

Weir, Charles ; Becker, Ingolf ; Noble, James ; Blair, Lynne ; Sasse, M. Angela ; Rashid, Awais. / Interventions for Long Term Software Security : Creating a Lightweight Program of Assurance Techniques for Developers. In: Software: Practice and Experience. 2020 ; Vol. 50, No. 3. pp. 275-298.

Bibtex

@article{0015830f9d90423f88a674066ba985cd,
title = "Interventions for Long Term Software Security: Creating a Lightweight Program of Assurance Techniques for Developers",
abstract = "Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team{\textquoteright}s motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. We tested the interventions in a Participatory Action Research field study where we delivered the workshops to three software development organizations, and evaluated their effectiveness through interviews beforehand, immediately afterwards, and after twelve months. We found that the interventions can be effective with teams with limited or no security experience, and that improvement is long lasting. This approach and the learning points arising from the work here have the potential to be applied in many development teams, improving the security of software worldwide.",
keywords = "action research, cybersecurity, developer-centered security, intervention, software developer, software security",
author = "Charles Weir and Ingolf Becker and James Noble and Lynne Blair and Sasse, {M. Angela} and Awais Rashid",
note = "This is the authors' preprint version of the following article: Weir, C, Becker, I, Noble, J, Blair, L, Sasse, MA, Rashid, A. Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers. Softw: Pract Exper. 2019; 1–24, which has been published in final form at https://onlinelibrary.wiley.com/doi/10.1002/spe.2774",
year = "2020",
month = mar,
day = "1",
doi = "10.1002/spe.2774",
language = "English",
volume = "50",
pages = "275--298",
journal = "Software: Practice and Experience",
issn = "0038-0644",
publisher = "John Wiley and Sons Ltd",
number = "3",

}

RIS

TY - JOUR

T1 - Interventions for Long Term Software Security

T2 - Creating a Lightweight Program of Assurance Techniques for Developers

AU - Weir, Charles

AU - Becker, Ingolf

AU - Noble, James

AU - Blair, Lynne

AU - Sasse, M. Angela

AU - Rashid, Awais

N1 - This is the authors' preprint version of the following article: Weir, C, Becker, I, Noble, J, Blair, L, Sasse, MA, Rashid, A. Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers. Softw: Pract Exper. 2019; 1–24, which has been published in final form at https://onlinelibrary.wiley.com/doi/10.1002/spe.2774

PY - 2020/3/1

Y1 - 2020/3/1

N2 - Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team’s motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. We tested the interventions in a Participatory Action Research field study where we delivered the workshops to three software development organizations, and evaluated their effectiveness through interviews beforehand, immediately afterwards, and after twelve months. We found that the interventions can be effective with teams with limited or no security experience, and that improvement is long lasting. This approach and the learning points arising from the work here have the potential to be applied in many development teams, improving the security of software worldwide.

KW - action research

KW - cybersecurity

KW - developer-centered security

KW - intervention

KW - software developer

KW - software security

U2 - 10.1002/spe.2774

DO - 10.1002/spe.2774

M3 - Journal article

VL - 50

SP - 275

EP - 298

JO - Software: Practice and Experience

JF - Software: Practice and Experience

SN - 0038-0644

IS - 3

ER -