Home > Research > Publications & Outputs > Incorporating Software Security

Electronic data

  • Incorporating Software Security

    Accepted author manuscript, 1.62 MB, PDF document

    Available under license: CC BY: Creative Commons Attribution 4.0 International License

Links

Text available via DOI:

View graph of relations

Incorporating Software Security: Using Developer Workshops to Engage Product Managers

Research output: Contribution to Journal/MagazineJournal articlepeer-review

Published

Standard

Incorporating Software Security: Using Developer Workshops to Engage Product Managers. / Weir, Charles; Becker, Ingolf; Blair, Lynne.
In: Empirical Software Engineering, Vol. 28, No. 2, 21, 31.03.2023.

Research output: Contribution to Journal/MagazineJournal articlepeer-review

Harvard

APA

Vancouver

Weir C, Becker I, Blair L. Incorporating Software Security: Using Developer Workshops to Engage Product Managers. Empirical Software Engineering. 2023 Mar 31;28(2):21. Epub 2022 Dec 24. doi: 10.1007/s10664-022-10252-0

Author

Weir, Charles ; Becker, Ingolf ; Blair, Lynne. / Incorporating Software Security : Using Developer Workshops to Engage Product Managers. In: Empirical Software Engineering. 2023 ; Vol. 28, No. 2.

Bibtex

@article{8be67fa1deef4c5d82c22122770fa4de,
title = "Incorporating Software Security: Using Developer Workshops to Engage Product Managers",
abstract = "Evidence from data breach reports shows that many competent software development teams still do not implement secure, privacy-preserving software, even though techniques to do so are now well-known. A major factor causing this is simply a lack of priority and resources for security, as decided by product managers. So, how can we help developers and product managers to work together to achieve appropriate decisions on security and privacy issues?This paper explores using structured workshops to support teams of developers in engaging product managers with software security and privacy, even in the absence of security professionals. The research used the Design Based Research methodology. This paper describes and justifies our workshop design and implementation, and describes our thematic coding of both participant interviews and workshop discussions to quantify and explore the workshops{\textquoteright} effectiveness. Based on trials in eight organizations, involving 88 developers, we found the workshops effective in helping development teams to identify, promote, and prioritize security issues with product managers. Comparisons between organizations suggested that such workshops are most effective with groups with limited security expertise, and when led by the development team leaders. We also found workshop participants needed minimal guidance to identify security threats, and a wide range of ways to promote possible security improvements.Empowering developers and product managers in this way offers a powerful grassroots approach to improve software security worldwide.",
keywords = "Developer Centered Security, software security, software developer, cybersecurity, software development, SDLC, product management, product manager, Design Based Research",
author = "Charles Weir and Ingolf Becker and Lynne Blair",
year = "2023",
month = mar,
day = "31",
doi = "10.1007/s10664-022-10252-0",
language = "English",
volume = "28",
journal = "Empirical Software Engineering",
issn = "1382-3256",
publisher = "Springer Netherlands",
number = "2",

}

RIS

TY - JOUR

T1 - Incorporating Software Security

T2 - Using Developer Workshops to Engage Product Managers

AU - Weir, Charles

AU - Becker, Ingolf

AU - Blair, Lynne

PY - 2023/3/31

Y1 - 2023/3/31

N2 - Evidence from data breach reports shows that many competent software development teams still do not implement secure, privacy-preserving software, even though techniques to do so are now well-known. A major factor causing this is simply a lack of priority and resources for security, as decided by product managers. So, how can we help developers and product managers to work together to achieve appropriate decisions on security and privacy issues?This paper explores using structured workshops to support teams of developers in engaging product managers with software security and privacy, even in the absence of security professionals. The research used the Design Based Research methodology. This paper describes and justifies our workshop design and implementation, and describes our thematic coding of both participant interviews and workshop discussions to quantify and explore the workshops’ effectiveness. Based on trials in eight organizations, involving 88 developers, we found the workshops effective in helping development teams to identify, promote, and prioritize security issues with product managers. Comparisons between organizations suggested that such workshops are most effective with groups with limited security expertise, and when led by the development team leaders. We also found workshop participants needed minimal guidance to identify security threats, and a wide range of ways to promote possible security improvements.Empowering developers and product managers in this way offers a powerful grassroots approach to improve software security worldwide.

AB - Evidence from data breach reports shows that many competent software development teams still do not implement secure, privacy-preserving software, even though techniques to do so are now well-known. A major factor causing this is simply a lack of priority and resources for security, as decided by product managers. So, how can we help developers and product managers to work together to achieve appropriate decisions on security and privacy issues?This paper explores using structured workshops to support teams of developers in engaging product managers with software security and privacy, even in the absence of security professionals. The research used the Design Based Research methodology. This paper describes and justifies our workshop design and implementation, and describes our thematic coding of both participant interviews and workshop discussions to quantify and explore the workshops’ effectiveness. Based on trials in eight organizations, involving 88 developers, we found the workshops effective in helping development teams to identify, promote, and prioritize security issues with product managers. Comparisons between organizations suggested that such workshops are most effective with groups with limited security expertise, and when led by the development team leaders. We also found workshop participants needed minimal guidance to identify security threats, and a wide range of ways to promote possible security improvements.Empowering developers and product managers in this way offers a powerful grassroots approach to improve software security worldwide.

KW - Developer Centered Security

KW - software security

KW - software developer

KW - cybersecurity

KW - software development

KW - SDLC

KW - product management

KW - product manager

KW - Design Based Research

U2 - 10.1007/s10664-022-10252-0

DO - 10.1007/s10664-022-10252-0

M3 - Journal article

VL - 28

JO - Empirical Software Engineering

JF - Empirical Software Engineering

SN - 1382-3256

IS - 2

M1 - 21

ER -