DOI: 10.1145/3442167.3442178
Research article, open access

Putting the Sec in DevSecOps: Using Social Practice Theory to Improve Secure Software Development

Published: 28 January 2021

Abstract

Practices such as open source development, agile, DevOps and DevSecOps mean that cyber security professionals need to find ways to blend cyber security with software development practices. One way of approaching this is as an awareness, education and training problem, and many organisations are focusing on training software developers in cyber security. In this paper, however, we make the case for looking more broadly at group rather than individual behaviours, by examining the social practices of software developers. Changing software development practices are shaping the lived experience of software developers, and we argue that understanding these practices will enable us to improve secure software development. We use social practice theory as a framework to develop recommendations for aligning and blending cyber security and software development. To achieve this, we carried out a rapid review of research on software development practices and supplemented it with data from ten key informant interviews to ascertain what needs to be considered when developing an intervention for secure software development. Finally, we outline how our research could be used to develop a workshop that would facilitate the co-creation of security practices for software development. We conclude with suggestions for future research.


Published In

NSPW '20: Proceedings of the New Security Paradigms Workshop 2020
October 2020
143 pages
ISBN:9781450389952
DOI:10.1145/3442167
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. Cyber Security
  2. DevSecOps
  3. Secure Software Development
  4. Social Practice Theory

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • EPSRC
  • ESRC

Conference

NSPW '20
NSPW '20: New Security Paradigms Workshop 2020
October 26 - 29, 2020
Online, USA

Acceptance Rates

Overall Acceptance Rate 98 of 265 submissions, 37%

Cited By

  • DevSecOps: Improving Software Development Life Cycle. International Journal of Advanced Research in Science, Communication and Technology, 316-325 (2024). DOI: 10.48175/IJARSCT-18739. Published 6 June 2024.
  • DevSecOps: Improving Software Development Life Cycle. International Journal of Advanced Research in Science, Communication and Technology, 316-325 (2024). DOI: 10.48175/IJARSCT-18379. Published 3 June 2024.
  • Burnout in Cybersecurity Incident Responders: Exploring the Factors that Light the Fire. Proceedings of the ACM on Human-Computer Interaction 8, CSCW1, 1-35 (2024). DOI: 10.1145/3637304. Published 26 April 2024.
  • Integrating Site Reliability Engineering Principles with DevSecOps for Enhanced Security Posture. 2024 International Conference on Intelligent Systems and Advanced Applications (ICISAA), 1-6 (2024). DOI: 10.1109/ICISAA62385.2024.10828869. Published 25 October 2024.
  • Analysis of Strategies for the Integration of Security Practices in Agile Software Development: A Sustainable SME Approach. IEEE Access 12, 35204-35230 (2024). DOI: 10.1109/ACCESS.2024.3372385.
  • DevSecOps practices and tools. International Journal of Information Security 24, 1 (2024). DOI: 10.1007/s10207-024-00914-z. Published 5 November 2024.
  • Implementing "DevSecOps as a Culture": The Concept, Benefits, Execution Strategies, and Challenges. Smart Trends in Computing and Communications, 189-197 (2024). DOI: 10.1007/978-981-97-1326-4_16. Published 2 June 2024.
  • Mathematical Approaches Transform Cybersecurity from Protoscience to Science. Applied Sciences 13, 11, 6508 (2023). DOI: 10.3390/app13116508. Published 26 May 2023.
  • Designing Through The Stack: The Case for a Participatory Digital Security By Design. Proceedings of the 2022 New Security Paradigms Workshop, 45-59 (2022). DOI: 10.1145/3584318.3584322. Published 24 October 2022.
  • Dancing, not Wrestling: Moving from Compliance to Concordance for Secure Software Development. Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, 1-9 (2022). DOI: 10.1145/3551349.3561145. Published 10 October 2022.
