
Incorporating software security: using developer workshops to engage product managers

Published: 24 December 2022

Abstract

Evidence from data breach reports shows that many competent software development teams still do not implement secure, privacy-preserving software, even though techniques to do so are now well-known. A major factor causing this is simply a lack of priority and resources for security, as decided by product managers. So, how can we help developers and product managers to work together to achieve appropriate decisions on security and privacy issues? This paper explores using structured workshops to support teams of developers in engaging product managers with software security and privacy, even in the absence of security professionals. The research used the Design Based Research methodology. This paper describes and justifies our workshop design and implementation, and describes our thematic coding of both participant interviews and workshop discussions to quantify and explore the workshops’ effectiveness. Based on trials in eight organizations, involving 88 developers, we found the workshops effective in helping development teams to identify, promote, and prioritize security issues with product managers. Comparisons between organizations suggested that such workshops are most effective with groups with limited security expertise, and when led by the development team leaders. We also found workshop participants needed minimal guidance to identify security threats, and a wide range of ways to promote possible security improvements. Empowering developers and product managers in this way offers a powerful grassroots approach to improve software security worldwide.



Published In

Empirical Software Engineering, Volume 28, Issue 2, March 2023, 1389 pages

Publisher

Kluwer Academic Publishers, United States

Publication History

Published: 24 December 2022
Accepted: 20 October 2022

Author Tags

  1. Developer centered security
  2. Software security
  3. Software developer
  4. Cybersecurity
  5. Software development
  6. SDLC
  7. Product management
  8. Product manager
  9. Design based research

Qualifiers

  • Research-article
