Interventions for Software Security: Creating a Lightweight Program of Assurance Techniques for Developers

Title: Interventions for Software Security: Creating a Lightweight Program of Assurance Techniques for Developers
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Weir, Charles; Becker, Ingolf; Noble, James; Blair, Lynne; Sasse, Angela; Rashid, Awais
Conference Name: 2019 IEEE/ACM 41st International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)
Keywords: action research, assurance techniques, composability, developer centered security, development organizations, facilitated workshops, intervention, lightweight program, pubcrawl, scalability, security culture, security experts, security of data, security professionals, software assurance, software developer, software development teams, software engineering, software security, team
Abstract: Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team's motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. They were then validated in fieldwork with a Participatory Action Research study that delivered the workshops to three development organizations. This approach has the potential to be applied by many development teams, improving the security of software worldwide.
DOI: 10.1109/ICSE-SEIP.2019.00013
Citation Key: weir_interventions_2019