Interventions for Long Term Software Security: Creating a Lightweight Program of Assurance Techniques for Developers

Weir, Charles and Becker, Ingolf and Noble, James and Blair, Lynne and Sasse, M. Angela and Rashid, Awais (2020) Interventions for Long Term Software Security: Creating a Lightweight Program of Assurance Techniques for Developers. Software: Practice and Experience, 50 (3). pp. 275-298. ISSN 0038-0644

Text (WeirSPEJournalPaper)
WeirSPEJournalPaper.pdf - Accepted Version
Available under License Creative Commons Attribution-NonCommercial.

Text (Author Preprint: Interventions for Long Term Software Security)
InterventionsPaperPreReviewVersion.pdf - Other
Available under License Creative Commons Attribution-NonCommercial-NoDerivs.


Abstract

Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team’s motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. We tested the interventions in a Participatory Action Research field study where we delivered the workshops to three software development organizations, and evaluated their effectiveness through interviews beforehand, immediately afterwards, and after twelve months. We found that the interventions can be effective with teams with limited or no security experience, and that improvement is long lasting. This approach and the learning points arising from the work here have the potential to be applied in many development teams, improving the security of software worldwide.

Item Type:
Journal Article
Journal or Publication Title:
Software: Practice and Experience
Additional Information:
This is the authors' preprint version of the following article: Weir, C, Becker, I, Noble, J, Blair, L, Sasse, MA, Rashid, A. Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers. Softw: Pract Exper. 2019; 1–24, which has been published in final form at https://onlinelibrary.wiley.com/doi/10.1002/spe.2774
Uncontrolled Keywords:
/dk/atira/pure/subjectarea/asjc/1700/1712
ID Code:
138177
Deposited On:
23 Oct 2019 12:15
Refereed?:
Yes
Published?:
Published
Last Modified:
26 Nov 2020 06:45