Measuring secure coding practice and culture: A finger pointing at the moon is not the moon

cb
Thumbnail Image
Files
ICSE_Moon.pdf(216.69 KB)
Accepted version
Date
2023-05
Authors
Ryan, Ita
Roedig, Utz
Stol, Klaas-Jan
Journal Title
Journal ISSN
Volume Title
Publisher
IEEE
Published Version
10.1109/ICSE48619.2023.00140
Research Projects
Organizational Units
Journal Issue
Abstract
Software security research has a core problem: it is impossible to prove the security of complex software. A low number of known defects may simply indicate that the software has not been attacked yet, or that successful attacks have not been detected. A high defect count may be the result of white-hat hacker targeting, or of a successful bug bounty program which prevented insecurities from persisting in the wild. This makes it difficult to measure the security of non-trivial software. Researchers instead usually measure effort directed towards ensuring software security. However, different researchers use their own tailored measures, usually devised from industry secure coding guidelines. Not only is there no agreed way to measure effort, there is also no agreement on what effort entails. Qualitative studies emphasise the importance of security culture in an organisation. Where software security practices are introduced solely to ensure compliance with legislative or industry standards, a box-ticking attitude to security may result. The security culture may be weak or non-existent, making it likely that precautions not explicitly mentioned in the standards will be missed. Thus, researchers need both a way to assess software security practice and a way to measure software security culture. To assess security practice, we converted the empirically-established 12 most common software security activities into questions. To assess security culture, we devised a number of questions grounded in prior literature. We ran a secure development survey with both sets of questions, obtaining organic responses from 1,100 software coders in 59 countries. We used proven common activities to assess security practice, and made a first attempt to quantitatively assess aspects of security culture in the broad developer population. Our results show that some coders still work in environments where there is little to no attempt to ensure code security. Security practice and culture do not always correlate, and some organisations with strong secure coding practice have weak secure coding culture. This may lead to problems in defect prevention and sustained software security effort.
Description
Keywords
Security , Secure coding , Security compliance , Security culture , Measuring secure coding
Citation
Ryan, I., Roedig, U. and Stol, K.-J. (2023) ‘Measuring Secure Coding Practice and Culture: A Finger Pointing at the Moon is not the Moon’, in 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE). Melbourne, Australia: IEEE, pp. 1622–1634. https://doi.org/10.1109/ICSE48619.2023.00140.
Link to publisher’s version
https://doi.org/10.1109/ICSE48619.2023.00140
URI
https://hdl.handle.net/10468/14695
Collections
Computer Science - Conference Items
Copyright
© 2023 IEEE. This Work is licensed under Creative Commons Attribution 4.0 License. https://creativecommons.org/licenses/by/4.0/