Measuring secure coding practice and culture: A finger pointing at the moon is not the moon

dc.contributor.author: Ryan, Ita
dc.contributor.author: Roedig, Utz
dc.contributor.author: Stol, Klaas-Jan
dc.contributor.funder: Science Foundation Ireland
dc.description.abstract: Software security research has a core problem: it is impossible to prove the security of complex software. A low number of known defects may simply indicate that the software has not been attacked yet, or that successful attacks have not been detected. A high defect count may be the result of white-hat hacker targeting, or of a successful bug bounty program which prevented insecurities from persisting in the wild. This makes it difficult to measure the security of non-trivial software. Researchers instead usually measure effort directed towards ensuring software security. However, different researchers use their own tailored measures, usually devised from industry secure coding guidelines. Not only is there no agreed way to measure effort, there is also no agreement on what effort entails. Qualitative studies emphasise the importance of security culture in an organisation. Where software security practices are introduced solely to ensure compliance with legislative or industry standards, a box-ticking attitude to security may result. The security culture may be weak or non-existent, making it likely that precautions not explicitly mentioned in the standards will be missed. Thus, researchers need both a way to assess software security practice and a way to measure software security culture. To assess security practice, we converted the empirically-established 12 most common software security activities into questions. To assess security culture, we devised a number of questions grounded in prior literature. We ran a secure development survey with both sets of questions, obtaining organic responses from 1,100 software coders in 59 countries. We used proven common activities to assess security practice, and made a first attempt to quantitatively assess aspects of security culture in the broad developer population. Our results show that some coders still work in environments where there is little to no attempt to ensure code security. Security practice and culture do not always correlate, and some organisations with strong secure coding practice have weak secure coding culture. This may lead to problems in defect prevention and sustained software security effort.
dc.description.status: Peer reviewed
dc.description.version: Accepted Version
dc.identifier.citation: Ryan, I., Roedig, U. and Stol, K.-J. (2023) 'Measuring Secure Coding Practice and Culture: A Finger Pointing at the Moon is not the Moon', in 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE). Melbourne, Australia: IEEE, pp. 1622–1634.
dc.relation.ispartof: ICSE 2023, 45th International Conference on Software Engineering, Melbourne, Australia, 14-20 May
dc.relation.project: info:eu-repo/grantAgreement/SFI/SFI Centres for Research Training Programme::Data and ICT Skills for the Future/18/CRT/6222/IE/SFI Centre for Research Training in Advanced Networks for Sustainable Societies/
dc.relation.project: info:eu-repo/grantAgreement/SFI/SFI Research Centres/13/RC/2077/IE/CONNECT: The Centre for Future Networks & Communications/
dc.relation.project: info:eu-repo/grantAgreement/SFI/SFI Starting Investigator Research Grant (SIRG)/15/SIRG/3293/IE/Software Development with Alternative Workforces/
dc.rights: © 2023 IEEE. This Work is licensed under Creative Commons Attribution 4.0 License.
dc.subject: Secure coding
dc.subject: Security compliance
dc.subject: Security culture
dc.subject: Measuring secure coding
dc.title: Measuring secure coding practice and culture: A finger pointing at the moon is not the moon
dc.type: Conference item