Secure coding in organisations: practice, culture, motivations and tensions

Files
RyanI_PhD2024.pdf (1.55 MB): Full Text E-thesis
RyanI_PhD2024.zip (978.13 KB): Zip File
Date
2024
Authors
Ryan, Ita
Publisher
University College Cork
Abstract
This thesis considers how to measure and improve secure software development in organisations. It comprises three studies: a literature review, a large-scale survey of software developers, and a study based on interviews with software professionals. The work is motivated by the continuing high prevalence of vulnerabilities in software. The proliferation of cybercrime, cyber espionage and other online issues, and their relationship to insecure software, are examined in the literature review. The literature review also uncovered two main secure-coding influences on software developers: personal attributes, such as knowledge and motivation, and environmental factors, such as secure-coding pressure, resources and support. These observations led to the development of the Software Developer Security Archetypes: a two-dimensional framework designed to provide a vocabulary for thinking about software developers and their software security context. Also in this first study, 25 unhelpful assumptions in software security research were identified and documented. These include the assumption that secure-coding activities will be reflected in artefacts, and the assumption that findings from a single study are final. The literature review suggested that some organisations pay lip service to code security without providing the requisite time and leadership support, a phenomenon sometimes called a ‘checkbox’ attitude to secure coding. The second study was designed to investigate this contradiction and other aspects of secure development. It entailed a secure coding development survey (n=962). Industry-based research was leveraged to construct a lightweight, empirically based set of questions to measure practice. A further set of questions grounded in the literature review was included to investigate security culture. Survey respondents worked in environments with a broad range of secure-coding approaches.
Comparison of secure coding practice and culture measurements showed indicators of a checkbox attitude to software security in some organisations. Small organisations, isolated and solo developers, and freelance workers used fewer secure development practices, and their use of secure-coding tools was limited. Secure coding requires specific technical knowledge. The answers to secure software training questions indicated that only 39.6% of respondents had been offered secure coding training. When training was offered, it did not always have the qualities required to make it effective, such as relevance and frequency. The third study comprised a series of interviews with software developers and senior managers that sought their views on how software-security prioritisation by senior management affects secure development. The factors that motivate senior management in organisations to prioritise software security were investigated. Interview analysis showed that awareness and knowledge of security, breaches in other organisations, and regulatory and legal obligations were considered organisational software security motivators. This research indicates that increasing the software security obligations of organisations and other entities producing software is essential to increasing software security. However, such measures may have unintended consequences, such as the stifling of innovation.
Keywords
Secure software development, Software security, Software security culture, Software security training
Citation
Ryan, I. 2024. Secure coding in organisations: practice, culture, motivations and tensions. PhD Thesis, University College Cork.