Unhelpful assumptions in software security research
Files
Published Version
Date
2023-11-21
Authors
Ryan, Ita
Roedig, Utz
Stol, Klaas-Jan
Publisher
Association for Computing Machinery
Abstract
In the study of software security many factors must be considered. Once venturing beyond the simplest of laboratory experiments, the researcher is obliged to contend with exponentially complex conditions. Software security has been shown to be affected by priming, tool usability, library documentation, organisational security culture, the content and format of internet resources, IT team and developer interaction, Internet search engine ordering, developer personality, security warning placement, mentoring, developer experience and more. In a systematic review of software security papers published since 2016, we have identified a number of unhelpful assumptions that are commonly made by software security researchers. In this paper we list these assumptions, describe why they sometimes do not reflect reality, and suggest implications for researchers.
Keywords
Software security, Secure software development
Citation
Ryan, I., Roedig, U. and Stol, K.-J. (2023) 'Unhelpful assumptions in software security research', Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, Copenhagen, Denmark, 26-30 November, pp. 3460-3474. doi: 10.1145/3576915.3623122