“ImmediateShortTerm3MthsAfterThatLOL”: Developer secure-coding sentiment, practice and culture in organisations

Date
2025-05
Authors
Ryan, Ita
Roedig, Utz
Stol, Klaas-Jan
Abstract
As almost all areas of human endeavour undergo rapid digital transformation, secure coding is increasingly important to personal, commercial and national security. Yet studies have shown that software developers do not always prioritise or even understand security. Our large survey of organically sourced coders (n=863) examines how software developers currently experience secure coding in the workplace. We found that developers express an interest in secure coding, display basic security knowledge, and turn to their managers and teams first for help with security concerns. We found that developer secure coding sentiment and security practice do not correlate with organisational statistics such as size, but do correlate weakly with measures of security culture, indicating that organisational security support goes hand-in-hand with secure development. Most developers would look for help in-house if they had security concerns. Investigating the effects of code breaches, we found that for almost half of cases, code security does not increase, or increases only for a short time.
Keywords
Rapid digital transformation, Secure coding
Citation
Ryan, I., Roedig, U. and Stol, K.-J. (2025) '“ImmediateShortTerm3MthsAfterThatLOL”: Developer secure-coding sentiment, practice and culture in organisations', 47th International Conference on Software Engineering (ICSE 2025), 27 April - 3 May, Ottawa, Canada.