Training developers to code securely: Theory and practice

Files
056500a037.pdf(494.88 KB)
Published version
Date
2024-08-26
Authors
Ryan, Ita
Roedig, Utz
Stol, Klaas-Jan
Publisher
ACM
Abstract
Software security is essential. Flaws in software design and coding produce vulnerabilities that can be exploited by hostile actors, resulting in ransomware, espionage and the hacking of critical infrastructure. Meanwhile, DevOps and continuous integration introduce speed imperatives, often bypassing traditional security gates. Software security responsibility is increasingly shifting to software developers. Industry insiders advise that this extra responsibility should be accompanied by developer training. But is it? Analysis of what constitutes good software security training is sparse, and there is little information on the amount and quality of training actually offered to developers in industry. We analyse recent literature to find the positive features of effective secure development training. We examine training information from a large developer survey (n=962) to assess how training in the field matches key positive features. We find that while some developers experience excellent secure-coding training, others receive inadequate training, and the majority receive none.
Keywords
Secure software development, Security, Secure coding training
Citation
Ryan, I., Roedig, U. and Stol, K.-J. (2024) 'Code Securely: Theory and Practice', In 2024 ACM/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE/ACM Second International Workshop on Software Vulnerability (EnCyCriS/SVM ’24), April 15, 2024, Lisbon, Portugal. ACM, New York, NY, USA, (8 pp). https://doi.org/10.1145/3643662.3643956