abstract

First-time Security Audits as a Turning Point?: Challenges for Security Practices in an Industry Software Development Team

Authors:

Andreas Poller,

Laura Kocksch,

Katharina Kinder-Kurlanda,

Felix Anand EppAuthors Info & Claims

CHI EA '16: Proceedings of the 2016 CHI Conference Extended Abstracts on Human Factors in Computing Systems

Pages 1288 - 1294

https://doi.org/10.1145/2851581.2892392

Published: 07 May 2016 Publication History

Get Access

Abstract

Software development is often accompanied by security audits such as penetration tests, usually performed on behalf of the software vendor. In penetration tests security experts identify entry points for attacks in a software product. Many development teams undergo such audits for the first time if their product is attacked or faces new security concerns. The audits often serve as an eye-opener for development teams: they realize that security requires much more attention. However, there is a lack of clarity with regard to what lasting benefits developers can reap from penetration tests. We report from a one-year study of a penetration test run at a major software vendor, and describe how a software development team managed to incorporate the test findings. Results suggest that penetration tests improve developers' security awareness, but that long-lasting enhancements of development practices are hampered by a lack of dedicated security stakeholders and if security is not properly reflected in the communicative and collaborative structures of the organization.

References

[1]

Rainer Böhme and Márk Félegyházi. 2010. Proc. GameSec '10. Springer Berlin Heidelberg, Chapter Optimal Information Security Investment with Penetration Testing, 21-37.

Digital Library

Google Scholar

[2]

Daniel Geer and John Harthorne. 2002. Penetration testing: a duet. In Computer Security Applications Conference, 2002. Proceedings. 18th Annual. 185-195.

Digital Library

Google Scholar

[3]

Stina Matthiesen, Pernille Bjørn, and Lise Møller Petersen. 2014. "Figure out How to Code with the Hands of Others": Recognizing Cultural Blind Spots in Global Software Development. In Proc. CSCW'14. ACM, New York, NY, USA, 1107-1119.

Digital Library

Google Scholar

[4]

Gary McGraw, Sammy Migues, and Jacob West. 2015. Building Security In Maturity Model (BSIMM) Version 6. Technical Report. Cigital, Inc.

Google Scholar

[5]

Angela Sasse. 2011. Designing for Homer Simpson-D'Oh. Interfaces: The Quarterly Magazine of the BCS Interaction Group 86 (2011), 5-7.

Google Scholar

[6]

Rodrigo Werlinger, Kirstie Hawkey, David Botta, and Konstantin Beznosov. 2009. Security practitioners in context: Their activities and interactions with other stakeholders within organizations. International Journal of Human-Computer Studies 67, 7 (2009), 584 - 606.

Digital Library

Google Scholar

[7]

Shundan Xiao, Jim Witschey, and Emerson Murphy-Hill. 2014. Social Influences on Secure Development Tool Adoption: Why Security Tools Spread. In Proc. CSCW '14. ACM, New York, NY, USA, 1095-1106.

Digital Library

Google Scholar

[8]

Jing Xie, Heather Lipford, and Bei-Tseng Chu. 2012. Evaluating Interactive Support for Secure Programming. In Proc. CHI '12. ACM, New York, NY, USA, 2707-2716.

Digital Library

Google Scholar

Cited By

View all

Brun YLin TSomerville JMyers EEbner N(2023)Blindspots in Python and Java APIs Result in Vulnerable CodeACM Transactions on Software Engineering and Methodology10.1145/357185032:3(1-31)Online publication date: 26-Apr-2023
https://dl.acm.org/doi/10.1145/3571850
Ryan IRoedig UStol K(2023)Measuring Secure Coding Practice and Culture: A Finger Pointing at the Moon is not the Moon2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)10.1109/ICSE48619.2023.00140(1622-1634)Online publication date: May-2023
https://doi.org/10.1109/ICSE48619.2023.00140
Rauf IPetre MTun TLopez TNuseibeh B(2023)Security Thinking in Online Freelance Software Development2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Society (ICSE-SEIS)10.1109/ICSE-SEIS58686.2023.00008(13-24)Online publication date: May-2023
https://doi.org/10.1109/ICSE-SEIS58686.2023.00008
Show More Cited By

Index Terms

First-time Security Audits as a Turning Point?: Challenges for Security Practices in an Industry Software Development Team
1. Software and its engineering

Recommendations

Can Security Become a Routine?: A Study of Organizational Change in an Agile Software Development Group
CSCW '17: Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing

Organizational factors influence the success of security initiatives in software development. Security audits and developer training can motivate development teams to adopt security practices, but their interplay with organizational structures and ...
Software Security Maturity in Public Organisations
ISC 2015: Proceedings of the 18th International Conference on Information Security - Volume 9290

Software security is about building software that will be secure even when it is attacked. This paper presents results from a survey evaluating software security practices in software development lifecycles in 20 public organisations in Norway using the ...
Agile Software Development: The Straight and Narrow Path to Secure Software?

In this article, the authors contrast the results of a series of interviews with agile software development organizations with a case study of a distributed agile development effort, focusing on how information security is taken care of in an agile ...

Comments

Information & Contributors

Information

Published In

CHI EA '16: Proceedings of the 2016 CHI Conference Extended Abstracts on Human Factors in Computing Systems

May 2016

3954 pages

ISBN:9781450340823

DOI:10.1145/2851581

General Chairs:
Jofish Kaye
Yahoo
,
Allison Druin
University of Maryland / National Park Service
,
Program Chairs:
Cliff Lampe
University of Michigan
,
Dan Morris
Microsoft
,
Juan Pablo Hourcade
University of Iowa

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 May 2016

Check for updates

Author Tags

Qualifiers

Abstract

Conference

CHI'16

Sponsor:

SIGCHI

CHI'16: CHI Conference on Human Factors in Computing Systems

May 7 - 12, 2016

California, San Jose, USA

Acceptance Rates

CHI EA '16 Paper Acceptance Rate 1,000 of 5,000 submissions, 20%;

Overall Acceptance Rate 6,164 of 23,696 submissions, 26%

Upcoming Conference

CHI 2025

Sponsor:
sigchi

ACM CHI Conference on Human Factors in Computing Systems

April 26 - May 1, 2025

Yokohama , Japan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
231
Total Downloads

Downloads (Last 12 months)16
Downloads (Last 6 weeks)1

Reflects downloads up to 07 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Brun YLin TSomerville JMyers EEbner N(2023)Blindspots in Python and Java APIs Result in Vulnerable CodeACM Transactions on Software Engineering and Methodology10.1145/357185032:3(1-31)Online publication date: 26-Apr-2023
https://dl.acm.org/doi/10.1145/3571850
Ryan IRoedig UStol K(2023)Measuring Secure Coding Practice and Culture: A Finger Pointing at the Moon is not the Moon2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)10.1109/ICSE48619.2023.00140(1622-1634)Online publication date: May-2023
https://doi.org/10.1109/ICSE48619.2023.00140
Rauf IPetre MTun TLopez TNuseibeh B(2023)Security Thinking in Online Freelance Software Development2023 IEEE/ACM 45th International Conference on Software Engineering: Software Engineering in Society (ICSE-SEIS)10.1109/ICSE-SEIS58686.2023.00008(13-24)Online publication date: May-2023
https://doi.org/10.1109/ICSE-SEIS58686.2023.00008
Rauf IPetre MTun TLopez TLunn PVan Der Linden DTowse JSharp HLevine MRashid ANuseibeh B(2021)The Case for Adaptive Security InterventionsACM Transactions on Software Engineering and Methodology10.1145/347193031:1(1-52)Online publication date: 28-Sep-2021
https://dl.acm.org/doi/10.1145/3471930
Oliveira DLin TRahman MAkefirad REllis DPerez EBobhate RDeLong LCappos JBrun YEbner N(2018)API blindspotsProceedings of the Fourteenth USENIX Conference on Usable Privacy and Security10.5555/3291228.3291253(315-328)Online publication date: 12-Aug-2018
https://dl.acm.org/doi/10.5555/3291228.3291253

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Can Security Become a Routine?: A Study of Organizational Change in an Agile Software Development Group

Software Security Maturity in Public Organisations

Agile Software Development: The Straight and Narrow Path to Secure Software?

Comments

Information

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Share

Share this Publication link

Share on social media

Affiliations