Write a Blog >>
ICSE 2021
Mon 17 May - Sat 5 June 2021
Tue 25 May 2021 10:30 - 10:50 at Blended Sessions Room 2 - 1.1.2. Developers: Behavior Chair(s): Andrea Zisman
Tue 25 May 2021 22:30 - 22:50 at Blended Sessions Room 2 - 1.1.2. Developers: Behavior

While the techniques to achieve secure, privacy-preserving software are now well understood, evidence shows that many software development teams do not use them: they lack the ‘security maturity’ to assess security needs and decide on appropriate tools and processes; and they lack the ability to negotiate with product management for the required resources.

This paper describes a measuring approach to assess twelve aspects of this security maturity; its use to assess the impact of a lightweight package of workshops designed to increase security maturity; and a novel approach within that package to support developers in resource negotiation. Based on trials in eight organizations, involving over 80 developers, this paper demonstrates that (1) development teams can notably improve their security maturity even in the absence of security specialists; and (2) suitably guided, developers can find effective ways to promote security to product management. Empowering developers to make their own decisions and promote security in this way offers a powerful grassroots approach to improving the security of software worldwide.

Conference Day
Tue 25 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

10:30 - 11:30
1.1.2. Developers: BehaviorTechnical Track / SEIP - Software Engineering in Practice at Blended Sessions Room 2 +12h
Chair(s): Andrea ZismanThe Open University
A Passion for Security: Intervening to Help Software DevelopersSEIP
SEIP - Software Engineering in Practice
Charles WeirLancaster University, Ingolf BeckerUniversity College London, Lynne BlairLancaster University
DOI Pre-print Media Attached
“Do this! Do that!, And nothing will happen” Do specifications lead to securely stored passwords?Technical Track
Technical Track
Joseph HallettUniversity of Bristol, Nikhil PatnaikUniversity of Bristol, Benjamin ShreeveUniversity of Bristol, Awais RashidUniversity of Bristol, UK
Pre-print Media Attached
Why don’t Developers Detect Improper Input Validation?'; DROP TABLE Papers; --ACM SIGSOFT Distinguished PaperArtifact ReusableTechnical TrackArtifact Available
Technical Track
Larissa BrazUniversity of Zurich, Enrico FregnanUniversity of Zurich, Gül CalikliUniversity of Zürich, Alberto BacchelliUniversity of Zurich
Pre-print Media Attached