Measuring Secure Coding Practice and Culture: A Finger Pointing at the Moon is not the Moon
Software security research has a core problem: it is impossible to prove the security of complex software. A low number of known defects may simply indicate that the software has not been attacked yet, or that successful attacks have not been detected. A high defect count may be the result of white-hat hacker targeting, or of a successful bug bounty program which prevented insecurities from persisting in the wild. This makes it difficult to measure the security of non-trivial software. Researchers instead usually measure effort directed towards ensuring software security. However, different researchers use their own tailored measures, usually devised from industry secure coding guidelines. Not only is there no agreed way to measure effort, there is also no agreement on what effort entails. Qualitative studies emphasise the importance of ‘security culture’ in an organisation. Where software security practices are introduced solely to ensure compliance with legislative or industry standards, a ‘checkbox’ attitude to security may result. The security culture may be weak or non-existent, making it likely that precautions not explicitly mentioned in the standards will be missed. Thus, researchers need both a way to assess software security practices and a way to measure software security culture. To assess security practice, we converted the empirically-established 12 most common software security activities into questions. To assess security culture, we devised a number of questions grounded in prior literature. We ran a secure development survey with both sets of questions, obtaining organic responses from 1,100 software coders in 59 countries. Our results show that some coders still work in environments where there is little to no attempt to ensure code securely. We used proven common activities to assess security practice, and made the first attempt to devise an instrument to assess security culture. Our analysis found that secure coding practice is not always matched by a secure coding culture, which may lead to problems in defect prevention and sustained security effort.
Thu 18 MayDisplayed time zone: Hobart change
13:45 - 15:15 | SE for security 2Technical Track / Journal-First Papers at Meeting Room 106 Chair(s): Cristian Cadar Imperial College London, UK | ||
13:45 15mTalk | SLR: From Saltzer & Schoeder to 2021… Journal-First Papers Nikhil Patnaik University of Bristol, Andrew C Dwyer University of Durham, Joseph Hallett , Awais Rashid University of Bristol, UK | ||
14:00 15mTalk | On-Demand Security Requirements Synthesis with Relational Generative Adversarial Networks (RelGAN) Technical Track Viktoria Koscinski Rochester Institute of Technology, Sara Hashemi Rochester Institute of Technology, Mehdi Mirakhorli Rochester Institute of Technology | ||
14:15 15mTalk | Measuring Secure Coding Practice and Culture: A Finger Pointing at the Moon is not the Moon Technical Track Ita Ryan University College Cork, Utz Roedig University College Cork, Klaas-Jan Stol Lero; University College Cork; SINTEF Digital Pre-print | ||
14:30 15mTalk | What Challenges Do Developers Face About Checked-in Secrets in Software Artifacts? Technical Track Setu Kumar Basak North Carolina State University, Lorenzo Neil North Carolina State University, Bradley Reaves North Carolina State University, Laurie Williams North Carolina State University Pre-print | ||
14:45 15mTalk | Lejacon: A Lightweight and Efficient Approach to Java Confidential Computing on SGX Technical Track Xinyuan Miao Shanghai Jiao Tong University, Ziyi Lin Alibaba Group, Shaojun Wang Alibaba Group, Lei Yu Alibaba Group, Sanhong Li Alibaba Inc., Zihan Wang Shanghai Jiao Tong University, Pengbo Nie Shanghai Jiao Tong University, Yuting Chen Shanghai Jiao Tong University, Beijun Shen Shanghai Jiao Tong University, He Jiang Dalian University of Technology Pre-print | ||
15:00 15mTalk | Keyword Extraction From Specification Documents for Planning Security Mechanisms Technical Track Jeffy Jahfar Poozhithara Apple Inc. and University of Washington Bothell, Hazeline Asuncion University of Washington Bothell, Brent Lagesse University of Washington Bothell Pre-print | ||