Training Developers to Code Securely: Theory and Practice
Ita Ryan (1), Utz Roedig (2), Klaas-Jan Stol (3).
(1) ADVANCE Centre for Research Training, School of Computer Science and IT, University College Cork; (2) School of Computer Science and IT, University College Cork; (3) Lero, the SFI Research Centre for Software, School of Computer Science and IT, University College Cork.
Abstract:
Software security is essential. Flaws in software design and coding produce vulnerabilities that can be exploited by hostile actors, resulting in ransomware, espionage and the hacking of critical infrastructure. Meanwhile, DevOps and continuous integration introduce speed imperatives, often bypassing traditional security gates. Software security responsibility is increasingly shifting to software developers. Industry insiders advise that this extra responsibility should be accompanied by developer training. But is it? Analysis of what constitutes good software security training is sparse, and there is little information on the amount and quality of training actually offered to developers in industry. We analyse recent literature to find the positive features of effective secure development training. We examine training information from a large developer survey (n=962) to assess how training in the field matches key positive features. We find that while some developers experience excellent secure-coding training, others receive inadequate training, and the majority receive none.
Mon 15 Apr (displayed time zone: Lisbon)

14:00 - 15:30 | Training, knowledge and Industrial challenges (EnCyCriS/SVM), room Amadeo de Souza-Cardoso | Chair(s): John Eidar Simensen (IFE)

14:00 (20m, full paper) | Building a Cybersecurity Knowledge Graph with CyberGraph | Paolo Falcarin (Ca' Foscari University of Venice), Fabio Dainese (Ca' Foscari University of Venice)

14:20 (20m, full paper) | Training Developers to Code Securely: Theory and Practice | Ita Ryan (University College Cork), Utz Roedig (University College Cork), Klaas-Jan Stol (Lero; University College Cork; SINTEF Digital)

14:40 (20m, full paper) | On DevSecOps and Risk Management in Critical Infrastructures: Practitioners' Insights on Needs and Goals | Xhesika Ramaj (Østfold University College (HiØ) / Norwegian University of Science and Technology (NTNU)), Mary Sánchez-Gordón (Østfold University College), Vasileios Gkioulos (NTNU), Ricardo Colomo-Palacios (Universidad Politécnica de Madrid)

15:00 (20m, full paper) | Cyber-incident Response in Industrial Control Systems: Practices and Challenges in the Petroleum Industry | Vahiny Gnanasekaran (Norwegian University of Science and Technology NTNU), Maria Bartnes (Norwegian University of Science and Technology NTNU), Tor Olav Grøtan (SINTEF Digital), Poul Einar Heegaard (Norwegian University of Science and Technology NTNU)