Fri 2 May 2025 15:15 - 15:30 at 210 - Security and Analysis 3 Chair(s): Adriana Sejfia

As almost all areas of human endeavour undergo rapid digital transformation, secure coding is increasingly important to personal, commercial and national security. Yet studies have shown that software developers do not always prioritise or even understand security. Our large survey of organically sourced coders (n=863) examines how software developers currently experience secure coding in the workplace. We found that developers express an interest in secure coding, display basic security knowledge, and turn to their managers and teams first for help with security concerns. We found that developer secure coding traits and security practice do not correlate with organisational statistics such as size, but do correlate weakly with measures of security culture, and in some cases with practice, indicating that organisational security support goes hand-in-hand with secure development. Investigating the effects of code breaches, we found that for almost half of cases, code security does not increase, or increases only for a short time.

Fri 2 May

Displayed time zone: Eastern Time (US & Canada)

14:00 - 15:30
Security and Analysis 3 (Research Track / SE In Practice (SEIP)) at 210
Chair(s): Adriana Sejfia University of Edinburgh
14:00
15m
Talk
Automated, Unsupervised, and Auto-parameterized Inference of Data Patterns and Anomaly Detection (Security; Artifact-Functional, Artifact-Available, Artifact-Reusable)
Research Track
Qiaolin Qin Polytechnique Montréal, Heng Li Polytechnique Montréal, Ettore Merlo Polytechnique Montreal, Maxime Lamothe Polytechnique Montreal
Pre-print
14:15
15m
Talk
On Prescription or Off Prescription? An Empirical Study of Community-prescribed Security Configurations for Kubernetes (Security; Artifact-Available)
Research Track
Shazibul Islam Shamim Auburn University, Hanyang Hu Company A, Akond Rahman Auburn University
Pre-print File Attached
14:30
15m
Talk
Similar but Patched Code Considered Harmful -- The Impact of Similar but Patched Code on Recurring Vulnerability Detection and How to Remove Them (Security)
Research Track
Zixuan Tan Zhejiang University, Jiayuan Zhou Huawei, Xing Hu Zhejiang University, Shengyi Pan Zhejiang University, Kui Liu Huawei, Xin Xia Huawei
Pre-print
14:45
15m
Talk
TIVER: Identifying Adaptive Versions of C/C++ Third-Party Open-Source Components Using a Code Clustering Technique (Security; Artifact-Functional, Artifact-Available, Artifact-Reusable)
Research Track
Youngjae Choi Korea University, Seunghoon Woo Korea University
15:00
15m
Talk
A scalable, effective and simple Vulnerability Tracking approach for heterogeneous SAST setups based on Scope+Offset (Security)
SE In Practice (SEIP)
James Johnson --, Julian Thome GitLab Inc., Lucas Charles GitLab Inc., Hua Yan GitLab Inc., Jason Leasure GitLab Inc.
Pre-print
15:15
15m
Talk
"ImmediateShortTerm3MthsAfterThatLOL": Developer Secure-Coding Sentiment, Practice and Culture in Organisations (Security; Artifact-Available, Artifact-Functional, Artifact-Reusable)
SE In Practice (SEIP)
Ita Ryan University College Cork, Utz Roedig University College Cork, Klaas-Jan Stol Lero; University College Cork; SINTEF Digital