'Think secure from the beginning' - A Survey with Software Developers

Hala Assal

CHI, pp. 289, 2019.

Keywords: HCI for development; secure programming; security; survey

Abstract:

Vulnerabilities persist despite existing software security initiatives and best practices. This paper focuses on the human factors of software security, including human behaviour and motivation. We conducted an online survey to explore the interplay between developers and software security processes, e.g., we looked into how developers in...
Introduction
  • Software security focuses on the resistance of applications to vulnerabilities exercised through malicious exploitations or unintentional triggers [2].
  • Recent user-centric research has focused on software developers as users who critically need support when dealing with the implementation of software that adequately addresses security [6, 28, 49].
  • The authors take a human-centric approach to address an under-investigated research area—the interplay between the developer and the process of managing software security.
  • The authors focus on supporting developers in avoiding unintentional vulnerabilities; malicious developers are out of the scope of this work.
  • RQ1: How does security fit in the development lifecycle in real life? RQ2: What are the current motivators and deterrents to developers paying attention to security? RQ3: Does the development methodology, company size, or adopting Test-Driven Development (TDD) influence software security?
Highlights
  • Software security focuses on the resistance of applications to vulnerabilities exercised through malicious exploitations or unintentional triggers [2].
  • One participant described software security as, “To think about security from the earliest planning phases as possible [...] and continue to focus on security implications throughout the remainder of the development process.” In addition, some participants indicated that security defences should be proactive, and that developers should “think secure from the beginning” and adopt an attacker-mindset.
  • A participant said, “rather than asking how will we achieve ‘this’, you ask how will someone exploit ‘this’. [...] when your processes are done in a proper, security conscious way, as much of the potential harm as possible should be mitigated.” Participants discussed various methods to ensure software security, such as internal and external audits, security testing, automated checks, code analysis and reviews, thinking about security when writing code, and incorporating security in design.
  • Security deterrent items (Table 4): D2: Software security does not fit in my schedule; D3: Software security is a burden on top of my main responsibilities; D6: We don’t have to worry much about security because frameworks [...] we use handle software security for us; D10: If we focus more on software security, we might lose our business opportunities; D13: I won’t be blamed if a security issue is found in my code; D14: It’s unlikely that attackers will attack us; D23: I do not have time to address software security; D25: There aren’t enough people in my team to address software security; D26: My team does not have the budget to address software security; D27: We’re doing fine, I don’t think we should change in terms of software security; D29: I tend to resist when I get assigned a security task. [Table residue: the deterrent factors were labelled “disillusioned”, “unequipped for security” (lack of knowledge or the unavailability of necessary tools), “competing priorities & no plan” (where security has a lower [...]), and “security is irrelevant”.]
  • We presented a survey study with 123 participants to explore how they address software security, as well as security motivators and deterrents.
  • Our work highlights the need to look beyond the individual and to focus on understanding organizational issues that lead to insecure practices.
Methods
  • The authors conducted an IRB-approved anonymous online survey with professional software developers using Qualtrics [1].

    Survey Design.
  • The authors asked participants to describe what it means to them “to include security into the development process” to capture their original understanding of software security.
  • The authors did not find evidence that the development methodology influenced teams’ overall effort towards software security, nor did it influence their effort per development stage.
  • It had no influence on software security strategies or deterrents to security.
  • The authors' dataset contained 49 (40%) participants in SMEs and 74 (60%) in LEs.
Results
  • Developers’ Work Motivation

    To explore participants' general work motivation, the authors generated the Work Self-Determination Index (W-SDI) [62] from the WEIMS.
  • One participant noted that “when your processes are done in a proper, security conscious way, as much of the potential harm as possible should be mitigated.” Participants discussed various methods to ensure software security, such as internal and external audits, security testing, automated checks, code analysis and reviews, thinking about security when writing code, and incorporating security in design.
  • Some participants discussed the importance of following best practices, using tools and programming languages approved by their organizations, and receiving support from security experts in their organizations.
Conclusion
  • Many participants indicated their companies faced security issues, including security breaches.
  • Seven participants who reported vulnerabilities in shipped code indicated that when deadlines approach, they ship their code with a backdoor to address the security issues later.
  • Developers in the study are not explicitly ignoring security, dismissing it, or considering it outside of their responsibility.
  • They are most motivated towards software security when they recognize and identify with its importance.
  • The authors' work highlights the need to look beyond the individual and to focus on understanding organizational issues that lead to insecure practices.
Tables
  • Table1: Summary of participant demographics
  • Table2: Factor analysis for security strategies
  • Table3: Factor analysis for motivation
  • Table4: Factor analysis for security deterrents
Related work
  • In their overview of the usable security field, Garfinkel and Lipford [25] highlight the shortage of human factors security research that focuses on software developers. Naiakshina et al. [42] cautioned that researchers do not have the same expertise in studies with developers as with typical end users, and they discussed how different study designs can help investigate different research questions. Pieczul et al. [49] discussed challenges facing usable security research for developers and highlighted the need for a deeper understanding of the continuously evolving field of software development. We now discuss recent research on this subject.

    Developers’ Abilities and Expertise. Developers and their lack of security education are frequently cited as the reason for vulnerabilities [47]. The assumption is that if developers learned about security, they could avoid vulnerabilities [11, 69]. Some argue the reason might be because security guidelines do not exist or are not mandated by the companies [67, 70, 73], or that developers might lack the ability [47] or proper expertise [13] to identify vulnerabilities.
Funding
  • Chiasson acknowledges funding from NSERC for her Canada Research Chair and Discovery grants.
References
  • [1] [n. d.]. Qualtrics. https://www.qualtrics.com. [Accessed June-2018].
  • [2] [n. d.]. Risk Management Guide for Information Technology Systems.
  • [3] Y. Acar, M. Backes, S. Fahl, S. Garfinkel, D. Kim, M. L. Mazurek, and C. Stransky. 2017. Comparing the Usability of Cryptographic APIs. In IEEE Symposium on Security and Privacy.
  • [4] Y. Acar, M. Backes, S. Fahl, D. Kim, M. L. Mazurek, and C. Stransky. 2016. You Get Where You’re Looking for: The Impact of Information Sources on Code Security. In IEEE Symp. on Security and Privacy. https://doi.org/10.1109/SP.2016.25
  • [5] Y. Acar, M. Backes, S. Fahl, D. Kim, M. L. Mazurek, and C. Stransky. 2017. How Internet Resources Might Be Helping You Develop Faster but Less Securely. IEEE Security & Privacy 15, 2 (2017).
  • [6] Y. Acar, S. Fahl, and M. L. Mazurek. 2016. You are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users. In IEEE Cybersecurity Development. https://doi.org/10.1109/SecDev.2016.013
  • [7] Y. Acar, C. Stransky, D. Wermke, C. Weir, M. L. Mazurek, and S. Fahl. 2017. Developers Need Support, Too: A Survey of Security Advice for Software Developers. In Cybersecurity Development (SecDev).
  • [8] H. Assal and S. Chiasson. 2018. Motivations and Amotivations for Software Security. In SOUPS Workshop on Security Information Workers (WSIW). USENIX Association.
  • [9] H. Assal and S. Chiasson. 2018. Security in the Software Development Lifecycle. In Symp. on Usable Privacy and Security. USENIX.
  • [10] N. Ayewah, D. Hovemeyer, J. D. Morgenthaler, J. Penix, and W. Pugh. 2008. Using Static Analysis to Find Bugs. IEEE Software 25, 5 (2008). https://doi.org/10.1109/MS.2008.130
  • [11] B. K. Marshall. [n. d.]. Passwords Found in the Wild for January 2013. http://blog.passwordresearch.com/2013/02/. [Accessed April-2017].
  • [12] D. Baca, M. Boldt, B. Carlsson, and A. Jacobsson. 2015. A Novel Security-Enhanced Agile Software Development Process Applied in an Industrial Setting. In Int. Conf. on Availability, Reliability and Security.
  • [13] D. Baca, K. Petersen, B. Carlsson, and L. Lundberg. 2009. Static Code Analysis to Detect Software Security Vulnerabilities - Does Experience Matter? In Int. Conf. on Availability, Reliability and Security.
  • [14] R. Balebako and L. Cranor. 2014. Improving App Privacy: Nudging App Developers to Protect User Privacy. IEEE Security & Privacy 12, 4 (2014).
  • [15] S. Bartsch. 2011. Practitioners’ Perspectives on Security in Agile Development. In Int. Conf. on Availability, Reliability and Security. https://doi.org/10.1109/ARES.2011.82
  • [16] G. Berisha and J. Shiroka Pula. 2015. Defining Small and Medium Enterprises: A Critical Review. Academic Journal of Business, Administration, Law and Social Sciences 1 (2015).
  • [17] A. Bessey, K. Block, B. Chelf, A. Chou, B. Fulton, S. Hallem, C. Henri-Gros, A. Kamsky, S. McPeak, and D. Engler. 2010. A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World. Communications of the ACM 53, 2 (2010).
  • [18] H. N. Boone and D. A. Boone. 2012. Analyzing Likert Data. Journal of Extension 50, 2 (2012), 1–5.
  • [19] CERT and CMU. [n. d.]. Cybersecurity Engineering. https://www.cert.org/cybersecurity-engineering/. [Accessed Feb-2017].
  • [20] B. Chess and G. McGraw. 2004. Static Analysis for Security. IEEE Security & Privacy 2, 6 (2004). https://doi.org/10.1109/MSP.2004.111
  • [21] D. A. Dillman. 2000. Mail and Internet Surveys: The Tailored Design Method. John Wiley & Sons, Inc.
  • [22] EQUIFAX. 2018. 2017 Cybersecurity Incident & Important Consumer Information. https://www.equifaxsecurity2017.com. [Accessed June-2018].
  • [23] A. Field. 2013. Discovering Statistics Using IBM SPSS Statistics. SAGE Publications Ltd.
  • [24] F. Fischer, K. Böttinger, H. Xiao, C. Stransky, Y. Acar, M. Backes, and S. Fahl. 2017. Stack Overflow Considered Harmful? The Impact of Copy Paste on Android Application Security. In IEEE Symp. on Security and Privacy. https://doi.org/10.1109/SP.2017.31
  • [25] S. Garfinkel and H. R. Lipford. 2014. Usable Security: History, Themes, and Challenges. Synthesis Lectures on Information Security, Privacy, and Trust 5, 2 (2014).
  • [26] P. L. Gorski, L. Lo Iacono, D. Wermke, C. Stransky, S. Möller, Y. Acar, and S. Fahl. 2018. Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic API Misuse. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). USENIX Association, Baltimore, MD, 265–281. https://www.usenix.org/conference/soups2018/presentation/gorski
  • [27] Government of Canada. 2018. SME Research and Statistics. http://www.ic.gc.ca/eic/site/061.nsf/eng/Home. [Accessed June-2018].
  • [28] M. Green and M. Smith. 2016. Developers are Not the Enemy!: The Need for Usable Security APIs. IEEE Security & Privacy 14, 5 (2016). https://doi.org/10.1109/MSP.2016.111
  • [29] G. Grieco, G. L. Grinblat, L. Uzal, S. Rawat, J. Feist, and L. Mounier. 2016. Toward Large-Scale Vulnerability Discovery Using Machine Learning. In ACM Conf. on Data and Application Security and Privacy. 12. https://doi.org/10.1145/2857705.2857720
  • [30] H. Assal. 2018. The Human Dimension of Software Security and Factors Affecting Security Processes. Carleton University.
  • [31] D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. 2008. Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. In IEEE Symp. on Security and Privacy (SP). https://doi.org/10.1109/SP.2008.31
  • [32] C. Herley and P. C. van Oorschot. 2017. SoK: Science, Security and the Elusive Goal of Security as a Scientific Pursuit. In IEEE S & P. https://doi.org/10.1109/SP.2017.38
  • [33] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. 2004. Securing Web Application Code by Static Analysis and Runtime Protection. In WWW. ACM, 13. https://doi.org/10.1145/988672.988679
  • [34] B. Johnson, Y. Song, E. Murphy-Hill, and R. Bowdidge. 2013. Why Don’t Software Developers Use Static Analysis Tools to Find Bugs? In 35th International Conference on Software Engineering (ICSE). 672–681. https://doi.org/10.1109/ICSE.2013.6606613
  • [35] N. Jovanovic, C. Kruegel, and E. Kirda. 2006. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In IEEE S & P. https://doi.org/10.1109/SP.2006.29
  • [36] H. F. Kaiser. 1970. A Second Generation Little Jiffy. Psychometrika (1970). https://doi.org/10.1007/BF02291817
  • [37] H. F. Kaiser and J. Rice. 1974. Little Jiffy, Mark IV. Educational and Psychological Measurement 34, 1 (1974). https://doi.org/10.1177/001316447403400115
  • [38] T. D. LaToza and B. A. Myers. 2010. On the Importance of Understanding the Strategies That Developers Use. In CHASE. ACM, 4. https://doi.org/10.1145/1833310.1833322
  • [39] J. Lazar, J. H. Feng, and H. Hochheiser. 2010. Research Methods in Human-Computer Interaction. John Wiley, Hoboken, NJ.
  • [40] H. Lipford, T. Thomas, B. Chu, and E. Murphy-Hill. 2014. Interactive Code Annotation for Security Vulnerability Detection. In ACM SIW. 6. https://doi.org/10.1145/2663887.2663901
  • [41] Microsoft Corp. [n. d.]. Microsoft Security Development Lifecycle. https://www.microsoft.com/en-us/sdl. [Accessed June-2016].
  • [42] A. Naiakshina, A. Danilova, C. Tiefenau, and M. Smith. 2018. Deception Task Design in Developer Password Studies: Exploring a Student Sample. In Fourteenth Symposium on Usable Privacy and Security (SOUPS). USENIX Association, Baltimore, MD, 297–313. https://www.usenix.org/conference/soups2018/presentation/naiakshina
  • [43] A. J. Nederhof. 1985. Methods of Coping with Social Desirability Bias: A Review. European Journal of Social Psychology 15, 3 (1985), 263–280.
  • [44] D. C. Nguyen, D. Wermke, Y. Acar, M. Backes, C. Weir, and S. Fahl. [n. d.]. A Stitch in Time: Supporting Android Developers in Writing Secure Code. In Conf. on Computer and Communications Security. ACM, 13. https://doi.org/10.1145/3133956.3133977
  • [45] V. Okun, A. Delaitre, and P. E. Black. 2013. Report on the Static Analysis Tool Exposition (SATE) IV. In NIST Special Publication 500-297.
  • [46] D. Oliveira, T. Lin, M. Rahman, R. Akefirad, D. Ellis, E. Perez, R. Bobhate, L. DeLong, J. Cappos, and Y. Brun. 2018. API Blindspots: Why Experienced Developers Write Vulnerable Code. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). USENIX Association, Baltimore, MD, 315–328. https://www.usenix.org/conference/soups2018/presentation/oliveira
  • [47] D. Oliveira, M. Rosenthal, N. Morin, K.-C. Yeh, J. Cappos, and Y. Zhuang. 2014. It’s the Psychology Stupid: How Heuristics Explain Software Vulnerabilities and How Priming Can Illuminate Developer’s Blind Spots. In ACSAC. ACM, 10. https://doi.org/10.1145/2664243.2664254
  • [48] OWASP. [n. d.]. OWASP Guide Project. https://www.owasp.org/index.php/Category:OWASPGuideProject. [Accessed Feb-2017].
  • [49] O. Pieczul, S. Foley, and M. E. Zurko. 2017. Developer-centered Security and the Symmetry of Ignorance. In NSPW. ACM, 11. https://doi.org/10.1145/3171533.3171539
  • [50] J. Radcliffe. 2011. Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System. https://media.blackhat.com/bh-us-11/ Radcliffe/BHUS11RadcliffeHackingMedicalDevicesWP.pdf. [Accessed
  • [51] Rapid 7 Community. 2015. #IoTsec Disclosure: 10 New
  • [52] H.-S. Rhee, Y. U. Ryu, and C.-T. Kim. 2012. Unrealistic Optimism on Information Security Management. Computers & Security (2012). https://doi.org/10.1016/j.cose.2011.12.001
  • [53] R. M. Ryan and E. L. Deci. 2000. Self-Determination Theory and the Facilitation of Intrinsic Motivation, Social Development, and Well-Being. American Psychologist 55, 1 (2000).
  • [54] R. Sass. 2016. How to Balance Between Security and Agile Development the Right Way. https://resources.whitesourcesoftware.com/blog-whitesource/how-to-balance-between-security-and-agiledevelopment-the-right-way. [Accessed May-2018].
  • [55] R. Seacord. 2011. Top 10 Secure Coding Practices. https://www.securecoding.cert.org/confluence/display/seccode/Top+10+ Secure+Coding+Practices. [Accessed Feb-2017].
  • [56] J. Smith, B. Johnson, E. Murphy-Hill, B. Chu, and H. R. Lipford. 2015. Questions Developers Ask While Diagnosing Potential Security Vulnerabilities with Static Analysis. In ESEC/FSE. ACM, 12. https://doi.org/10.1145/2786805.2786812
  • [57] J. Smith, B. Johnson, E. Murphy-Hill, B. T. Chu, and H. Richter. 2018. How Developers Diagnose Potential Security Vulnerabilities with a Static Analysis Tool. IEEE Transactions on Software Engineering (2018). https://doi.org/10.1109/TSE.2018.2810116
  • [58] J. P. Stevens. 2002. Applied Multivariate Statistics for the Social Sciences. Lawrence Erlbaum Associates, New Jersey.
  • [59] T. Thomas, B. Chu, H. Lipford, J. Smith, and E. Murphy-Hill. 2015. A Study of Interactive Code Annotation for Access Control Vulnerabilities. In IEEE Symp. on Visual Languages and Human-Centric Computing. https://doi.org/10.1109/VLHCC.2015.7357200
  • [60] T. W. Thomas, H. Lipford, B. Chu, J. Smith, and E. Murphy-Hill. 2016. What Questions Remain? An Examination of How Developers Understand an Interactive Static Analysis Tool. In Symp. on Usable Privacy and Security (SOUPS). USENIX Association.
  • [61] T. W. Thomas, M. Tabassum, B. Chu, and H. Lipford. 2018. Security During Application Development: An Application Security Expert Perspective. In Conf. on Human Factors in Computing Systems. ACM, Article 262, 12 pages. https://doi.org/10.1145/3173574.3173836
  • [62] M. A. Tremblay, C. M. Blanchard, S. Taylor, L. G. Pelletier, and M. Villeneuve. 2009. Work Extrinsic and Intrinsic Motivation Scale: Its Value for Organizational Psychology Research. Canadian Journal of Behavioural Science 41, 4 (2009).
  • [63] O. Tripp, S. Guarnieri, M. Pistoia, and A. Aravkin. 2014. ALETHEIA: Improving the Usability of Static Security Analysis. In ACM SIGSAC Conference on Computer and Communications Security (CCS). 13. https://doi.org/10.1145/2660267.2660339
  • [64] S. Türpe. 2016. Idea: Usable Platforms for Secure Programming – Mining Unix for Insight and Guidelines. In Engineering Secure Software and Systems. Springer Int. Publishing.
  • [65] N. D. Weinstein and W. M. Klein. 1996. Unrealistic Optimism: Present and Future. Journal of Social and Clinical Psychology (1996).
  • [66] C. Weir, A. Rashid, and J. Noble. 2017. I’d Like to Have an Argument, Please: Using Dialectic for Effective App Security. European Workshop on Usable Security (EuroUSEC) (2017).
  • [67] J. Witschey, S. Xiao, and E. Murphy-Hill. 2014. Technical and Personal Factors Influencing Developers’ Adoption of Security Tools. In ACM Workshop on Security Information Workers (SIW). 4. https://doi.org/10.1145/2663887.2663898
  • [68] I. M. Y. Woon and A. Kankanhalli. 2007. Investigation of IS Professionals’ Intention to Practise Secure Development of Applications. International Journal of Human-Computer Studies 65, 1 (2007).
  • [69] G. Wurster and P. C. van Oorschot. 2008. The Developer is the Enemy. In New Security Paradigms Workshop (NSPW). ACM, 9.
  • [70] S. Xiao, J. Witschey, and E. Murphy-Hill. 2014. Social Influences on Secure Development Tool Adoption: Why Security Tools Spread. In CSCW. ACM, 12. https://doi.org/10.1145/2531602.2531722
  • [71] J. Xie, B. Chu, H. R. Lipford, and J. T. Melton. 2011. ASIDE: IDE Support for Web Application Security. In Annual Computer Security Applications Conference (ACSAC). ACM, 10. https://doi.org/10.1145/2076732.2076770
  • [72] J. Xie, H. Lipford, and B.-T. Chu. 2012. Evaluating Interactive Support for Secure Programming. In CHI Conference on Human Factors in Computing Systems. ACM, 10. https://doi.org/10.1145/2207676.2208665
  • [73] J. Xie, H. R. Lipford, and B. Chu. 2011. Why Do Programmers Make Security Errors? In VL/HCC. IEEE.
  • [74] F. Yamaguchi, F. Lindner, and K. Rieck. 2011. Vulnerability Extrapolation: Assisted Discovery of Vulnerabilities Using Machine Learning. In USENIX Conference on Offensive Technologies (WOOT). 1.
Best Paper of CHI, 2019