DOI: 10.1145/3485832.3485922
research-article
Open access

A Cross-role and Bi-national Analysis on Security Efforts and Constraints of Software Development Projects

Published: 06 December 2021

Abstract

Software security, often treated as a non-functional requirement, tends to receive lower priority than explicit functional requirements in development projects. To design security measures that can actually be used in software development, we must understand the obstacles that prevent the adoption of secure software development practices. In this study, we quantitatively analyzed the security efforts and constraints of software development projects through an online survey of software development professionals in the US and Japan (N=664). We show how certain characteristics of a development project, such as its contractual relationships or the software's target users, influence security efforts and constraints. In addition, by comparing the responses of two groups (developers and managers), we show how the gap between their security efforts and constraints influences software security. We believe the results offer insights for designing usable measures that support security-related decision-making in software development and for conducting appropriate surveys of software development professionals.

Published In

ACSAC '21: Proceedings of the 37th Annual Computer Security Applications Conference
December 2021
1077 pages
ISBN:9781450385794
DOI:10.1145/3485832
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. HCI for development
  2. Secure programming
  3. Security
  4. Survey

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC '21

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 413
  • Downloads (last 12 months): 146
  • Downloads (last 6 weeks): 22

Reflects downloads up to 14 Sep 2024