DOI: 10.1145/3528579.3529180
Research article

Influences of developers' perspectives on their engagement with security in code

Published: 19 July 2022

Abstract

Background: Recent studies show that secure coding is about not only technical requirements but also developers' behaviour.
Objective: To understand the influence of socio-technical contexts on how developers attend to and engage with security in code, software engineering researchers collaborated with social psychologists on a psychologically-informed study.
Method: In a preregistered, between-group, controlled experiment, 124 developers from multiple freelance communities were primed toward one of three identities, after which they completed code review tasks with open-ended responses. Qualitative analysis of the rich data focused on the attitudes and reasoning that shaped their identification of security issues within code.
Results: Overall, attention to code security was intermittent and heterogeneous in focus. Although social identity priming did not significantly change the code review, qualitative analysis revealed that developers varied in how they noticed issues in code, how they addressed them, and how they justified their choices.
Conclusion: We found that many developers do think about security - but differently from one another. Hence, effective interventions to promote secure coding must be appropriate to the individual development context. Data is uploaded at: https://osf.io/3jvrk


Cited By

  • (2024) GDPR compliance via software evolution: Weaving security controls in software design. Journal of Systems and Software 216 (Oct 2024), 112144. https://doi.org/10.1016/j.jss.2024.112144

Published In

CHASE '22: Proceedings of the 15th International Conference on Cooperative and Human Aspects of Software Engineering
May 2022, 122 pages
ISBN: 9781450393423
DOI: 10.1145/3528579

In-Cooperation

  • IEEE CS

Publisher

Association for Computing Machinery, New York, NY, United States


Qualifiers

  • Research-article

Funding Sources

  • SFI
  • NCSC
  • UKRI/EPSRC

Conference

ICSE '22

Acceptance Rates

Overall Acceptance Rate: 47 of 70 submissions, 67%
