ABSTRACT
Software development is often accompanied by security audits such as penetration tests, usually performed on behalf of the software vendor. In penetration tests security experts identify entry points for attacks in a software product. Many development teams undergo such audits for the first time if their product is attacked or faces new security concerns. The audits often serve as an eye-opener for development teams: they realize that security requires much more attention. However, there is a lack of clarity with regard to what lasting benefits developers can reap from penetration tests. We report from a one-year study of a penetration test run at a major software vendor, and describe how a software development team managed to incorporate the test findings. Results suggest that penetration tests improve developers' security awareness, but that long-lasting enhancements of development practices are hampered by a lack of dedicated security stakeholders and if security is not properly reflected in the communicative and collaborative structures of the organization.
First-time Security Audits as a Turning Point?: Challenges for Security Practices in an Industry Software Development Team