abstract

First-time Security Audits as a Turning Point?: Challenges for Security Practices in an Industry Software Development Team

Authors:
Andreas Poller

Fraunhofer Institute for Secure Information Technology SIT, Darmstadt, Hesse, Germany

Fraunhofer Institute for Secure Information Technology SIT, Darmstadt, Hesse, Germany
View Profile

,
Laura Kocksch

Fraunhofer Institute for Secure Information Technology & Goethe University, Darmstadt, Hesse, Germany

Fraunhofer Institute for Secure Information Technology & Goethe University, Darmstadt, Hesse, Germany
View Profile

,
Katharina Kinder-Kurlanda

GESIS - Leibniz-Institute for the Social Sciences, Köln, Germany

GESIS - Leibniz-Institute for the Social Sciences, Köln, Germany
View Profile

,
Felix Anand Epp

Fraunhofer Institute for Secure Information Technology & Darmstadt University of Applied Sciences, Darmstadt, Hesse, Germany

Fraunhofer Institute for Secure Information Technology & Darmstadt University of Applied Sciences, Darmstadt, Hesse, Germany
View Profile

CHI EA '16: Proceedings of the 2016 CHI Conference Extended Abstracts on Human Factors in Computing SystemsMay 2016Pages 1288–1294https://doi.org/10.1145/2851581.2892392

Published:07 May 2016Publication History

CHI EA '16: Proceedings of the 2016 CHI Conference Extended Abstracts on Human Factors in Computing Systems

Pages 1288–1294

ABSTRACT

Software development is often accompanied by security audits such as penetration tests, usually performed on behalf of the software vendor. In penetration tests security experts identify entry points for attacks in a software product. Many development teams undergo such audits for the first time if their product is attacked or faces new security concerns. The audits often serve as an eye-opener for development teams: they realize that security requires much more attention. However, there is a lack of clarity with regard to what lasting benefits developers can reap from penetration tests. We report from a one-year study of a penetration test run at a major software vendor, and describe how a software development team managed to incorporate the test findings. Results suggest that penetration tests improve developers' security awareness, but that long-lasting enhancements of development practices are hampered by a lack of dedicated security stakeholders and if security is not properly reflected in the communicative and collaborative structures of the organization.

References

Rainer Böhme and Márk Félegyházi. 2010. Proc. GameSec '10. Springer Berlin Heidelberg, Chapter Optimal Information Security Investment with Penetration Testing, 21-37. Google ScholarDigital Library
Daniel Geer and John Harthorne. 2002. Penetration testing: a duet. In Computer Security Applications Conference, 2002. Proceedings. 18th Annual. 185-195. Google ScholarDigital Library
Stina Matthiesen, Pernille Bjørn, and Lise Møller Petersen. 2014. "Figure out How to Code with the Hands of Others": Recognizing Cultural Blind Spots in Global Software Development. In Proc. CSCW'14. ACM, New York, NY, USA, 1107-1119. Google ScholarDigital Library
Gary McGraw, Sammy Migues, and Jacob West. 2015. Building Security In Maturity Model (BSIMM) Version 6. Technical Report. Cigital, Inc.Google Scholar
Angela Sasse. 2011. Designing for Homer Simpson-D'Oh. Interfaces: The Quarterly Magazine of the BCS Interaction Group 86 (2011), 5-7.Google Scholar
Rodrigo Werlinger, Kirstie Hawkey, David Botta, and Konstantin Beznosov. 2009. Security practitioners in context: Their activities and interactions with other stakeholders within organizations. International Journal of Human-Computer Studies 67, 7 (2009), 584 - 606. Google ScholarDigital Library
Shundan Xiao, Jim Witschey, and Emerson Murphy-Hill. 2014. Social Influences on Secure Development Tool Adoption: Why Security Tools Spread. In Proc. CSCW '14. ACM, New York, NY, USA, 1095-1106. Google ScholarDigital Library
Jing Xie, Heather Lipford, and Bei-Tseng Chu. 2012. Evaluating Interactive Support for Secure Programming. In Proc. CHI '12. ACM, New York, NY, USA, 2707-2716. Google ScholarDigital Library

Index Terms

First-time Security Audits as a Turning Point?: Challenges for Security Practices in an Industry Software Development Team
1. Software and its engineering

Recommendations

Can Security Become a Routine?: A Study of Organizational Change in an Agile Software Development Group
CSCW '17: Proceedings of the 2017 ACM Conference on Computer Supported Cooperative Work and Social Computing

Organizational factors influence the success of security initiatives in software development. Security audits and developer training can motivate development teams to adopt security practices, but their interplay with organizational structures and ...
Read More
Software Security Maturity in Public Organisations
ISC 2015: Proceedings of the 18th International Conference on Information Security - Volume 9290

Software security is about building software that will be secure even when it is attacked. This paper presents results from a survey evaluating software security practices in software development lifecycles in 20 public organisations in Norway using the ...
Read More
Agile Software Development: The Straight and Narrow Path to Secure Software?

In this article, the authors contrast the results of a series of interviews with agile software development organizations with a case study of a distributed agile development effort, focusing on how information security is taken care of in an agile ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CHI EA '16: Proceedings of the 2016 CHI Conference Extended Abstracts on Human Factors in Computing Systems
May 2016
3954 pages
ISBN:9781450340823
DOI:10.1145/2851581
General Chairs:
Jofish Kaye
Yahoo
,
Allison Druin
University of Maryland / National Park Service
,
Program Chairs:
Cliff Lampe
University of Michigan
,
Dan Morris
Microsoft
,
Juan Pablo Hourcade
University of Iowa
Copyright © 2016 Owner/Author
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 7 May 2016
Check for updates
Author Tags
development practices
organizational factors
penetration testing
qualitative study
secure software engineering
Qualifiers
- abstract
Conference

Acceptance Rates
CHI EA '16 Paper Acceptance Rate1,000of5,000submissions,20%Overall Acceptance Rate6,164of23,696submissions,26%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 5
  Total Citations
  View Citations
- 222
  Total Downloads
- Downloads (Last 12 months)19
- Downloads (Last 6 weeks)6
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

First-time Security Audits as a Turning Point?: Challenges for Security Practices in an Industry Software Development Team

CHI EA '16: Proceedings of the 2016 CHI Conference Extended Abstracts on Human Factors in Computing Systems

ABSTRACT

References

Cited By

Index Terms

Recommendations

Can Security Become a Routine?: A Study of Organizational Change in an Agile Software Development Group

Software Security Maturity in Public Organisations

Agile Software Development: The Straight and Narrow Path to Secure Software?