Putting Security in Software Development

Authors: Ashenden, D. and Ollis, M.G.

Conference: NSPW 2020

Dates: 26-29 October 2020

Abstract:

Practices such as open source development, agile, DevOps and DevSecOps mean that cyber security professionals need to find ways to blend cyber security with software development practices. One way of approaching this is as an awareness, education and training problem, and many organisations are focusing on training software developers in cyber security. In this paper, however, we make the case for looking more broadly at group rather than individual behaviours by examining the social practices of software developers. Changing software development practices are shaping the lived experience of software developers, and we argue that understanding these practices will enable us to improve secure software development. We use social practice theory as a framework to develop recommendations for aligning and blending cyber security and software development. To achieve this, we carried out a rapid review of research on software development practices and supplemented it with data from ten key-informant interviews to ascertain what we need to consider when developing an intervention for secure software development. Finally, we outline how our research could be used to develop a workshop that would facilitate the co-creation of security practices for software development. We conclude with suggestions for future research.

Source: Manual