Rauf, Irum; Lopez, Tamara; Sharp, Helen; Petre, Marian; Tun, Thein; Levine, Mark; Towse, John; Linden, Dirk van der; Rashid, Awais and Nuseibeh, Bashar
(2022).
DOI: https://doi.org/10.1145/3528579.3529180
Abstract
Background:
Recent studies show that secure coding is about not only technical requirements but also developers' behaviour.
Objective:
To understand the influence of socio-technical contexts on how developers attend to and engage with security in code, software engineering researchers collaborated with social psychologists on a psychologically-informed study.
Method:
In a preregistered, between-group, controlled experiment, 124 developers from multiple freelance communities were primed toward one of three identities, following which they completed code review tasks with open-ended responses. Qualitative analysis of the rich data focused on the attitudes and reasoning that shaped their identification of security issues within code.
Results:
Overall, attention to code security was intermittent and heterogeneous in focus. Although social identity priming did not significantly change the code review, qualitative analysis revealed that developers varied in how they noticed issues in code, how they addressed them, and how they justified their choices.
Conclusion:
We found that many developers do think about security -- but differently from one another. Hence, effective interventions to promote secure coding must be appropriate to the individual development context.
Data is uploaded at: https://osf.io/3jvrk/files/
About
- Item ORO ID
- 82638
- Item Type
- Conference or Workshop Item
- ISBN
- 978-1-4503-9342-3/22/05
- Project Funding Details
-
| Funded Project Name | Project ID | Funding Body |
| --- | --- | --- |
| Why Johnny doesn't write secure software? Secure software development by the masses | EP/P011799/1, EP/P011799/2, EP/R013144/1 and EP/T017465/1 | UKRI/EPSRC |
| Not Set | 13/RC/2094 and 16/RC/3918 | SFI |
- Academic Unit or School
-
Faculty of Science, Technology, Engineering and Mathematics (STEM) > Computing and Communications
Faculty of Science, Technology, Engineering and Mathematics (STEM)
- Research Group
- Software Engineering and Design (SEAD)
- Copyright Holders
- © 2022 Association for Computing Machinery
- Related URLs
- Depositing User
- Irum Rauf