1 Introduction
-
RQ1 How can an intervention based on short workshops assist developers in identifying security issues, assessing them, and engaging product managers with those issues?
1.1 Contribution
2 Background
2.1 Adoption of developer security activities
2.2 Motivating change in development teams
2.3 Blockers and motivators
2.4 Product management engagement
2.5 Conclusions
3 Design of the intervention workshops
-
Requirement 1 Understanding security decisions as business decisions;
-
Requirement 2 Identifying types of security issues relevant to their current projects;
-
Requirement 3 Characterizing those issues in terms of their importance to the organization;
-
Requirement 4 Identifying and costing solutions to address the important issues; and
-
Requirement 5 Discussing those issues and solutions in terms meaningful to product managers.
-
Requirement 6 Take less than one working day for a development team to carry out, to keep costs acceptable;
-
Requirement 7 Work with development teams, as a majority of developers work in teams (Stack Overflow 2016);
-
Requirement 8 Work without security specialists, since many teams do not have access to them (Weir et al. 2020a);
-
Requirement 9 Work without product managers present in the workshops, since while it is obviously a benefit to include them, in many cases they may not be available or persuaded to attend;
-
Requirement 10 Support developers currently using few or no assurance techniques, since many teams do not currently use them (Weir et al. 2020a); and
-
Requirement 11 Be leadable by non-researchers, to permit the use of the intervention where the researchers are unavailable (Weir et al. 2019).
3.1 Requirement 1: Understanding security in terms of business decisions
-
There is no need to have a security expert present to make decisions about software security (Requirement 8)
-
Winning, by defending against every threat, is virtually impossible. It is a business decision as to which threats to address, based on which ones are most important to the organization.
3.2 Requirement 2: Security issues relevant to current projects
3.3 Requirement 3: Issues in terms of impact and likelihood
3.4 Requirement 4: Identifying and costing solutions
3.5 Requirement 5: Discussing in terms meaningful to product managers
3.6 Remaining requirements
3.7 Intervention approach and schedule
4 Evaluation methodology
4.1 Introduction to design-based research
4.2 Research questions
-
RQ 1.1 To what extent did the developer teams achieve better product management engagement over security issues as a result of the intervention?
-
RQ 1.2 What did participants identify as ‘selling points’ for improvements in software security?
-
RQ 1.3 In what ways do the intervention results vary with different participant contexts?
-
RQ 1.4 Can having developers consider the positive benefits of security and privacy mitigations lead to improvements in product management engagement?
-
RQ 1.5 Can teams of developers produce threat assessments, risk-impact assessments, and benefit analyses with minimal guidance?
-
RQ 1.6 What are the ‘blockers’ and ‘motivators’ affecting product management engagement and other stakeholders as revealed in the workshops?
4.3 Method implementation
Activity | Description |
---|---|
Threat assessment | Design-level analysis of possible attackers, motives, and vulnerability locations. |
Product management engagement | Working with product managers to make security decisions. |
Level | Description |
---|---|
0 No mention | No reference to it in the interview |
1 Aware | The team showed knowledge of it. |
2 Planned | Existing plans to incorporate it. |
3 Using | The team have used it. |
4 Established | The team use it in each new project. |
Code | Before: | After: | Impact | ||||
---|---|---|---|---|---|---|---|
Rater1 | Rater2 | Combined | Rater1 | Rater2 | Combined | ||
Product management engagement | 0 | 0 | 0 | 4 | 4 | 4 | 4 |
Threat assessment | 1 | 1 | 1 | 3 | 4 | 4 | 3 |
4.4 Example of the impact coding
5 Results
5.1 Summary of participants from each organization
Organization | Group | |
---|---|---|
D | A development team within a university, funded by a government grant to promote business innovation by developing proof of concept (PoC) applications. | Aware of the importance of software security but had little practical knowledge; worked on several different projects at a time. |
E | A government department delivering software for sensitive government applications. The group worked on a high-confidentiality product. | Less experienced than average for the industry, though the session leader is an experienced security specialist. |
F | A small surveying company delivering a Geographical Information System product and related services. | A previous developer had implemented some security aspects; the current team had little knowledge. |
G | A web applications development company delivering a wide variety of applications for clients. | The two leads were expert in software security, but were finding that the effort costs of security were not being included in client pricing. |
H | A small company selling a range of Internet of Things devices and their associated infrastructure. | The group justifiably consider themselves good at software security. |
I | A well-established company providing the infrastructure for a commodity trading. Planning move from perimeter security to cloud-based services. | The company has considerable internal expertise in security. However, the developers were less experienced. |
J | A well-established large company providing web interfaces for retailers. The group involved had the responsibility of creating tools and services to support deployment. | The group was a team of about a dozen developers creating deployment tools, and included two security specialists who led the workshops. |
K | A well-established company with a few hundred employees creating tools for developers. | The group has a strong emphasis on agile development processes, and team interaction. All the participants were developers. |
5.2 Inter-rater reliability
5.3 Impact of the intervention
5.4 Activity impact by group attributes
Categorization | Category | Count in category | Threat Assessment Impact | PM Engagement Impact |
---|---|---|---|---|
Overall | 8 | 1.6 | 2.1 | |
Organization Size | Large | 3 | 1. | 2.7 |
Medium | 3 | 2.3 | 2. | |
Small | 2 | 1.5 | 1.5 | |
Facilitation Style | Dominating | 2 | 2. | |
Listening | 4 | 2.3 | 2.3 | |
Peer | 2 | 2. | 2. | |
Security Maturity | High | 2 | 2. | |
Medium | 4 | 1.8 | 1.5 | |
Low | 2 | 3. | 3.5 | |
Product manager | Yes | 4 | 2.3 | 2. |
No | 4 | 1. | 2.3 | |
Lead facilitator | Line manager | 4 | 3. | 3. |
Security | 2 | 2. | ||
Developer | 2 | 0.5 | 0.5 |
5.5 Selling points for security
Name | Org. | N. | Description | Example Quotes |
---|---|---|---|---|
Security Consultancy | D E F G I | 10 | Being the experts in security; advising the customer; saying ‘No’ to feature requests that compromise security. | The more projects we do the better we’ll get at these things to the point that the security consultancy ends up being part of the package (D) Actually, [security] is not about [us] making the money; it is about making the right money for the client (G) |
Security Management | G H I J K | 8 | Managing security as a continuous service for customers | What you want in a supplier is … they’re proactive in considering the [security] challenges and they’re doing things about it (H) |
Customer Tick-box Requirement | F H I | 7 | Improvements to satisfy standard customer requirements. | People ask if we are ISO 27001 certified (I) Got to have two factor authentication, because that’s what [the customer] does with other systems (F) |
Customer Choice | E F G | 6 | Customer gets value by specifying level of security or order of delivery. | We can sell tiers... this is a basic [security] package; this is our premium package. (G) [Sometimes] they have said ‘we are happy to accept that level of risk’, but there is also quite a willingness to fix a lot of the other issues. (E) |
Robust System | E H J K | 6 | The system will have high availability. | Being proud of … your availability: X nines. We have a track record: 12 months… something to talk about (J). |
Better Security than Competition | H I | 4 | Customers will choose this product because it has better security. | Using [security] as a differentiator from Chinese manufacturers that can build stuff for a fractionof the cost, but wouldn’t necessarily have considered the bigger picture (H) |
Implied Requirement | E F K | 3 | Security enables a new item of functionality. | They’ve said, “could you put in payments?” (F) |
Avoiding Disaster | E K | 2 | Security will prevent a disaster. | Yes, if [a disgruntled employee breech] happens once in five years, but it sets you back 10 years each time so [customers pay to prevent] it. (E) |
5.6 Use of selling points to engage product managers
5.7 Threat assessment with developers
We’ve identified huge risks that they need to consider before they ever get anywhere near an actual working product. (D)
We had a follow-on session afterwards where we took everything away, … and sat down and thought “what do we need to do next”. (E)
5.8 Blockers and motivators related to security promotion
Name | N | Description | Example Quotes |
---|---|---|---|
Communication | 10 | Difficulties in conveying security concepts or getting the right communication to achieve effective decisions | [It] is difficult [to identify security requirements] as it requires a lot of conversation (I) The security thing is a bit of a taboo subject. (H) |
Multiple stakeholders | 6 | Different stakeholders may have different security appetites or needs; coordinating them is hard | For some clients it’s a really easy sell… But there’s other clients: “Do I want to spend marketing budget on this?” (G) |
Freeloaders | 4 | Stakeholders expecting ‘security for free’ | Some of our clients are now saying “You need to provide all this … for nothing because it’s part of the security standard …” (G) |
Unknown cost/impact | 4 | Development teams may not have the ability to estimate costs; or may have inaccurate information about the likelihood of threats | The mistake that customers have made with this app was to assume a small pilot study; then issue it to a big bunch of people… (E) We don’t … give stakeholders an estimation of delivery time. We just chew through [work]. (J) |
PM time | 3 | product managers may not be available or have insufficient time to devote to the topic | Some of us don’t have access to a product owner. € [Customers] keep saying “We haven’t had a chance to review what you sent us…” (D) |
Denial | 2 | Stakeholders refusing to accept a clear need for security | No-one really cares about security until someone leaves their data on a train, anyway. (H) |
Practical | 1 | Practical issues, such as technology export restrictions | If we want to put encryption into the firmware things, we need an export license. (H) |
Name | N | Description | Example Quotes |
---|---|---|---|
Friendly Customers | 5 | Focusing on customers who value security when it is explained to them | Some clients are really good, and they will listen to best practice, and as soon as you start saying this … “Okay, right that’s fine, tick, happy”. (G) |
Policies | 5 | Externally enforced requirements for security | If they’ve been in an organization with a PCI audit… they’ll go to long, long lengths to avoid that. (G) |
Principled Insistence | 5 | Politely insisting on the need for the implementation of specific security features, on principle | I think [customers and product managers] appreciate me saying “I don’t think this is the best practice… You need to spend more money and do it this way”. If I can back that up with the reasoning behind it, that is fine. (G) |
Value | 4 | Collaboratively identifying value for the stakeholders | Things like single sign-on come to mind… We’re improving the security. [It] actually makes life easier. (I) |
Communication | 3 | Improving communication: using handover documents, identifying security scope, and discussing consequences of poor security | [For example] the handover document says, “The first thing you need to do is find a different way to send this”, because … whoever develops this further needs to find a more secure way. (D) |
Logging Decisions | 2 | Keeping a log of security-related decisions, to support discussions and evaluation in future | As long as you have made the decision based on the information … you have a reasoning behind why this is in, or why this isn’t in. (E) |
Structured Workshops | 2 | Using facilitated workshops with stakeholders to inspire thinking on security issues | I’m going to say to [my customer] “We’re gonna have a security workshop. Come on have some lunch, bring [your developers] and we’ll have a [workshop]”. We won’t charge … but at the end of it I’ll bet [they’ll] spend 20 grand because of the kind of client [they are] (G) |
6 Answer to the primary research question
7 Discussion
7.1 Research method
7.2 Trustworthiness criteria and limitations
-
We have no way of evaluating either the completeness or accuracy of the threat assessment results. We believe that the developers’ assessments were sufficient for the purpose of informing security improvements; that the consequences of getting a risk assessment wrong are much less than the consequence of not doing it at all; and that since product managers did engage well with the results (Section 5.6) the assessments were successful. However, this remains an outstanding question for future research.
-
Whilst in most cases product managers did engage with security in the development process (Section 5.6), we have no indication whether the resulting engagement led to more appropriate security in the resulting products. It is logical to assume that it would; but this research provides no evidence to support that assumption.
Criteria | What it means | Addressed in the Paper |
---|---|---|
Credibility | The research findings are plausible and trustworthy | |
Dependability | The extent to which the research could be replicated in similar conditions | |
Confirmability | There is a clear link or relationship between the data and the findings | |
Transferability | Findings may be transferred to another setting, context or group | |
Reflexivity | A continual process of engaging with and articulating the place of the researcher and the context of the research |
7.3 Practical value
7.4 Further work
8 Conclusions
-
Five of the eight groups notably improved their threat assessment activities as a result of the interventions; six improved product management engagement (Section 5.3);
-
Participants identified 50 different selling points, in 8 categories, of which the most prolific was ‘Security Consultancy’, improving customer relationships by impressing them with security expertise (Section 5.5); and
-
Less security-expert groups appeared to benefit most from the workshops, and sessions appeared most effective when facilitated by team managers (Section 5.4).
-
Having developers identify selling points can indeed lead to improvements in product management engagement (Section 5.6);
-
Teams of developers can produce threat assessments, risk-impact assessment, and benefit analyses with minimal guidance (Section 5.7); and
-
A range of blockers, particularly problems with communication, challenge the introduction of security; however, there is a wide range, and similar numbers, of motivators to encourage it (Section 5.8).