Abstract
Despite the availability of various methods and tools to facilitate secure coding, developers continue to write code that contains common vulnerabilities. It is important to understand why technological advances do not sufficiently facilitate developers in writing secure code. To widen our understanding of developers' behaviour, we examined the complexity of developers' security decision space using theory from cognitive and social psychology. Our interdisciplinary study reported in this article (1) draws on the psychology literature to provide conceptual underpinnings for three categories of impediments to achieving security goals, (2) reports on an in-depth meta-analysis of existing software security literature that identified a catalogue of factors that influence developers' security decisions, and (3) characterises the landscape of existing security interventions that are available to the developer during coding and identifies gaps. Collectively, these show that different forms of impediments to achieving security goals arise from different contributing factors. Interventions will be more effective where they reflect psychological factors more sensitively and marry technical sophistication, psychological frameworks, and usability. Our analysis suggests “adaptive security interventions” as a solution that responds to the changing security needs of individual developers, and we present a proof-of-concept tool to substantiate our suggestion.
- Source Code Analysis Tools - OWASP. n.d. Retrieved January, 2020 from https://www.owasp.org/index.php/Source_Code_Analysis_Tools.Google Scholar
- Mohammad Tahaei and Kami Vaniea. 2019. A survey on developer-centred security. In IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 129–138.Google ScholarCross Ref
- Carmen Tanner. 1999. Constraints on environmental behaviour. J. Environ. Psychol. 19, 2 (1999), 145–157.Google ScholarCross Ref
- Blair Taylor and Shiva Azadegan. 2008. Moving beyond security tracks: Integrating security in cs0 and cs1. In ACM SIGCSE Bulletin, Vol. 40. ACM, 320–324. Google ScholarDigital Library
- David R. Thomas. 2006. A general inductive approach for analyzing qualitative evaluation data. Amer. J. Eval. 27, 2 (2006), 237–246.Google ScholarCross Ref
- Tyler W. Thomas, Madiha Tabassum, Bill Chu, and Heather Lipford. 2018. Security during application development: An application security expert perspective. In CHI Conference on Human Factors in Computing Systems. ACM, 262. Google ScholarDigital Library
- J. N. Towse, M. Levine, M. Petre, A. Bandara, T. Lopez, A. Rashid, I. Rauf, H. Sharp, T. Tun, D. van der Linden, and B. Nuseibeh. 2020. The case for understanding secure coding as a psychological enterprise. (2020). Manuscript submitted for publication.Google Scholar
- Endel Tulving. 1993. What is episodic memory?Curr. Direct. Psychol. Sci. 2, 3 (1993), 67–70.Google ScholarCross Ref
- Thein Than Tun, Mu Yang, Arosha K. Bandara, Yijun Yu, Armstrong Nhlabatsi, Niamul Khan, Khaled M. Khan, and Bashar Nuseibeh. 2018. Requirements and specifications for adaptive security: concepts and analysis. In IEEE/ACM 13th International Symposium on Software Engineering for Adaptive and Self-managing Systems (SEAMS). IEEE, 161–171. Google ScholarDigital Library
- John C. Turner, Michael A. Hogg, Penelope J. Oakes, Stephen D. Reicher, and Margaret S. Wetherell. 1987. Rediscovering the Social Group: A Self-categorization Theory.Basil Blackwell.Google Scholar
- John C. Turner, Penelope J. Oakes, S. Alexander Haslam, and Craig McGarty. 1994. Self and collective: Cognition and social context. Personal. Soc. Psychol. Bull.etin 20, 5 (1994), 454–463.Google ScholarCross Ref
- Jay J. Van Bavel and Andrea Pereira. 2018. The partisan brain: An identity-based model of political belief. Trends Cogn. Sci. 22, 3 (2018), 213–224.Google ScholarCross Ref
- Dirk van der Linden, Pauline Anthonysamy, Bashar Nuseibeh, Thein T. Tun, Marian Petre, Mark Levine, John Towse, and Awais Rashid. 2020. Schrödinger's security: Opening the box on app developers' security rationale. In 42nd International Conference on Software Engineering (ICSE). Google ScholarDigital Library
- Dirk van der Linden, Emma Williams, Joseph Hallett, and Awais Rashid. 2020. The impact of surface features on choice of (in) secure answers by Stackoverflow readers. IEEE Trans. Softw. Eng. 1, 1 (2020), 1–1. DOI:10.1109/TSE.2020.2981317Google ScholarCross Ref
- Axel Van Lamsweerde. 2004. Elaborating security requirements by construction of intentional anti-models. In 26th International Conference on Software Engineering. IEEE, 148–157. Google ScholarDigital Library
- Axel Van Lamsweerde and Emmanuel Letier. 1998. Integrating obstacles in goal-driven requirements engineering. In 20th International Conference on Software Engineering. IEEE, 53–62. Google ScholarDigital Library
- Dirk van Moorselaar and Heleen A. Slagter. 2020. Inhibition in selective attention. Ann. New York Acad. Sci. 1464, 1 (2020), 204.Google ScholarCross Ref
- Samuel M. Waldron, John Patrick, Phillip L. Morgan, and Sophia King. 2007. Influencing cognitive strategy by manipulating information access. Comput. J. 50, 6 (2007), 694–702. Google ScholarDigital Library
- Charles Weir, Ingolf Becker, James Noble, Lynne Blair, M. Angela Sasse, and Awais Rashid. 2020. Interventions for software security: Creating a lightweight program of assurance techniques for developers. Softw.: Pract. Exper. 50, 3 (2020), 275–298.Google ScholarCross Ref
- Charles Weir, Lynne Blair, Ingolf Becker, James Noble, Angela Sasse, and Awais Rashid. 2019. Interventions for Software security: Creating a lightweight program of assurance techniques for developers. In 41st International Conference on Software Engineering, Helen Sharpe and Michael Whalen (Eds.). IEEE. Google ScholarDigital Library
- Charles Weir, Awais Rashid, and James Noble. 2016. How to Improve the Security Skills of Mobile App Developers: Comparing and Contrasting Expert Views. In 2nd Workshop on Security Information Workers, WSIW@SOUPS 2016, Denver, CO, USA, June 22, 2016. https://www.usenix.org/conference/soups2016/workshop-program/wsiw16/presentation/weir.Google Scholar
- Charles Weir, Awais Rashid, and James Noble. 2017. I'd like to have an argument, please: Using dialectic for effective app security In EuroUSEC 2017 Internet Society. Retrieval https://research-information.bris.ac.uk/en/publications/id-like-to-have-an-argument-please-using-dialectic-for-effective.Google Scholar
- Rodrigo Werlinger, Kirstie Hawkey, David Botta, and Konstantin Beznosov. 2009. Security practitioners in context: Their activities and interactions with other stakeholders within organizations. Int. J. Hum.-comput. Stud. 67, 7 (2009), 584–606. Google ScholarDigital Library
- Michael Whitney, Heather Lipford-Richter, Bill Chu, and Jun Zhu. 2015. Embedding secure coding instruction into the IDE: A field study in an advanced CS course. In 46th ACM Technical Symposium on Computer Science Education. 60–65. Google ScholarDigital Library
- James A. Whittaker and Richard Ford. 2006. How to think about security. IEEE Secur. Priv. 4, 2 (2006), 68–71. Google ScholarDigital Library
- Craig Williams, Helen M. Hodgetts, Candice Morey, Bill Macken, Dylan M. Jones, Qiyuan Zhang, and Phillip L. Morgan. 2020. Human error in information security: Exploring the role of interruptions and multitasking in action slips. In International Conference on Human-computer Interaction. Springer, 622–629.Google Scholar
- Jim Witschey, Shundan Xiao, and Emerson Murphy-Hill. 2014. Technical and personal factors influencing developers' adoption of security tools. In ACM Workshop on Security Information Workers. ACM, 23–26. Google ScholarDigital Library
- Jim Witschey, Olga Zielinska, Allaire Welk, Emerson Murphy-Hill, Chris Mayhorn, and Thomas Zimmermann. 2015. Quantifying developers' adoption of security tools. In 10th Joint Meeting on Foundations of Software Engineering. ACM, 260–271. Google ScholarDigital Library
- Claes Wohlin. 2014. Guidelines for snowballing in systematic literature studies and a replication in software engineering. In 18th International Conference on Evaluation and Assessment in Software Engineering. 1–10. Google ScholarDigital Library
- Claes Wohlin and Rafael Prikladniki. 2013. Systematic literature reviews in software engineering. Inf. Softw. Technol. 55, 6 (2013), 919–920. Google ScholarDigital Library
- Irene M. Y. Woon and Atreyi Kankanhalli. 2007. Investigation of IS professionals' intention to practise secure development of applications. Int. J. Hum.-comput. Stud. 65, 1 (2007), 29–41. Google ScholarDigital Library
- Shundan Xiao, Jim Witschey, and Emerson Murphy-Hill. 2014. Social influences on secure development tool adoption: Why security tools spread. In 17th ACM Conference on Computer Supported Cooperative Work & Social Computing. ACM, 1095–1106. Google ScholarDigital Library
- Jing Xie, Bill Chu, Heather Richter Lipford, and John T. Melton. 2011. ASIDE: IDE support for web application security. In 27th Annual Computer Security Applications Conference. ACM, 267–276. Google ScholarDigital Library
- Jing Xie, Heather Richter Lipford, and Bill Chu. 2011. Why do programmers make security errors? In IEEE Symposium on Visual Languages and Human-centric Computing (VL/HCC). IEEE, 161–164.Google Scholar
- Limin Yang, Xiangxue Li, and Yu Yu. 2017. VulDigger: A just-in-time and cost-aware tool for digging vulnerability-contributing changes. In IEEE Global Communications Conference. IEEE, 1–7.Google ScholarDigital Library
- Xin-Li Yang, David Lo, Xin Xia, Zhi-Yuan Wan, and Jian-Ling Sun. 2016. What security questions do developers ask? A large-scale study of stack overflow posts. J. Comput. Sci. Technol. 31, 5 (2016), 910–924.Google ScholarCross Ref
- Thomas Zimmermann, Nachiappan Nagappan, and Laurie Williams. 2010. Searching for a needle in a haystack: Predicting security vulnerabilities for Windows Vista. In 3rd International Conference on Software Testing, Verification and Validation (ICST). IEEE, 421–428. Google ScholarDigital Library
- The Case for Adaptive Security Interventions