“ImmediateShortTerm3MthsAfterThatLOL”: Developer Secure-Coding Sentiment, Practice and Culture in Organisations

Ita Ryan; Utz Roedig; Klaas Jan Stol

doi:10.1109/ICSE-SEIP66354.2025.00054

“ImmediateShortTerm3MthsAfterThatLOL”: Developer Secure-Coding Sentiment, Practice and Culture in Organisations

School of Computer Science and Information Technology

Research output: Chapter in Book/Report/Conference proceedings › Conference proceeding › peer-review

Abstract

As almost all areas of human endeavour undergo rapid digital transformation, secure coding is increasingly important to personal, commercial and national security. Yet studies have shown that software developers do not always prioritise or even understand security. Our large survey of organically sourced coders (n=863) examines how software developers currently experience secure coding in the workplace. We found that developers express an interest in secure coding, display basic security knowledge, and turn to their managers and teams first for help with security concerns. We found that developer secure coding sentiment and security practice do not correlate with organisational statistics such as size, but do correlate weakly with measures of security culture, indicating that organisational security support goes hand-in-hand with secure development. Most developers would look for help in-house if they had security concerns. Investigating the effects of code breaches, we found that for almost half of cases, code security does not increase, or increases only for a short time.

Original language	English
Title of host publication	Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering
Subtitle of host publication	Software Engineering in Practice, ICSE-SEIP 2025
Publisher	Institute of Electrical and Electronics Engineers
Pages	551-562
Number of pages	12
Edition	2025
ISBN (Electronic)	9798331536855
DOIs	https://doi.org/10.1109/ICSE-SEIP66354.2025.00054
Publication status	Published - 2025
Event	47th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025 - Ottawa, Canada Duration: 27 Apr 2025 → 3 May 2025

Conference

Conference	47th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025
Country/Territory	Canada
City	Ottawa
Period	27/04/25 → 3/05/25

Keywords

secure coding
secure software development
software security
software security culture
software security practice

Access to Document

10.1109/ICSE-SEIP66354.2025.00054

Cite this

Ryan, I., Roedig, U., & Stol, K. J. (2025). “ImmediateShortTerm3MthsAfterThatLOL”: Developer Secure-Coding Sentiment, Practice and Culture in Organisations. In Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025 (2025 ed., pp. 551-562). Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/ICSE-SEIP66354.2025.00054

Ryan, Ita ; Roedig, Utz ; Stol, Klaas Jan. / “ImmediateShortTerm3MthsAfterThatLOL” : Developer Secure-Coding Sentiment, Practice and Culture in Organisations. Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025. 2025. ed. Institute of Electrical and Electronics Engineers, 2025. pp. 551-562

@inproceedings{fe05c5d84c0b420d843e18b0b255c2c3,

title = "“ImmediateShortTerm3MthsAfterThatLOL”: Developer Secure-Coding Sentiment, Practice and Culture in Organisations",

abstract = "As almost all areas of human endeavour undergo rapid digital transformation, secure coding is increasingly important to personal, commercial and national security. Yet studies have shown that software developers do not always prioritise or even understand security. Our large survey of organically sourced coders (n=863) examines how software developers currently experience secure coding in the workplace. We found that developers express an interest in secure coding, display basic security knowledge, and turn to their managers and teams first for help with security concerns. We found that developer secure coding sentiment and security practice do not correlate with organisational statistics such as size, but do correlate weakly with measures of security culture, indicating that organisational security support goes hand-in-hand with secure development. Most developers would look for help in-house if they had security concerns. Investigating the effects of code breaches, we found that for almost half of cases, code security does not increase, or increases only for a short time.",

keywords = "secure coding, secure software development, software security, software security culture, software security practice",

author = "Ita Ryan and Utz Roedig and Stol, \{Klaas Jan\}",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 47th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025 ; Conference date: 27-04-2025 Through 03-05-2025",

year = "2025",

doi = "10.1109/ICSE-SEIP66354.2025.00054",

language = "English",

pages = "551--562",

booktitle = "Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering",

publisher = "Institute of Electrical and Electronics Engineers",

address = "United States",

edition = "2025",

}

Ryan, I , Roedig, U & Stol, KJ 2025, “ImmediateShortTerm3MthsAfterThatLOL”: Developer Secure-Coding Sentiment, Practice and Culture in Organisations. in Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025. 2025 edn, Institute of Electrical and Electronics Engineers, pp. 551-562, 47th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025, Ottawa, Canada, 27/04/25. https://doi.org/10.1109/ICSE-SEIP66354.2025.00054

“ImmediateShortTerm3MthsAfterThatLOL”: Developer Secure-Coding Sentiment, Practice and Culture in Organisations. / Ryan, Ita ; Roedig, Utz ; Stol, Klaas Jan.
Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025. 2025. ed. Institute of Electrical and Electronics Engineers, 2025. p. 551-562.

Research output: Chapter in Book/Report/Conference proceedings › Conference proceeding › peer-review

TY - GEN

T1 - “ImmediateShortTerm3MthsAfterThatLOL”

T2 - 47th IEEE/ACM International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025

AU - Ryan, Ita

AU - Roedig, Utz

AU - Stol, Klaas Jan

PY - 2025

Y1 - 2025

N2 - As almost all areas of human endeavour undergo rapid digital transformation, secure coding is increasingly important to personal, commercial and national security. Yet studies have shown that software developers do not always prioritise or even understand security. Our large survey of organically sourced coders (n=863) examines how software developers currently experience secure coding in the workplace. We found that developers express an interest in secure coding, display basic security knowledge, and turn to their managers and teams first for help with security concerns. We found that developer secure coding sentiment and security practice do not correlate with organisational statistics such as size, but do correlate weakly with measures of security culture, indicating that organisational security support goes hand-in-hand with secure development. Most developers would look for help in-house if they had security concerns. Investigating the effects of code breaches, we found that for almost half of cases, code security does not increase, or increases only for a short time.

AB - As almost all areas of human endeavour undergo rapid digital transformation, secure coding is increasingly important to personal, commercial and national security. Yet studies have shown that software developers do not always prioritise or even understand security. Our large survey of organically sourced coders (n=863) examines how software developers currently experience secure coding in the workplace. We found that developers express an interest in secure coding, display basic security knowledge, and turn to their managers and teams first for help with security concerns. We found that developer secure coding sentiment and security practice do not correlate with organisational statistics such as size, but do correlate weakly with measures of security culture, indicating that organisational security support goes hand-in-hand with secure development. Most developers would look for help in-house if they had security concerns. Investigating the effects of code breaches, we found that for almost half of cases, code security does not increase, or increases only for a short time.

KW - secure coding

KW - secure software development

KW - software security

KW - software security culture

KW - software security practice

UR - https://www.scopus.com/pages/publications/105016117775

U2 - 10.1109/ICSE-SEIP66354.2025.00054

DO - 10.1109/ICSE-SEIP66354.2025.00054

M3 - Conference proceeding

AN - SCOPUS:105016117775

SP - 551

EP - 562

BT - Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering

PB - Institute of Electrical and Electronics Engineers

Y2 - 27 April 2025 through 3 May 2025

ER -

Ryan I , Roedig U , Stol KJ. “ImmediateShortTerm3MthsAfterThatLOL”: Developer Secure-Coding Sentiment, Practice and Culture in Organisations. In Proceedings - 2025 IEEE/ACM 47th International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2025. 2025 ed. Institute of Electrical and Electronics Engineers. 2025. p. 551-562 doi: 10.1109/ICSE-SEIP66354.2025.00054

“ImmediateShortTerm3MthsAfterThatLOL”: Developer Secure-Coding Sentiment, Practice and Culture in Organisations

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this