The State of Secure Coding Practice: Small Organisations and 'Lone, Rogue Coders'

Ita Ryan; Klaas Jan Stol; Utz Roedig

doi:10.1109/EnCyCriS59249.2023.00010

The State of Secure Coding Practice: Small Organisations and 'Lone, Rogue Coders'

School of Computer Science and Information Technology

Research output: Chapter in Book/Report/Conference proceedings › Chapter › peer-review

Abstract

Software security is a rapidly developing problem. Malware, ransomware and spyware routinely leverage vulnerabilities in software to gain access to systems, escalate privileges and run adversarial code. One approach to solving this issue is to use secure software methods, which attempt to guide organisations in improving their software assurance. However, these methods implicitly assume the presence of substantial resources deployed in a compliance-mandated environment. The distinct and often limited environment in which small organisations, independent teams and lone coders operate is not considered. Advice for software security in small teams is almost absent from the literature, as is a way to measure the levels of secure coding in such teams. In order to address this problem, we must begin by understanding it. As part of the analysis of a large survey on current software security practice, we examined the current software security practices of small and open source organisations, and of lone and non-company developers. We present our results in this paper. We hope that they will facilitate the targeting of security advice to these neglected developer categories.

Original language	English
Title of host publication	Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	37-44
Number of pages	8
ISBN (Electronic)	9798350338140
DOIs	https://doi.org/10.1109/EnCyCriS59249.2023.00010
Publication status	Published - 2023
Event	4th IEEE/ACM International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023 - Melbourne, Australia Duration: 15 May 2023 → …

Publication series

Name	Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023

Conference

Conference	4th IEEE/ACM International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023
Country/Territory	Australia
City	Melbourne
Period	15/05/23 → …

Keywords

application security
measuring security
secure application development
secure development
secure development lifecycle
secure development processes
secure development tools
secure programming
security issue
software developer
software programmer
Software security

Access to Document

10.1109/EnCyCriS59249.2023.00010

Cite this

Ryan, I., Stol, K. J., & Roedig, U. (2023). The State of Secure Coding Practice: Small Organisations and 'Lone, Rogue Coders'. In Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023 (pp. 37-44). (Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/EnCyCriS59249.2023.00010

Ryan, Ita ; Stol, Klaas Jan ; Roedig, Utz. / The State of Secure Coding Practice : Small Organisations and 'Lone, Rogue Coders'. Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023. Institute of Electrical and Electronics Engineers Inc., 2023. pp. 37-44 (Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023).

@inbook{9254efc0a84a4f998f621c575a5b7a4d,

title = "The State of Secure Coding Practice: Small Organisations and 'Lone, Rogue Coders'",

abstract = "Software security is a rapidly developing problem. Malware, ransomware and spyware routinely leverage vulnerabilities in software to gain access to systems, escalate privileges and run adversarial code. One approach to solving this issue is to use secure software methods, which attempt to guide organisations in improving their software assurance. However, these methods implicitly assume the presence of substantial resources deployed in a compliance-mandated environment. The distinct and often limited environment in which small organisations, independent teams and lone coders operate is not considered. Advice for software security in small teams is almost absent from the literature, as is a way to measure the levels of secure coding in such teams. In order to address this problem, we must begin by understanding it. As part of the analysis of a large survey on current software security practice, we examined the current software security practices of small and open source organisations, and of lone and non-company developers. We present our results in this paper. We hope that they will facilitate the targeting of security advice to these neglected developer categories.",

keywords = "application security, measuring security, secure application development, secure development, secure development lifecycle, secure development processes, secure development tools, secure programming, security issue, software developer, software programmer, Software security",

author = "Ita Ryan and Stol, \{Klaas Jan\} and Utz Roedig",

note = "Publisher Copyright: {\textcopyright} 2023 IEEE.; 4th IEEE/ACM International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023 ; Conference date: 15-05-2023",

year = "2023",

doi = "10.1109/EnCyCriS59249.2023.00010",

language = "English",

series = "Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "37--44",

booktitle = "Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023",

address = "United States",

}

Ryan, I , Stol, KJ & Roedig, U 2023, The State of Secure Coding Practice: Small Organisations and 'Lone, Rogue Coders'. in Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023. Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023, Institute of Electrical and Electronics Engineers Inc., pp. 37-44, 4th IEEE/ACM International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023, Melbourne, Australia, 15/05/23. https://doi.org/10.1109/EnCyCriS59249.2023.00010

The State of Secure Coding Practice: Small Organisations and 'Lone, Rogue Coders'. / Ryan, Ita ; Stol, Klaas Jan ; Roedig, Utz.
Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023. Institute of Electrical and Electronics Engineers Inc., 2023. p. 37-44 (Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023).

Research output: Chapter in Book/Report/Conference proceedings › Chapter › peer-review

TY - CHAP

T1 - The State of Secure Coding Practice

T2 - 4th IEEE/ACM International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023

AU - Ryan, Ita

AU - Stol, Klaas Jan

AU - Roedig, Utz

PY - 2023

Y1 - 2023

N2 - Software security is a rapidly developing problem. Malware, ransomware and spyware routinely leverage vulnerabilities in software to gain access to systems, escalate privileges and run adversarial code. One approach to solving this issue is to use secure software methods, which attempt to guide organisations in improving their software assurance. However, these methods implicitly assume the presence of substantial resources deployed in a compliance-mandated environment. The distinct and often limited environment in which small organisations, independent teams and lone coders operate is not considered. Advice for software security in small teams is almost absent from the literature, as is a way to measure the levels of secure coding in such teams. In order to address this problem, we must begin by understanding it. As part of the analysis of a large survey on current software security practice, we examined the current software security practices of small and open source organisations, and of lone and non-company developers. We present our results in this paper. We hope that they will facilitate the targeting of security advice to these neglected developer categories.

AB - Software security is a rapidly developing problem. Malware, ransomware and spyware routinely leverage vulnerabilities in software to gain access to systems, escalate privileges and run adversarial code. One approach to solving this issue is to use secure software methods, which attempt to guide organisations in improving their software assurance. However, these methods implicitly assume the presence of substantial resources deployed in a compliance-mandated environment. The distinct and often limited environment in which small organisations, independent teams and lone coders operate is not considered. Advice for software security in small teams is almost absent from the literature, as is a way to measure the levels of secure coding in such teams. In order to address this problem, we must begin by understanding it. As part of the analysis of a large survey on current software security practice, we examined the current software security practices of small and open source organisations, and of lone and non-company developers. We present our results in this paper. We hope that they will facilitate the targeting of security advice to these neglected developer categories.

KW - application security

KW - measuring security

KW - secure application development

KW - secure development

KW - secure development lifecycle

KW - secure development processes

KW - secure development tools

KW - secure programming

KW - security issue

KW - software developer

KW - software programmer

KW - Software security

UR - https://www.scopus.com/pages/publications/85165909253

U2 - 10.1109/EnCyCriS59249.2023.00010

DO - 10.1109/EnCyCriS59249.2023.00010

M3 - Chapter

AN - SCOPUS:85165909253

T3 - Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023

SP - 37

EP - 44

BT - Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 15 May 2023

ER -

Ryan I , Stol KJ , Roedig U. The State of Secure Coding Practice: Small Organisations and 'Lone, Rogue Coders'. In Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023. Institute of Electrical and Electronics Engineers Inc. 2023. p. 37-44. (Proceedings - 2023 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2023). doi: 10.1109/EnCyCriS59249.2023.00010

The State of Secure Coding Practice: Small Organisations and 'Lone, Rogue Coders'

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this