TY - GEN
T1 - Training Developers to Code Securely
T2 - 4th IEEE/ACM International Workshop on Engineering and Cybersecurity of Critical Systems and 2024 IEEE/ACM 2nd International Workshop on Software Vulnerability, EnCyCriS/SVM 2024, held in conjunction with the 46th IEEE/ACM International Conference on Software Engineering, ICSE 2024
AU - Ryan, Ita
AU - Roedig, Utz
AU - Stol, Klaas Jan
N1 - Publisher Copyright:
© 2024 is held by the owner/author(s).
PY - 2024/8/26
Y1 - 2024/8/26
N2 - Software security is essential. Flaws in software design and coding produce vulnerabilities that can be exploited by hostile actors, resulting in ransomware, espionage and the hacking of critical infrastructure. Meanwhile, DevOps and continuous integration introduce speed imperatives, often bypassing traditional security gates. Software security responsibility is increasingly shifting to software developers. Industry insiders advise that this extra responsibility should be accompanied by developer training. But is it? Analysis of what constitutes good software security training is sparse, and there is little information on the amount and quality of training actually offered to developers in industry. We analyse recent literature to find the positive features of effective secure development training. We examine training information from a large developer survey (n=962) to assess how training in the field matches key positive features. We find that while some developers experience excellent secure-coding training, others receive inadequate training, and the majority receive none.
KW - secure coding training
KW - secure software development
KW - security
UR - https://www.scopus.com/pages/publications/85203874047
U2 - 10.1145/3643662.3643956
DO - 10.1145/3643662.3643956
M3 - Conference proceeding
AN - SCOPUS:85203874047
T3 - Proceedings - 2024 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems and 2024 IEEE/ACM 2nd International Workshop on Software Vulnerability, EnCyCriS/SVM 2024
SP - 37
EP - 44
BT - Proceedings - 2024 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems and 2024 IEEE/ACM 2nd International Workshop on Software Vulnerability, EnCyCriS/SVM 2024
PB - Association for Computing Machinery, Inc
Y2 - 15 April 2024 through 15 April 2024
ER -