Dates: October 2017 – April 2018
Lead researchers: Dr Charles Weir, Lancaster University
Some software development teams are highly effective at delivering security, but others are not – which can be due to lack of care or expertise. This work proposed that a series of lightweight interventions (six hours of facilitated workshops delivered over three months) can improve a team’s motivation to consider security and awareness of assurance techniques and change its security culture even when no security experts are involved.
Interventions were developed by surveying security professionals, followed by testing in three different organisations. These have now been delivered to many more, ranging from a security-focused government team to a single-programmer team in a small company. The research team worked with more than 90 programmers, testers, project managers, and product managers and, in each case, there were identifiable and sustained improvements in the security-related activities of the team involved.
The researchers have produced ‘Security Essentials’ – a half-day set of structured workshops to inspire and guide developers on security. This is available from the website linked below.
This work highlighted the importance of the relationship between developers and the product management function in every organisation. Further work will focus on this relationship and ways to improve the effectiveness of this dialogue in improving security.
Lightweight, facilitation-based interventions of the kind reported here offer the potential to help software development teams with limited current security skills to improve the security of their products. Wide-scale adoption of programmes of this kind will empower developers and play a much-needed role in improving software security for all end users. This may be relevant to the DCMS Incentives and Regulation programme of work.
Methods: Appreciative Inquiry and Grounded Theory survey of security professionals, Participatory Action Research study
Funders: RISCS, Lancaster University
Find out more: https://www.securedevelopment.org/