Why Johnny Doesn’t Write Secure Software: Secure Software Development by the Masses

Dates: January 2018 – March 2021
Lead researchers: Professor Awais Rashid, University of Bristol, Professor Bashar Nuseibeh, Professor Helen Sharp, Professor Marian Petre, The Open University, Professor John Towse, Professor Mark Levine, Lancaster University


Developing software is no longer the domain of the select few with deep technical skills, training and knowledge. A wide range of people from diverse backgrounds are developing software for smart phones, websites and IoT devices used by millions of people. Johnny is our pseudonym for such developers. Currently, little is understood about the security
behaviours and decision-making processes of such developers engaging in software development. The overall aim is to develop an empirically-grounded theory of secure software development by the masses. The focus is on understanding:

• What typical classes of security vulnerabilities arise from their mistakes,
• Why these mistakes occur, and
• How we may mitigate these issues and promote secure behaviours.

To achieve this, the researchers designed a study meant to understand developers’ reasoning and decision-making across the different kinds of software development tasks they typically engage with and why these mistakes occur. The team found that developers really only consider security when directly facing code (such as when fixing vulnerabilities), and in many cases choices made in secure development that are perceived to be secure, actually are not. The work then investigated how cognitive biases may play into developers’ decision-making on trusting particular people or resources (such as code fragments on Stack Overflow). Findings so far indicate that developers place trusts in people (and the resources they provide) based on their perception of those people, which may not be an accurate view of reality. This provides further in-depth understanding of why these mistakes occur, especially in software development tasks where developers are not directly engaged in writing code.

As part of the project, psychometric instruments were designed to draw out developers’ attitudes towards handling of personal data in their software.

Policy implications

The work is ongoing but findings to date may already be of interest to developers themselves, as well as policy makers intending to support developers in writing more secure software. It has relevance to NCSC’s secure development agenda.

Secure software development is about more than just writing secure code. The choices made by developers have potential to impact the security of their software. A critical, reflective attitude towards these choices could be an important component of promoting secure software development. The project is also exploring novel interventions which could lead to improved security cultures, as developers could engage in more secure behaviours without increasing their task load.

Find out more



Interviews, surveys, online forum discussions.

Funders: EPSRC
External collaborators: The Open University, UK; Lancaster University, UK; LERO (The Irish software research centre); National Institute of Informatics, Japan; Technical University of Darmstadt, Germany; Google.


Posted on

December 9, 2021