Developers Need Support, Too: A Survey of Security Advice for Software Developers

Publication: Contribution to book/report/anthology/conference proceedings; Conference paper; Research; Peer-reviewed

Authors

  • Yasemin Acar
  • Christian Stransky
  • Dominik Wermke
  • Charles Weir
  • Michelle L. Mazurek
  • Sascha Fahl

External organisations

  • Universität des Saarlandes
  • Lancaster University
  • University of Maryland

Details

Original language: English
Title of host publication: Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 22-26
Number of pages: 5
ISBN (electronic): 9781538634677
Publication status: Published - 20 Oct. 2017
Event: 2017 IEEE Cybersecurity Development Conference, SecDev 2017 - Cambridge, United States
Duration: 24 Sept. 2017 to 26 Sept. 2017

Publication series

Name: Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017

Abstract

Increasingly developers are becoming aware of the importance of software security, as frequent high-profile security incidents emphasize the need for secure code. Faced with this new problem, most developers will use their normal approach: web search. But are the resulting web resources useful and effective at promoting security in practice? Recent research has identified security problems arising from Q&A resources that help with specific secure-programming problems, but the web also contains many general resources that discuss security and secure programming more broadly, and to our knowledge few if any of these have been empirically evaluated. The continuing prevalence of security bugs suggests that this guidance ecosystem is not currently working well enough: either effective guidance is not available, or it is not reaching the developers who need it. This paper takes a first step toward understanding and improving this guidance ecosystem by identifying and analyzing 19 general advice resources. The results identify important gaps in the current ecosystem and provide a basis for future work evaluating existing resources and developing new ones to fill these gaps.

Cite this

Developers Need Support, Too: A Survey of Security Advice for Software Developers. / Acar, Yasemin; Stransky, Christian; Wermke, Dominik et al.
Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017. Institute of Electrical and Electronics Engineers Inc., 2017. pp. 22-26 8077802 (Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017).

Acar, Y, Stransky, C, Wermke, D, Weir, C, Mazurek, ML & Fahl, S 2017, Developers Need Support, Too: A Survey of Security Advice for Software Developers. in Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017., 8077802, Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017, Institute of Electrical and Electronics Engineers Inc., pp. 22-26, 2017 IEEE Cybersecurity Development Conference, SecDev 2017, Cambridge, United States, 24 Sept. 2017. https://doi.org/10.1109/SecDev.2017.17
Acar, Y., Stransky, C., Wermke, D., Weir, C., Mazurek, M. L., & Fahl, S. (2017). Developers Need Support, Too: A Survey of Security Advice for Software Developers. In Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017 (pp. 22-26). Article 8077802 (Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SecDev.2017.17
Acar Y, Stransky C, Wermke D, Weir C, Mazurek ML, Fahl S. Developers Need Support, Too: A Survey of Security Advice for Software Developers. in Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017. Institute of Electrical and Electronics Engineers Inc. 2017. pp. 22-26. 8077802. (Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017). doi: 10.1109/SecDev.2017.17
Acar, Yasemin ; Stransky, Christian ; Wermke, Dominik et al. / Developers Need Support, Too : A Survey of Security Advice for Software Developers. Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017. Institute of Electrical and Electronics Engineers Inc., 2017. pp. 22-26 (Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017).
@inproceedings{c68589f663f84c59b1598216b237bc59,
title = "Developers Need Support, Too: A Survey of Security Advice for Software Developers",
author = "Yasemin Acar and Christian Stransky and Dominik Wermke and Charles Weir and Mazurek, {Michelle L.} and Sascha Fahl",
year = "2017",
month = oct,
day = "20",
doi = "10.1109/SecDev.2017.17",
language = "English",
series = "Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "22--26",
booktitle = "Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017",
address = "United States",
note = "2017 IEEE Cybersecurity Development Conference, SecDev 2017 ; Conference date: 24-09-2017 Through 26-09-2017",

}

TY - GEN

T1 - Developers Need Support, Too

T2 - 2017 IEEE Cybersecurity Development Conference, SecDev 2017

AU - Acar, Yasemin

AU - Stransky, Christian

AU - Wermke, Dominik

AU - Weir, Charles

AU - Mazurek, Michelle L.

AU - Fahl, Sascha

PY - 2017/10/20

Y1 - 2017/10/20

UR - http://www.scopus.com/inward/record.url?scp=85035765557&partnerID=8YFLogxK

U2 - 10.1109/SecDev.2017.17

DO - 10.1109/SecDev.2017.17

M3 - Conference contribution

AN - SCOPUS:85035765557

T3 - Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017

SP - 22

EP - 26

BT - Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 24 September 2017 through 26 September 2017

ER -