Interventions for Software Security: Creating a Lightweight Program of Assurance Techniques for DevelopersSEIPIndustry Program
Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build – systems that are ever more important to ever more people.
We propose that a series of lightweight interventions – six hours of facilitated workshops delivered over three months – can improve a team’s motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. They were then validated in fieldwork with a Participatory Action Research study that delivered the workshops to three development organizations. This approach has the potential to be applied by many development teams, improving the security of software worldwide.
Wed 29 MayDisplayed time zone: Eastern Time (US & Canada) change
11:00 - 12:30 | Security 1Journal-First Papers / Papers / Technical Track / New Ideas and Emerging Results / Software Engineering in Practice at Van-Horne Chair(s): Corina S. Păsăreanu Carnegie Mellon University Silicon Valley, NASA Ames Research Center | ||
11:00 20mTalk | Interventions for Software Security: Creating a Lightweight Program of Assurance Techniques for DevelopersSEIPIndustry Program Software Engineering in Practice Charles Weir Lancaster University, Lynne Blair Lancaster University, Ingolf Becker University College London, M. Angela Sasse University College London, James Noble Victoria University of Wellington, Awais Rashid University of Bristol, UK | ||
11:20 20mTalk | Towards Better Utilizing Static Application Security TestingSEIPIndustry Program Software Engineering in Practice Jinqiu Yang Concordia University, Montreal, Canada, Lin Tan Purdue University, John Peyton HCL America, Kristofer A Duer AppScan Source | ||
11:40 20mTalk | LEOPARD: Identifying Vulnerable Code for Vulnerability Assessment through Program MetricsTechnical Track Technical Track Xiaoning Du Nanyang Technological University, Bihuan Chen Fudan University, Yuekang Li Nanyang Technological University, Jianmin Guo Tsinghua University, Yaqin Zhou Nanyang Technological University, Yang Liu Nanyang Technological University, Singapore, Yu Jiang | ||
12:00 10mTalk | A Screening Test for Disclosed Vulnerabilities in FOSS ComponentsIndustry ProgramJournal-First Journal-First Papers Stanislav Dashevskyi University of Luxembourg, Achim D. Brucker The University of Sheffield, Fabio Massacci University of Trento Link to publication DOI Pre-print | ||
12:10 10mTalk | VULTRON: Catching Vulnerable Smart Contracts Once and for AllNIER New Ideas and Emerging Results Haijun Wang Nanyang Technological University, Yi Li Nanyang Technological University, Shang-Wei Lin Nanyang Technological University, Lei Ma Kyushu University, Yang Liu Nanyang Technological University, Singapore | ||
12:20 10mTalk | Discussion Period Papers | ||