Dancing, not wrestling: moving from compliance to concordance for secure software development

Debi Ashenden*, Miriam Gail Ollis, Iain Reid

*Corresponding author for this work

Research output: Conference contribution (chapter in book/report/conference proceeding)

Abstract

Secure software development has become an increasingly important focus for research in recent years, not least because of advances in technology such as AI and machine learning (AI/ML), robotics, and autonomous systems (RAS). AI/ML and RAS facilitate automated decision-making and can have a significant impact on society. As such, this technology needs to be trustworthy, and secure software development is a key attribute of trustworthiness. Software developers frequently have responsibility and accountability for delivering secure code but limited authority over how this is achieved. Authority tends to lie with cyber security professionals who mandate security processes, tools and training, often with limited success. Our research objective was to better understand how to bridge this gap between software developers and cyber security practitioners so that authority, responsibility and accountability are shared equally. We took inspiration from healthcare research that looks at the relationship between compliance, adherence and concordance. We use this research as a lens through which to analyse qualitative data from 35 interviews with professional software developers. Our research suggests that if software developers and cyber security professionals move to a point of concordance in their interactions, it could lead to the negotiation of more realistic cyber security solutions, remove friction from the practice of software developers, and ultimately lead to more secure and trustworthy systems.
Original language: English
Title of host publication: ASE22: 37th IEEE/ACM International Conference on Automated Software Engineering
Publisher: Association for Computing Machinery (ACM)
Pages: 219:1-219:9
Number of pages: 9
ISBN (Print): 9781450394758
Publication status: Published - 5 Jan 2023
Event: ASE '22: 37th IEEE/ACM International Conference on Automated Software Engineering - Rochester, United States
Duration: 10 Oct 2022 to 14 Oct 2022

Conference

Conference: ASE '22: 37th IEEE/ACM International Conference on Automated Software Engineering
Country/Territory: United States
City: Rochester
Period: 10/10/22 to 14/10/22