Secure Code Development in Practice

A session exploring attitudes and perceptions toward security in the context of software development practice.

Workshop, 75 min., Discussion

Abstract

How do developers encounter security on the job? In this two-part session, attendees will be prompted to think about what security is and why it is important to developers. Through guided exercises, participants will consider what comprises security for different kinds of systems, and the consequences of security breaches. We will finish with a discussion that relates the approach used in parts one and two to stories taken from the group about encounters with security.

This is not a technical security session but one focused on reflection about attendees' own attitudes and behaviour in development practice around security. The aim is to help attendees learn from each other about how improve secure coding practice.

This workshop has been developed as a part of research that is examining the role motivation plays in the production of secure code and how practitioners can initiate and sustain a secure software culture.

Audience background

Attendees should have a background in professional software development. While other roles may benefit from this session, it is primarily geared toward developers. No specific security expertise is required.

Benefits of participating

* Greater awareness of different approaches to software security.
* Insight into perceptions and attitudes toward security and how these might affect secure coding in practice.
* Suggestions and insights from each other about what it takes to develop and sustain a security culture.

Materials provided

* prompting cards for reflection
* stories drawn from the media about security
* aids for group discussion (pens, paper, sticky notes)

Process

Attendees will form groups of 5 or 6. Materials will be provided to capture discussion. Moderators will support groups as they work through the aims for each part.

== Part 1: Problems in Software ==

In this part, attendees will consider a story about a security breach taken from the media. Attendees will explore details of the story to establish, for example, what happened, what was at stake, what was done to fix the problem, and what could have been done to avoid the problem.

== Part 2: What is Security? ==

In the second part, attendees will be asked to consider security as postive, proactive, and socially constructed. In a guided discussion, each group will examine a second incident account. Moderators will help each group establish what security means to them by exploring the security incident in the context of values associated with systems design. What is important, what matters to the makers and users of systems?

== Discussion: Supporting Secure Coding ==

In a moderated discussion, attendees will apply the approach used in the first two parts to consider a story encountered by one or more participants on the job. Attendees will be guided to reflect on how a broader approach toward thinking about security can be applied to secure coding practice. Can this framework help developers write more secure code? At what point in the development process would it be helpful?

Detailed timetable

75 minute session

00:00 - 00:10 - Introduction

00:10 - 00:30 - Part 1 - Problems in Software
00:30 - 00:50- Part 2 - What is Security?
00:50 - 00:75- Discussion - Supporting Secure Coding

Outputs

- Follow-up email/website link containing: summary of key points from the day and links to resources to support secure coding, such as published guidelines
- Ongoing updates regarding the research project itself, for those who want to stay in touch

History

An early version of this workshop was presented at Extreme Programmers London, in November, 2017

Presenters

  1. Tamara Lopez
    The Open University
  2. Helen Sharp
    The Open University
  3. Thein Tun
    The Open University