Developer Security Toolkit
How the Toolkit Works

Fig. 1. A View on Security in Software Development

In the workplace, developers engage with security in a number of ways. Security is a part of activities in which developers are primarily users or administrators of systems that must remain secure. In these cases, they are expected to comply with policies set in their companies or by their clients.

Developers also take an active role in interpreting and enacting security policies for their companies and clients. This happens when they use secure functions and constructs while coding, but also when they design and architect solutions, or participate in product management or planning meetings.

Our research has identified that a developer responds to the security needs in these situations within common dimensions of development practice. The response is influenced by the task that must be completed, the informal, "small" problems that need to be solved, and the developer's individual orientation toward the situation. Figure 1 indicates how these aspects relate to each other in the context of a specific work episode that involves security.

Security activity in software development takes place against a backdrop of policies and measures that are defined by companies. It is vital to help developers gain a sense for how they can effectively engage with security in different situations. To do this, the four packages in this toolkit prompt various kinds of discussion between practitioners to help them effectively respond to security needs in the workplace: