Motivating Jenny to write Secure Software
Community and Culture of Coding
Many real-world security vulnerabilities in software relate to a few known classes of attack such as code injection. Secure coding practices and technologies for detecting and preventing vulnerabilities in software are likewise established, such as input sanitisation and non-escaping strings. However, it is not clear why many professional software developers do not adopt these practices and technologies as a matter of course. This project examines the role developer motivation plays in the production of secure code.
Motivation significantly influences productivity and code quality in software development projects. Successful developers are motivated to learn new technologies, but are rarely motivated by reading documentation or studying manuals. They engage in peer-to-peer interactions and assessments, two forms of interaction that have been found to bring about lasting cultural change within the wider software developer community. This is evident, for example, in the widespread adoption of object-oriented technologies and agile development practices.
Motivating Jenny will investigate how to initiate and sustain secure software culture, building upon frameworks of personal motivation and team culture (see Figure 1). Two specific aims are to:
- A1. Develop an empirically-grounded model of why and how non-specialist developers can be motivated to adopt secure coding practices and technologies into their software development practice.
- A2. Develop guidelines for creating and propagating a security culture across software teams.
To address these research aims, we will conduct ethnographic and constrained task studies and draw upon classic models of motivation, organisational theory, and social and cultural pyschology. Our engagement with the developer community will consider online and professional settings, in communities such as those found in StackExchange and through collaboration with a range of companies including members of Agile Business Consortium (ABC) Ltd and international partners in Ireland, Brazil and Japan.
This is a joint project between The Open University and Exeter University, and is a sister project of the EPSRC-funded Why Johnny doesn’t write secure software? Secure Software Development by the masses.
Team
- The Open University
- Exeter University
Publications
Related Publications
- França, C. Sharp, H., & Da Silva, F. Q. (2014) Motivated software engineers are engaged and focused, while satisfied ones are happy. In ESEM: Proceedings of the 8th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (no. 32). ACM Press.
- Sharp, H., Baddoo, N., Beecham, S., Hall, T. and Robinson, H.M. (2009) Models of motivation in software engineering. Information and Software Technology 51(1) (pp. 219-233).
- Lopez, T., Petre, M., & Nuseibeh, B. (2016). Examining active error in software development. In VL/HCC: IEEE Symposium on Visual Languages and Human-Centric Computing (pp. 152-156). IEEE Press.
- Lopez, T. (2016). Error Detection and Recovery in Software Development. PhD Thesis, the Open University.
- Sach, R.J. (2013) The Impact of Feedback on the Motivation of Software Engineers. PhD Thesis, the Open University.
- Sharp, H., Dittrich, Y. and deSouza, C. (2016) The Role of Ethnographic Studies in Empirical Software Engineering. IEEE Transactions on Software Engineering. IEEE Press.
- Tun, T. T., Jackson, M., Laney, R., Nuseibeh, B., & Yu, Y. (2009). Are your lights off? Using problem frames to diagnose system failures. In RE'09: 17th IEEE International Requirements Engineering Conference (pp. 343-348). IEEE Press.
News
- Invited Talk: Helen Sharp, Motivating Jenny to Write Secure Software: Community and Culture of Coding, RISCS Community Meeting, UCL, 22 June 2017
- Panel: Helen Sharp and Bashar Nuseibeh, Every little helps? Supporting the transition to secure software development processes, RISCS Community Meeting, UCL, 22 June 2017