First-time security audits as a turning point? Challenges for security practices in an industry software development team

Andreas Poller; Laura Kocksch; Katharina Kinder-Kurlanda; Felix Epp

doi:10.1145/2851581.2892392

First-time security audits as a turning point? Challenges for security practices in an industry software development team

Andreas Poller, Laura Kocksch, Katharina Kinder-Kurlanda, Felix Epp

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

Abstract

Software development is often accompanied by security audits such as penetration tests, usually performed on behalf of the software vendor. In penetration tests security experts identify entry points for attacks in a software product. Many development teams undergo such audits for the first time if their product is attacked or faces new security concerns. The audits often serve as an eye-opener for development teams: they realize that security requires much more attention. However, there is a lack of clarity with regard to what lasting benefits developers can reap from penetration tests. We report from a one-year study of a penetration test run at a major software vendor, and describe how a software development team managed to incorporate the test findings. Results suggest that penetration tests improve developers' security awareness, but that long-lasting enhancements of development practices are hampered by a lack of dedicated security stakeholders and if security is not properly reflected in the communicative and collaborative structures of the organization.

Original language	English
Title of host publication	CHI EA 2016 : #chi4good - Extended Abstracts, 34th Annual CHI Conference on Human Factors in Computing Systems
Number of pages	7
Publisher	Association for Computing Machinery
Publication date	7 May 2016
Pages	1288-1294
ISBN (Electronic)	9781450340823
DOIs	https://doi.org/10.1145/2851581.2892392
Publication status	Published - 7 May 2016
Externally published	Yes
MoE publication type	A4 Article in conference proceedings
Event	34th Annual CHI Conference on Human Factors in Computing Systems, CHI EA 2016 - San Jose, United States Duration: 7 May 2016 → 12 May 2016

Publication series

Name	Conference on Human Factors in Computing Systems - Proceedings
Volume	07-12-May-2016

Bibliographical note

Publisher Copyright:
© 2016 Authors.

Fields of Science

Development practices
Organizational factors
Penetration testing
Qualitative study
Secure software engineering

Access to Document

10.1145/2851581.2892392

Cite this

Poller, A., Kocksch, L., Kinder-Kurlanda, K., & Epp, F. (2016). First-time security audits as a turning point? Challenges for security practices in an industry software development team. In CHI EA 2016: #chi4good - Extended Abstracts, 34th Annual CHI Conference on Human Factors in Computing Systems (pp. 1288-1294). (Conference on Human Factors in Computing Systems - Proceedings; Vol. 07-12-May-2016). Association for Computing Machinery. https://doi.org/10.1145/2851581.2892392

Poller, Andreas ; Kocksch, Laura ; Kinder-Kurlanda, Katharina et al. / First-time security audits as a turning point? Challenges for security practices in an industry software development team. CHI EA 2016: #chi4good - Extended Abstracts, 34th Annual CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery, 2016. pp. 1288-1294 (Conference on Human Factors in Computing Systems - Proceedings).

@inproceedings{93e23f0d776b42838a7c04ba0950c911,

title = "First-time security audits as a turning point? Challenges for security practices in an industry software development team",

abstract = "Software development is often accompanied by security audits such as penetration tests, usually performed on behalf of the software vendor. In penetration tests security experts identify entry points for attacks in a software product. Many development teams undergo such audits for the first time if their product is attacked or faces new security concerns. The audits often serve as an eye-opener for development teams: they realize that security requires much more attention. However, there is a lack of clarity with regard to what lasting benefits developers can reap from penetration tests. We report from a one-year study of a penetration test run at a major software vendor, and describe how a software development team managed to incorporate the test findings. Results suggest that penetration tests improve developers' security awareness, but that long-lasting enhancements of development practices are hampered by a lack of dedicated security stakeholders and if security is not properly reflected in the communicative and collaborative structures of the organization.",

keywords = "Development practices, Organizational factors, Penetration testing, Qualitative study, Secure software engineering",

author = "Andreas Poller and Laura Kocksch and Katharina Kinder-Kurlanda and Felix Epp",

note = "Publisher Copyright: {\textcopyright} 2016 Authors.; 34th Annual CHI Conference on Human Factors in Computing Systems, CHI EA 2016 ; Conference date: 07-05-2016 Through 12-05-2016",

year = "2016",

month = may,

day = "7",

doi = "10.1145/2851581.2892392",

language = "English",

series = "Conference on Human Factors in Computing Systems - Proceedings",

publisher = "Association for Computing Machinery",

pages = "1288--1294",

booktitle = "CHI EA 2016",

address = "United States",

}

Poller, A, Kocksch, L, Kinder-Kurlanda, K & Epp, F 2016, First-time security audits as a turning point? Challenges for security practices in an industry software development team. in CHI EA 2016: #chi4good - Extended Abstracts, 34th Annual CHI Conference on Human Factors in Computing Systems. Conference on Human Factors in Computing Systems - Proceedings, vol. 07-12-May-2016, Association for Computing Machinery, pp. 1288-1294, 34th Annual CHI Conference on Human Factors in Computing Systems, CHI EA 2016, San Jose, United States, 07/05/2016. https://doi.org/10.1145/2851581.2892392

First-time security audits as a turning point? Challenges for security practices in an industry software development team. / Poller, Andreas; Kocksch, Laura; Kinder-Kurlanda, Katharina et al.
CHI EA 2016: #chi4good - Extended Abstracts, 34th Annual CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery, 2016. p. 1288-1294 (Conference on Human Factors in Computing Systems - Proceedings; Vol. 07-12-May-2016).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

TY - GEN

T1 - First-time security audits as a turning point? Challenges for security practices in an industry software development team

AU - Poller, Andreas

AU - Kocksch, Laura

AU - Kinder-Kurlanda, Katharina

AU - Epp, Felix

PY - 2016/5/7

Y1 - 2016/5/7

N2 - Software development is often accompanied by security audits such as penetration tests, usually performed on behalf of the software vendor. In penetration tests security experts identify entry points for attacks in a software product. Many development teams undergo such audits for the first time if their product is attacked or faces new security concerns. The audits often serve as an eye-opener for development teams: they realize that security requires much more attention. However, there is a lack of clarity with regard to what lasting benefits developers can reap from penetration tests. We report from a one-year study of a penetration test run at a major software vendor, and describe how a software development team managed to incorporate the test findings. Results suggest that penetration tests improve developers' security awareness, but that long-lasting enhancements of development practices are hampered by a lack of dedicated security stakeholders and if security is not properly reflected in the communicative and collaborative structures of the organization.

AB - Software development is often accompanied by security audits such as penetration tests, usually performed on behalf of the software vendor. In penetration tests security experts identify entry points for attacks in a software product. Many development teams undergo such audits for the first time if their product is attacked or faces new security concerns. The audits often serve as an eye-opener for development teams: they realize that security requires much more attention. However, there is a lack of clarity with regard to what lasting benefits developers can reap from penetration tests. We report from a one-year study of a penetration test run at a major software vendor, and describe how a software development team managed to incorporate the test findings. Results suggest that penetration tests improve developers' security awareness, but that long-lasting enhancements of development practices are hampered by a lack of dedicated security stakeholders and if security is not properly reflected in the communicative and collaborative structures of the organization.

KW - Development practices

KW - Organizational factors

KW - Penetration testing

KW - Qualitative study

KW - Secure software engineering

UR - https://www.scopus.com/pages/publications/85014667456

U2 - 10.1145/2851581.2892392

DO - 10.1145/2851581.2892392

M3 - Conference contribution

AN - SCOPUS:85014667456

T3 - Conference on Human Factors in Computing Systems - Proceedings

SP - 1288

EP - 1294

BT - CHI EA 2016

PB - Association for Computing Machinery

T2 - 34th Annual CHI Conference on Human Factors in Computing Systems, CHI EA 2016

Y2 - 7 May 2016 through 12 May 2016

ER -

Poller A, Kocksch L, Kinder-Kurlanda K, Epp F. First-time security audits as a turning point? Challenges for security practices in an industry software development team. In CHI EA 2016: #chi4good - Extended Abstracts, 34th Annual CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery. 2016. p. 1288-1294. (Conference on Human Factors in Computing Systems - Proceedings). doi: 10.1145/2851581.2892392

First-time security audits as a turning point? Challenges for security practices in an industry software development team

Abstract

Publication series

Bibliographical note

Fields of Science

Access to Document

Other files and links

Cite this