First-time security audits as a turning point? Challenges for security practices in an industry software development team

Andreas Poller, Laura Kocksch, Katharina Kinder-Kurlanda, Felix Epp

Research output: Chapter in Book/Report/Conference proceedingConference contributionScientificpeer-review

2 Citations (Scopus)

Abstract

Software development is often accompanied by security audits such as penetration tests, usually performed on behalf of the software vendor. In penetration tests security experts identify entry points for attacks in a software product. Many development teams undergo such audits for the first time if their product is attacked or faces new security concerns. The audits often serve as an eye-opener for development teams: they realize that security requires much more attention. However, there is a lack of clarity with regard to what lasting benefits developers can reap from penetration tests. We report from a one-year study of a penetration test run at a major software vendor, and describe how a software development team managed to incorporate the test findings. Results suggest that penetration tests improve developers' security awareness, but that long-lasting enhancements of development practices are hampered by a lack of dedicated security stakeholders and if security is not properly reflected in the communicative and collaborative structures of the organization.

Original languageEnglish
Title of host publicationACM SIGCHI Annual Conference on Human Factors in Computing Systems
PublisherAssociation for Computing Machinery (ACM)
Pages1288-1294
Number of pages7
ISBN (Electronic)978-1-4503-4082-3
DOIs
Publication statusPublished - 7 May 2016
MoE publication typeA4 Article in a conference publication
EventACM SIGCHI Annual Conference on Human Factors in Computing Systems - San Jose, United States
Duration: 7 May 201612 May 2016
Conference number: 34
https://chi2016.acm.org/wp/

Conference

ConferenceACM SIGCHI Annual Conference on Human Factors in Computing Systems
Abbreviated titleACM CHI
CountryUnited States
CitySan Jose
Period07/05/201612/05/2016
Internet address

Keywords

  • Development practices
  • Organizational factors
  • Penetration testing
  • Qualitative study
  • Secure software engineering

Fingerprint Dive into the research topics of 'First-time security audits as a turning point? Challenges for security practices in an industry software development team'. Together they form a unique fingerprint.

Cite this