Challenging software developers: dialectic as a foundation for security assurance techniques
Journal of Cybersecurity (IF 2.9), published 2020-09-14, DOI: 10.1093/cybsec/tyaa007
Charles Weir, Awais Rashid, James Noble
Abstract
Development teams are increasingly expected to deliver secure code, but how can they best achieve this? Traditional security practice, which emphasizes ‘telling developers what to do’ using checklists, processes and errors to avoid, has proved difficult to introduce. From analysis of industry interviews with a dozen experts in app development security, we find that secure development requires ‘dialectic’: a challenging dialog between the developers and a range of counterparties, continued throughout the development cycle. Analysing a further survey of 16 industry developer security advocates, we identify the six assurance techniques that are most effective at achieving this dialectic in existing development teams, and conclude that the introduction of these techniques is best driven by the developers themselves. Concentrating on these six assurance techniques, and the dialectical interactions they involve, has the potential to increase the security of development activities and thus improve software security for everyone.


Updated: 2020-09-14