Is Secure Coding Education in the Industry Needed? An Investigation Through a Large Scale Survey
Tiago Espinha Gasiba, Ulrike Lechner, Maria Pinto-Albuquerque, Daniel Mendez

TL;DR
This study investigates the awareness and adherence of industrial software developers to secure coding guidelines through a large-scale survey, highlighting the need for improved security education and providing actionable recommendations.
Contribution
It emphasizes the importance of secure coding education for developers and offers fifteen practical items for industry implementation, supported by open survey data.
Findings
Low awareness of secure coding guidelines among developers
Non-compliance reasons include lack of training and awareness
Recommendations for targeted security education
Abstract
The Department of Homeland Security in the United States estimates that 90% of software vulnerabilities can be traced back to defects in design and software coding. The financial impact of these vulnerabilities has been shown to exceed 380 million USD in industrial control systems alone. Since software developers write software, they also introduce these vulnerabilities into the source code. However, secure coding guidelines exist to prevent software developers from writing vulnerable code. This study focuses on the human factor, the software developer, and secure coding, in particular secure coding guidelines. We want to understand software developers' awareness of and compliance with secure coding guidelines and why, if at all, they aren't compliant or aware. We base our results on a large-scale survey on secure coding guidelines, with more than 190 industrial software developers. Our…
