Raising Secure Coding Awareness for Software Developers in the Industry
Tiago Espinha Gasiba, Ulrike Lechner

TL;DR
This paper discusses how to improve software developers' awareness of secure coding practices in industry by selecting appropriate guidelines and using serious games for training.
Contribution
It provides an overview of research questions related to choosing secure coding guidelines and raising developer awareness through serious games.
Findings
Secure coding guidelines are often abstract, and language-specific guidelines are scarce.
Serious games can be an effective tool for training developers in secure coding.
The paper highlights the need for methodologies to effectively communicate secure coding practices.
Abstract
Many industrial IT security standards and policies mandate the usage of a secure coding methodology in the software development process. This implies two different aspects: first, secure coding must be based on a set of secure coding guidelines, and second, software developers must be aware of these secure coding practices. On the one side, secure coding guidelines seem a bit like a black art: while there exist abstract guidelines that are widely accepted, low-level secure coding guidelines for different programming languages are scarce. On the other side, once a set of secure coding guidelines is chosen, a good methodology is needed to make them known by the people who should be using them, i.e. software developers. Motivated both by the secure coding requirements from industry standards and also by the mandate to train staff on IT security by the global industry initiative…
Taxonomy
Topics: Information and Cyber Security · Advanced Malware Detection Techniques · Cybercrime and Law Enforcement Studies
