Measuring Developers' Software Security Skills, Usage, and Training Needs

Tosin Daniel Oyetoyan (Western Norway University of Applied Sciences, Norway), Martin Gilje Gilje Jaatun (SINTEF Digital, Norway) and Daniela Soares Cruzes (SINTEF Digital, Norway)
Copyright: © 2019 | Pages: 27
DOI: 10.4018/978-1-5225-6313-6.ch011

Abstract

Software security does not emerge fully formed by divine intervention in deserving software development organizations; it requires that developers have the theoretical background and practical skills needed to write secure software, and that the software security activities are actually performed rather than remaining documented procedures that sit gathering dust on a shelf. In this chapter, the authors present a survey instrument that can be used to investigate software security usage, competence, and training needs in agile organizations. They present results of using this instrument in two organizations. They find that, regardless of cost or benefit, skill drives the kind of activities that are performed, and that secure design may be the most important training need.
Chapter Preview

Background

Software security has existed as a distinct field of research for over a decade, and reached prominence with the publication of the book “Software Security” (Gary McGraw, 2006).

The studies by Ayalew et al. (2013), Baca and Carlsson (2011), and Morrison et al. (2017) have investigated security activities along cost and benefit dimensions in order to advise on frameworks and on the selection of security activities that can be integrated into agile software development. Jaatun et al. (2015) have used BSIMM to measure security practices, but with a focus on security maturity at an organisational level. Other studies not directly related to our work have looked into the market skills relevant for cybersecurity jobs. For example, Potter and Vickers (2015) used a questionnaire to address the question of what skills a security professional needs in the current information technology environment, exploring this question by looking at the current state of the Australian industry. Fontenele (2017) developed a conceptual model and an ontological methodology to aid the robust discovery of the fittest expertise, driven by the specific needs of cyber security projects, as well as to benchmark expertise shortages.

Our work differs from these studies as we have measured developers’ skills and training needs along software security activities.
