Secure software development has become an increasingly important focus for research in recent years, not least because of advances in technologies such as artificial intelligence and machine learning (AI/ML) and robotics and autonomous systems (RAS). AI/ML and RAS facilitate automated decision-making and can have a significant impact on society. As such, this technology needs to be trustworthy, and secure software development is a key attribute of trustworthiness. Software developers frequently have responsibility and accountability for delivering secure code but limited authority over how this is achieved. Authority tends to lie with cyber security professionals who mandate security processes, tools and training, often with limited success. Our research objective was to better understand how to bridge this gap between software developers and cyber security practitioners so that authority, responsibility and accountability are shared equally. We took inspiration from healthcare research that examines the relationship between compliance, adherence and concordance. We use this research as a lens through which to analyse qualitative data from 35 interviews with professional software developers. Our research suggests that if software developers and cyber security professionals move to a point of concordance in their interactions, it could lead to the negotiation of more realistic cyber security solutions, remove friction from the practice of software developers and ultimately lead to more secure and trustworthy systems.
Ashenden, D., Ollis, G., & Reid, I. (2022). Dancing, not Wrestling: Moving from Compliance to Concordance for Secure Software Development. In ACM International Conference Proceeding Series. Association for Computing Machinery. https://doi.org/10.1145/3551349.3561145