Devs are SHEEP. Which is good when the leader writes secure code
Boffins study developers and find good examples will be followed by the herd
Programmers with security chops are seen as more productive and influential workers whom other coders strive to emulate, according to security researchers from North Carolina State University and Microsoft Research.
A sextet of security researchers has produced a trio of studies on the topic, finding that programmers are influenced strongly by their peers and will begin testing for and fixing bugs if their respected peers are already doing so.
The first paper [Quantifying Developers’ Adoption of Security Tools, PDF] found that “Security tools are an important part of secure software development, but many developers do not use them, even when they believe security is important.”
“As we expected, developers who perceive security to be important are more likely to use security tools than those who do not.
“But that was not the strongest predictor of security tool use; it was instead developers’ ability to observe their peers using security tools.”
Many of those using the tools have some form of security education or are in the process of gaining one. The team says this means organisations would do well to hire an infosec nerd to infect the rest of the programming team.
Security-focused programmers were also seen as more “prestigious”, to a large extent regarded as the legends of the tech shop.
Hacker coders were also seen as faster at their jobs and as better at dealing with people.
Security toolsmiths should, however, consider building tools that tailor vulnerability and patch information to the infosec chops of the coder, such that n00bs are given information about how vulnerabilities and patches are related, while l33t h4x0rz get bare-bones, uncluttered data.
The creators would also do well to make their security tools shinier in a bid to increase observability, which the work suggests leads to increased adoption within programming teams.
The researchers make no comment regarding the use of matrix-style wallpapers or cyber DDoS attack maps.
Full details of the three reports can be found here. ®