Gutfleisch, M; Schöps, M; Horstmann, SA; Wichmann, D; Angela Sasse, M; (2023) Security Champions Without Support: Results from a Case Study with OWASP SAMM in a Large-Scale E-Commerce Enterprise. In: Proceedings of the 2023 European Symposium on Usable Security (EuroUSEC 2023). (pp. 260-276). ACM (Association for Computing Machinery): Copenhagen, Denmark.
Abstract
Developer-centered security research has identified a variety of reasons why software developers do not follow recommended security practices: lack of knowledge, outdated information sources, time pressure, and low usability of security mechanisms and tools. Contextual factors play an important role in security, but few studies have investigated security interventions with developers in organizational settings. In this case study, we track the impact of appointing security champions in a large e-commerce company with five software development teams, using the OWASP Security Assurance Maturity Model (OWASP SAMM) to measure the extent to which security practices were adopted. We also elicited the experiences of the security champions and developers in each team in 15 qualitative interviews. The results of the OWASP SAMM assessment show the adoption of secure practices varied widely between the different teams. Results from the interviews revealed different levels of security knowledge and commitment to the role between the security champions - but they agree in their perceived lack of support from company security experts and management. We conclude that secure software development requires more than appointing individuals such as security champions - to transform software development practices requires an organization-wide commitment, including access to resources and support.
| Field | Value |
|---|---|
| Type | Proceedings paper |
| Title | Security Champions Without Support: Results from a Case Study with OWASP SAMM in a Large-Scale E-Commerce Enterprise |
| Event | EuroUSEC 2023: The 2023 European Symposium on Usable Security |
| Open access status | An open access version is available from UCL Discovery |
| DOI | 10.1145/3617072.3617115 |
| Publisher version | https://doi.org/10.1145/3617072.3617115 |
| Language | English |
| Additional information | © 2023 Owner/Author. This work is licensed under a Creative Commons Attribution-ShareAlike International 4.0 License (https://creativecommons.org/licenses/by-sa/4.0/deed.en). |
| Keywords | Security, Software Engineering, Usable Security, Case Study, Security Frameworks, OWASP |
| UCL classification | UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
| URI | https://discovery.ucl.ac.uk/id/eprint/10181281 |