{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T03:21:52Z","timestamp":1771989712750,"version":"3.50.1"},"reference-count":61,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2020,9,14]],"date-time":"2020-09-14T00:00:00Z","timestamp":1600041600000},"content-version":"vor","delay-in-days":257,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020,1,1]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Development teams are increasingly expected to deliver secure code, but how can they best achieve this? Traditional security practice, which emphasizes \u2018telling developers what to do\u2019 using checklists, processes and errors to avoid, has proved difficult to introduce. From analysis of industry interviews with a dozen experts in app development security, we find that secure development requires \u2018dialectic\u2019: a challenging dialog between the developers and a range of counterparties, continued throughout the development cycle. Analysing a further survey of 16 industry developer security advocates, we identify the six assurance techniques that are most effective at achieving this dialectic in existing development teams, and conclude that the introduction of these techniques is best driven by the developers themselves. Concentrating on these six assurance techniques, and the dialectical interactions they involve, has the potential to increase the security of development activities and thus improve software security for everyone.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaa007","type":"journal-article","created":{"date-parts":[[2020,9,14]],"date-time":"2020-09-14T16:24:16Z","timestamp":1600100656000},"source":"Crossref","is-referenced-by-count":12,"title":["Challenging software developers: dialectic as a foundation for security assurance techniques"],"prefix":"10.1093","volume":"6","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3051-4195","authenticated-orcid":false,"given":"Charles","family":"Weir","sequence":"first","affiliation":[{"name":"Security Lancaster, InfoLab21, Lancaster University, Lancaster, UK"}]},{"given":"Awais","family":"Rashid","sequence":"additional","affiliation":[{"name":"Bristol Cyber Security Group, University of Bristol, UK"}]},{"given":"James","family":"Noble","sequence":"additional","affiliation":[{"name":"School of Engineering and Computer Science, Victoria University, Wellington, NZ"}]}],"member":"286","published-online":{"date-parts":[[2020,9,14]]},"reference":[{"key":"2020091412240746200_tyaa007-B1","year":"2017"},{"key":"2020091412240746200_tyaa007-B2","year":"2018"},{"key":"2020091412240746200_tyaa007-B3","year":"2018"},{"key":"2020091412240746200_tyaa007-B4","year":"2015"},{"key":"2020091412240746200_tyaa007-B5","volume-title":"Constructing Grounded Theory","author":"Charmaz","year":"2014"},{"key":"2020091412240746200_tyaa007-B6","author":"Weir","year":"2016"},{"key":"2020091412240746200_tyaa007-B7","first-page":"49","author":"Weir","year":"2016"},{"key":"2020091412240746200_tyaa007-B8","doi-asserted-by":"crossref","first-page":"860","DOI":"10.1016\/j.infsof.2007.09.004","article-title":"Motivation in software engineering: a systematic literature review","volume":"50","author":"Beecham","year":"2008","journal-title":"Inform Software Technol"},{"key":"2020091412240746200_tyaa007-B9","doi-asserted-by":"crossref","first-page":"180","DOI":"10.1108\/13665621011028620","article-title":"Learning to be a programmer in a complex organization","volume":"22","author":"Johnson","year":"2010","journal-title":"J Workplace Learn"},{"key":"2020091412240746200_tyaa007-B10","author":"Enes","year":"2005"},{"key":"2020091412240746200_tyaa007-B11","doi-asserted-by":"crossref","first-page":"389","DOI":"10.1007\/s10606-015-9230-9","article-title":"How do users discover new tools in software development and beyond?","volume":"24","author":"Murphy-Hill","year":"2015","journal-title":"Comp Supp Coop Work"},{"key":"2020091412240746200_tyaa007-B12","author":"Balebako","year":"2014"},{"key":"2020091412240746200_tyaa007-B13","first-page":"289","author":"Acar","year":"2016"},{"key":"2020091412240746200_tyaa007-B14","first-page":"292","author":"Yskout","year":"2015"},{"key":"2020091412240746200_tyaa007-B15","first-page":"161","author":"Xie","year":"2011"},{"key":"2020091412240746200_tyaa007-B16","first-page":"374","author":"Votipka","year":"2018"},{"key":"2020091412240746200_tyaa007-B17","volume-title":"Agile Application Security: Enabling Security in a Continuous Delivery Pipeline","author":"Bell","year":"2017"},{"key":"2020091412240746200_tyaa007-B18","volume-title":"Computer Security, 2nd edn","author":"Gollmann","year":"2011"},{"key":"2020091412240746200_tyaa007-B19","volume-title":"Secrets and Lies: Digital Security in a Networked World","author":"Schneier","year":"2011"},{"key":"2020091412240746200_tyaa007-B20","volume-title":"Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd edn","author":"Anderson","year":"2008"},{"key":"2020091412240746200_tyaa007-B21","volume-title":"24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them","author":"Howard","year":"2009"},{"key":"2020091412240746200_tyaa007-B22"},{"key":"2020091412240746200_tyaa007-B23","first-page":"22","article-title":"Developers need support, too: a survey of security advice for software developers","author":"Acar","year":"2017","journal-title":"IEEE Secure Development Conference. Boston, MA, USA;"},{"key":"2020091412240746200_tyaa007-B24","volume-title":"Learning iOS Security","author":"Banks","year":"2015"},{"key":"2020091412240746200_tyaa007-B25","volume-title":"Core Security Patterns","author":"Steel","year":"2006"},{"key":"2020091412240746200_tyaa007-B26"},{"key":"2020091412240746200_tyaa007-B27"},{"key":"2020091412240746200_tyaa007-B28"},{"key":"2020091412240746200_tyaa007-B29","volume-title":"Android Hacker\u2019s Handbook","author":"Drake","year":"2014"},{"key":"2020091412240746200_tyaa007-B30","author":"Barua"},{"key":"2020091412240746200_tyaa007-B31","first-page":"307","author":"Do","year":"2017"},{"key":"2020091412240746200_tyaa007-B32","first-page":"98","author":"Lerch","year":"2014"},{"key":"2020091412240746200_tyaa007-B33","first-page":"947","author":"Near","year":"2016"},{"key":"2020091412240746200_tyaa007-B34","author":"Nguyen","year":"2017"},{"key":"2020091412240746200_tyaa007-B35","first-page":"227","author":"Pribik","year":"2012"},{"key":"2020091412240746200_tyaa007-B36","author":"Smeets","year":"2015"},{"key":"2020091412240746200_tyaa007-B37","first-page":"267","author":"Xie","year":"2011"},{"key":"2020091412240746200_tyaa007-B38","author":"Xie","year":"2012"},{"key":"2020091412240746200_tyaa007-B39"},{"key":"2020091412240746200_tyaa007-B40","doi-asserted-by":"crossref","first-page":"268","DOI":"10.1145\/503271.503246","article-title":"An empirical study on the utility of formal routines to transfer knowledge and experience","volume":"26","author":"Conradi","year":"2001","journal-title":"ACM SIGSOFT Software Engineering Notes"},{"key":"2020091412240746200_tyaa007-B41","first-page":"12","author":"Geer","year":"2010"},{"key":"2020091412240746200_tyaa007-B42","author":"McGraw","year":"2016"},{"key":"2020091412240746200_tyaa007-B43"},{"key":"2020091412240746200_tyaa007-B44","doi-asserted-by":"crossref","first-page":"84","DOI":"10.1109\/MC.2016.30","article-title":"Four software security findings","volume":"49","author":"McGraw","year":"2016","journal-title":"Computer"},{"key":"2020091412240746200_tyaa007-B45","author":"T\u00fcrpe","year":"2016"},{"key":"2020091412240746200_tyaa007-B46","first-page":"2489","author":"Poller","year":"2017"},{"key":"2020091412240746200_tyaa007-B47","doi-asserted-by":"crossref","first-page":"82","DOI":"10.1109\/MSP.2016.57","article-title":"Security dialogues: building better relationships between security and business","volume":"14","author":"Ashenden","year":"2016","journal-title":"IEEE Security & Privacy"},{"key":"2020091412240746200_tyaa007-B48","author":"Lopez","year":"2019"},{"key":"2020091412240746200_tyaa007-B49","doi-asserted-by":"crossref","first-page":"117","DOI":"10.1016\/j.cose.2016.03.009","article-title":"Information assurance techniques: perceived cost effectiveness","volume":"60","author":"Such","year":"2016","journal-title":"Comp Security"},{"key":"2020091412240746200_tyaa007-B50","volume-title":"The Discovery of Grounded Theory: Strategies for Qualitative Research","author":"Glaser","year":"1973"},{"key":"2020091412240746200_tyaa007-B51","first-page":"120","author":"Stol","year":"2015"},{"key":"2020091412240746200_tyaa007-B52","volume-title":"Appreciative Inquiry: A Positive Revolution in Change","author":"Cooperrider","year":"2005"},{"key":"2020091412240746200_tyaa007-B53","first-page":"144","year":"2008"},{"key":"2020091412240746200_tyaa007-B54"},{"key":"2020091412240746200_tyaa007-B55","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1016\/j.cose.2015.03.001","article-title":"Incorporating attacker capabilities in risk estimation and mitigation","volume":"51","author":"Ben Othmane","year":"2015","journal-title":"Comp Security"},{"key":"2020091412240746200_tyaa007-B56","volume-title":"The Pragmatic Programmer: From Journeyman to Master","author":"Hunt","year":"2000"},{"key":"2020091412240746200_tyaa007-B57","first-page":"413","author":"Weir","year":"1999"},{"key":"2020091412240746200_tyaa007-B58","volume-title":"Lateral Thinking: Creativity Step by Step","author":"De Bono","year":"1970"},{"key":"2020091412240746200_tyaa007-B59","doi-asserted-by":"crossref","first-page":"59","DOI":"10.1177\/1525822X05279903","article-title":"How many interviews are enough? An experiment with data saturation and variability","volume":"18","author":"Guest","year":"2006","journal-title":"Field Methods"},{"key":"2020091412240746200_tyaa007-B60","first-page":"12","author":"Weir","year":"2018"},{"key":"2020091412240746200_tyaa007-B61","author":"Rashid","year":"2016"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/6\/1\/tyaa007\/33746013\/tyaa007.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/6\/1\/tyaa007\/33746013\/tyaa007.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,9,14]],"date-time":"2020-09-14T16:24:29Z","timestamp":1600100669000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaa007\/5905456"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,1,1]]},"references-count":61,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2020,1,1]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaa007","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2020]]},"published":{"date-parts":[[2020,1,1]]},"article-number":"tyaa007"}}