Games and interactions to motivate the secure and analytical mindsets of developers
Abstract
Today, poor developer security mindsets, lack of secure programming knowledge, and difficult-to-use
secure development tools result in vulnerabilities being introduced into code. To resolve these issues, we must
assist developers in improving their practice. We do this by investigating and designing interactions
that motivate developers to be more security conscious as they work. We conduct three different
experiments, evaluating the impact on developer practice.
First, we develop our Citadel Programming Lab to teach secure programming through a serious
game. We find the game, embedded within a lab, is a suitable design to assist and motivate developers
with secure development concepts.
Second, we explore development Issue Prioritisation using security processes. We find that using
security analysis frameworks may be difficult for non-experts and that increased communication is
important.
Third, we evaluate Peer-Testing, a platform supporting students in developing, testing, and reviewing
coursework code. We find that peer assessment benefits program testing, elicits new interactions
between students, and establishes critical analytical review processes.
We find developers desire more help with security and critical evaluation, and over the course of our research we
create, and evaluate the value of, new interactions which assist and improve developer practice.