- NSF-PAR ID:
- 10165776
- Date Published:
- Journal Name:
- IEEE SecDev
- Volume:
- 2019
- Page Range / eLocation ID:
- 129 - 140
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
Compliance reviews within a software organization are internal attempts to verify regulatory and security requirements during product development before its release. However, these reviews are not enough to adequately assess and address regulatory and security requirements throughout a software’s development lifecycle. We believe requirements engineers can benefit from an improved understanding of how software practitioners treat and perceive compliance requirements. This paper describes an interview study seeking to understand how regulatory and security standard requirements are addressed, how burdensome they may be for businesses, and how our participants perceived them in the software development lifecycle. We interviewed 15 software practitioners from 13 organizations with different roles in the software development process and working in various industry domains, including big tech, healthcare, data analysis, finance, and small businesses. Our findings suggest that, for our participants, the software release process is the ultimate focus for regulatory and security compliance reviews. Also, most participants suggested that having a defined process for addressing compliance requirements was freeing rather than burdensome. Finally, participants generally saw compliance requirements as an investment for both employees and customers. These findings may be unintuitive, and we discuss seven lessons this work may hold for requirements engineering.more » « less
-
null (Ed.)We conducted an ethnographic study of a software development company to explore if and how a development team adopts security practices into the development lifecycle. A PhD student in computer science with prior training in qualitative research methods was embedded in the company for eight months. The researcher joined the company as a software engineer and participated in all development activities as a new hire would, while also making observations on the development practices. During the fieldwork, we observed a positive shift in the development team's practices regarding secure development. Our analysis of data indicates that the shift can be attributed to enabling all software engineers to see how security knowledge could be applied to the specific software products they worked on. We also observed that by working with other developers to apply security knowledge under the concrete context where the software products were built, developers who possessed security expertise and wanted to push for more secure development practices (security advocates) could be effective in achieving this goal. Our data point to an interactive learning process where software engineers in a development team acquire knowledge, apply it in practice, and contribute to the team, leading to the creation of a set of preferred practices, or "culture" of the team. This learning process can be understood through the lens of the situated learning framework, where it is recognized that knowledge transfer happens within a community of practice, and applying the knowledge is the key in individuals (software engineers) acquiring it and the community (development team) embodying such knowledge in its practice. Our data show that enabling a situated learning environment for security gives rise to security-aware software engineers. We discuss the roles of management and security advocates in driving the learning process to start a security culture in a software company.more » « less
-
Ethics is and should be intrinsic to engineering. However, many engineering students do not recognize that every engineering decision contains ethical dimensions and that underlying values and current sociopolitical and cultural contexts can influence those decisions. One potential way to enhance engineering students’ ethical development is through extra-curricular activities (ECAs). ECAs can include many topics and interests, such as student societies (e.g., fraternities and sororities) and cultural and social organizations (e.g., Society of Hispanic Professional Engineers, Latinos in Science and Engineering, Society of Women Engineers). Previous studies emphasize that participation in student organizations plays an important role in the ethical development of students. Despite this important role, it is not clear whether some student organizations are more successful at enhancing ethical development of engineering students than others, or if it is the act of participation in these organizations itself has an effect on students’ ethical development. We hypothesize that the more organizations students participate in, the higher their ethical development will be. As such, we ask, does participation in more organizations enhances students’ overall moral development? To respond to this question, we distributed a survey to senior engineering students (n=165) at one Midwestern university in the spring of 2020. The survey captured demographics information, membership in student organizations, and the standardized Defining Issue Test-2 (DIT-2), which measures students’ ethical developmental indices (Personal Interest, Maintaining Norms, Post-conventional Thinking Score, and N2Score). The preliminary results suggest that there are significant differences between the groups of students who participated in one organization and two organizations as well as between one organization and three or more organizations, with the largest difference between those who participated in one organization and those who participated in three or more organizations. This suggests that it is possible that students with low PI scores become involved in more student organizations. This project studies student organizations as key sites for ethical learning. The research suggests that students should be encouraged to participate in more student organizations in order to promote their overall ethical development.more » « less
-
Cellular service providers continuously upgrade their network software on base stations to introduce new service features, fix software bugs, enhance quality of experience to users, or patch security vulnerabilities. A software upgrade typically requires the network element to be taken out of service, which can potentially degrade the service to users. Thus, the new software is deployed across the network using a rolling upgrade model such that the service impact during the roll-out is minimized. A sequential roll-out guarantees minimal impact but increases the deployment time thereby incurring a significant human cost and time in monitoring the upgrade. A network-wide concurrent roll-out guarantees minimal deployment time but can result in a significant service impact. The goal is to strike a balance between deployment time and service impact during the upgrade. In this paper, we first present our findings from analyzing upgrades in operational networks and discussions with network operators and exposing the challenges in rolling software upgrades. We propose a new framework Concord to effectively coordinate software upgrades across the network that balances the deployment time and service impact. We evaluate Concord using real-world data collected from a large operational cellular network and demonstrate the benefits and tradeoffs. We also present a prototype deployment of Concord using a small-scale LTE testbed deployed indoors in a corporate building.more » « less
-
Abstract Professionals need to collaborate with multiple stakeholders in product development to stay competitive and to innovate. Through their values and mission, companies develop a specific working environment that can lead to the development of design methods and tools. In this article, we study design team dynamics of professional engineers working in two different organizations. We aim at identifying differences in team behaviors between teams drawn from two different organizations. The goal is twofold. At a theoretical level, we aim at gaining a better understanding of the effect of work culture on design team behaviors. At a methodological level, we explore whether grouping teams from different organizations into a single larger sample to obtain better reliability is relevant. To do this, we compared two cohorts of teams based on which company engineers worked at. Both companies are international organizations employing more than 50,000 collaborators worldwide. Teams of three engineers worked on designing a next-generation personal assistant and entertainment system for the year 2025. We analyzed each team’s design interactions and behaviors using quantitative tools (Multiple Factor Analysis and Correspondence Analysis). Results from this exploratory analysis highlight different behaviors between cohorts as well as a common overall approach to team design thinking.