Organisations Must Embrace a Software Security Culture

By Ita Ryan, PhD software security researcher at UCC

When considering online security issues, the focus is often on overall cybersecurity rather than on vulnerable software. Software security involves designing and writing software so that it is resistant to attack by bad actors. Anyone who has been paying attention to the never-ending cycle of vulnerability-patch-vulnerability-patch in modern software will be aware that software security remains an unsolved problem.

Laboratory research has revealed that most software developers will not even attempt to code securely unless asked [1]. This is not surprising, because coding securely takes understanding, effort and time, and time is something that nobody has. Software developers are notoriously under constant pressure to implement new features to tight deadlines.

Our research suggests that a quarter of organisations undertake few or no software security practices [2]. At least 20% of organisations that do engage in software security practice have a poor software security culture. Discussion of software security is absent. Time spent on it is minimal. Developers struggle with large numbers of vulnerability tickets, with no in-house experts to lean on for support. Some have worked with management teams that actively subvert software security precautions [3]. This is the ultimate indicator that good software security culture is absent.

A recent study has verified what experts long suspected: thinking about software security up-front, from the beginning of a project, yields simpler, more robust security solutions [4]. Yet our research indicates that management teams may take the view that it is easier to address issues after they occur than to build security in from the beginning. When the risk of developing insecure software is added to an organisational risk register, it is frequently treated as an in-house risk that may expose the organisation to ransomware or other attack. But in fact, developing and releasing insecure software creates a societal risk. It is often the organisation’s customers who are most exposed.

Annual ransomware payouts passed the one billion dollar mark for the first time in 2023. Prominent contributors to this figure were zero-day vulnerabilities in the GoAnywhere and MOVEit file transfer software systems, which were exploited by the Clop ransomware gang. Meanwhile, zero-days in Barracuda, VMware and other software facilitated espionage activity in the U.S., Asia and elsewhere by actors from hostile nations. These and many other instances showed once again the role of software vulnerabilities in digital fragility.

In recent remarks, Eric Goldstein of the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. demanded a “philosophical shift” [5]. Instead of expecting generally ill-equipped businesses to engage in an unwinnable patching race, organisations should supply secure software that does not need constant remediation. New legislation from the U.S., Europe and other countries will place more of the financial burden of ransomware, cyberespionage and other cybercrime on organisations that release insecure software [6].

The climate is changing. Software security practice must evolve. It is no longer enough to tick software security boxes in a compliance-heavy regime. It is more productive to create a positive software security culture, giving developers enough time, budget, and support. This should herald the dawn of a new, and better, era in secure programming.

[1] See the series of studies on password storage by Naiakshina et al., beginning with ‘Why do developers get password storage wrong? A qualitative usability study’, ACM Conference on Computer and Communications Security (CCS), 2017. Laboratory studies with students, freelancers and professional developers all found that simply asking developers to code securely has a strong impact on whether they attempt to do so.

[2] Ryan et al., ‘Measuring Secure Coding Practice and Culture: A Finger Pointing at the Moon is not the Moon’, International Conference on Software Engineering (ICSE), 2023.

[3] A recent qualitative study by Ryan et al., currently undergoing peer review.

[4] Fulton et al., ‘Understanding the How and the Why: Exploring Secure Development Practices through a Course Competition’, ACM CCS, 2022.

[5] https://cyberscoop.com/cisa-goldstein-secure-by-design/

[6] https://www.cybersecuritydive.com/news/national-cyber-software-liability/644232/

Ita Ryan MSc, SFI Centre for Research Training in Advanced Networks for Sustainable Societies (ADVANCE), University College Cork