Project Summary
The project aims to identify developer software security personas that describe a variety of developer characteristics relating to their motivation, attitudes, needs, goals, and behaviour towards software security. Personas are archetypical users whose goals and characteristics represent the needs of larger groups of users. We are developing personas based on data collected from interviews and surveys with developers. The anticipated benefit of our developer security personas is to guide the design of security-related tools with specific, not generic, developer users in mind to increase the usefulness and effectiveness of security-related tools designed for the user group.
Project Description
Software developers are key players in the security ecosystem as they produce code that runs on millions of devices. Yet, we continue to see insecure code developed and deployed regularly despite support infrastructures, tools, and research into common errors. The relatively new field of Developer-Centred Security aims to understand the context in which developers produce security-relevant code and provide tools and processes that better support both developers and secure code production. However, much of the literature considers developers to be homogeneous and interchangeable. Solutions that treat developers as a homogeneous group are likely to be less effective than tailored solutions because they do not address differences between developers.
This work aims to develop empirically grounded developer security archetypes, or “personas,” that describe differences between developer types based on their motivation, knowledge and work environment. The personas will define developer security archetypes about how they perceive security issues in software development and the related behaviour. The purpose of the personas is to tailor the design of Interventions and tools to the appropriate archetypes to enhance secure software development. While using developer personas to support the design of tools and interventions, we can reflect on which developer archetype they primarily assist for maximum effectiveness.