Am I Responsible for End-User's Security? A Programmer's Perspective
This addresses the gap in understanding programmer perspectives on security responsibility, which could influence stakeholder roles in software development, though it is incremental as it builds on prior conflicting views.
The study investigated programmers' perceptions of their responsibility for end-user security in software development, finding that most programmers believe they are responsible but often do not follow necessary security practices.
Previous research has pointed that software applications should not depend on programmers to provide security for end-users as majority of programmers are not experts of computer security. On the other hand, some studies have revealed that security experts believe programmers have a major role to play in ensuring the end-users' security. However, there has been no investigation on what programmers perceive about their responsibility for the end-users' security of applications they develop. In this work, by conducting a qualitative experimental study with 40 software developers, we attempted to understand the programmer's perception on who is responsible for ensuring end-users' security of the applications they develop. Results revealed majority of programmers perceive that they are responsible for the end-users' security of applications they develop. Furthermore, results showed that even though programmers aware of things they need to do to ensure end-users' security, they do not often follow them. We believe these results would change the current view on the role that different stakeholders of the software development process (i.e. researchers, security experts, programmers and Application Programming Interface (API) developers) have to play in order to ensure the security of software applications.