Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Penetration tests a turning point in security practices? Organizational challenges and implications in a software development team

: Türpe, Sven; Kocksch, Laura; Poller, Andreas

Fulltext urn:nbn:de:0011-n-4390569 (189 KByte PDF)
MD5 Fingerprint: 43601dea9e5212075e76a190688aa93a
Created on: 5.4.2017

USENIX Association:
SOUPS 2016, Twelfth Symposium on Usable Privacy and Security. Proceedings. Online resource : June 22-24, 2016, Denver, CO, USA
Berkeley, CA, USA: USENIX, 2016
ISBN: 978-1-931971-31-7
4 pp.
Symposium on Usable Privacy and Security (SOUPS) <12, 2016, Denver/Colo.>
Bundesministerium für Bildung und Forschung BMBF
Conference Paper, Electronic Publication
Fraunhofer SIT ()
development practices; secure software engineering; penetration testing; organizational factors; structure-agency-duality; qualitative study

Many software vendors conduct or commission penetration testing of their products. In a penetration test security experts identify entry points for attacks in a software product. The audits can be an eye-opener for development teams: they realize that security requires much more attention. However, it is unclear what lasting benefits developers can reap from penetration tests. We report from a one-year study of a penetration test and its aftermath at a major software vendor, and ask how an agile development team managed to incorporate the test findings. Results suggest that penetration tests improve developers' security awareness, but long-lasting change of development practices is hampered if security is not properly reflected in the communicative and collaborative structures of the organization, e.g. by a dedicated stakeholder. Based on our findings we suggest improvements to current penetration test consultancies by addressing communication and organizational factors in software development.