Penetration Tests a Turning Point in Security Practices? Organizational Challenges and Implications in a Software Development Team

Sven Türpe, Laura Kocksch, and Andreas Poller, Fraunhofer SIT

Many software vendors conduct or commission penetration testing of their products. In a penetration test security experts identify entry points for attacks in a software product. The audits can be an eye-opener for development teams: they realize that security requires much more attention. However, it is unclear what lasting bene fits developers can reap from penetration tests. We report from a one-year study of a penetration test and its aftermath at a major software vendor, and ask how an agile development team managed to incorporate the test findings. Results suggest that penetration tests improve developers' security awareness, but long-lasting change of development practices is hampered if security is not properly reflected in the communicative and collaborative structures of the organization, e.g. by a dedicated stakeholder. Based on our findings we suggest improvements to current penetration test consultancies by addressing communication and organizational factors in software development.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {197850,
author = {Sven Türpe and Laura Kocksch and Andreas Poller},
title = {Penetration Tests a Turning Point in Security Practices? Organizational Challenges and Implications in a Software Development {Team}},
booktitle = {Twelfth Symposium on Usable Privacy and Security (SOUPS 2016)},
year = {2016},
address = {Denver, CO},
url = {https://www.usenix.org/conference/soups2016/workshop-program/wsiw16/presentation/turpe},
publisher = {USENIX Association},
month = jun
}
Download
Türpe PDF