Dancing, not Wrestling: Moving from Compliance to Concordance for Secure Software Development

Secure software development has become an increasingly important focus for research in recent years, not least because of advances in technology such as artificial intelligence and machine learning (AI/ML) and robotics and autonomous systems (RAS). AI/ML and RAS facilitate automated decision-making and have the capability to have a significant impact on society. As such, this technology needs to be trustworthy, and secure software development is a key attribute of trustworthiness. Software developers frequently have responsibility and accountability for delivering secure code but limited authority over how this is achieved. Authority tends to lie with cyber security professionals, who mandate security processes, tools and training, often with limited success. In an effort to find ways to improve secure software development, we take inspiration from healthcare research that looks at the relationship between compliance, adherence and concordance. We use this research as a lens through which to analyse qualitative data from 35 interviews with professional software developers. We argue that compliance and adherence cause friction with the social practice of software development. We conclude that if software developers and cyber security professionals could move to a point of concordance, it could lead to the negotiation of more realistic cyber security solutions, as well as removing friction from the practice of software developers, and ultimately lead to the development of more secure and trustworthy systems.