Ranking Secure Coding Guidelines for Software Developer Awareness Training in the Industry

Authors Tiago Gasiba , Ulrike Lechner , Jorge Cuellar , Alae Zouitni

Thumbnail PDF


  • Filesize: 0.51 MB
  • 11 pages

Document Identifiers

Author Details

Tiago Gasiba
  • Siemens AG, München, Germany
  • Universität der Bundeswehr München, Germany
Ulrike Lechner
  • Universität der Bundeswehr München, Germany
Jorge Cuellar
  • Siemens AG, München, Germany
  • Universität Passau, Germany
Alae Zouitni
  • Universität Passau, Germany


We would like to thank the anonymous reviewers for the valuable comments and careful reviews. We would also like to thank all survey participants as well as our colleagues Holger Dreger and Thomas Diefenbach for many fruitful discussions.

Cite AsGet BibTex

Tiago Gasiba, Ulrike Lechner, Jorge Cuellar, and Alae Zouitni. Ranking Secure Coding Guidelines for Software Developer Awareness Training in the Industry. In First International Computer Programming Education Conference (ICPEC 2020). Open Access Series in Informatics (OASIcs), Volume 81, pp. 11:1-11:11, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2020)


Secure coding guidelines are essential material used to train and raise awareness of software developers on the topic of secure software development. In industrial environments, since developer time is costly, and training and education is part of non-productive hours, it is important to address and stress the most important topics first. In this work, we devise a method, based on publicly available real-world vulnerability databases and secure coding guideline databases, to rank important secure coding guidelines based on defined industry-relevant metrics. The goal is to define priorities for a teaching curriculum on raising cybersecurity awareness of software developers on secure coding guidelines. Furthermore, we do a small comparison study by asking computer science students from university on how they rank the importance of secure coding guidelines and compare the outcome to our results.

Subject Classification

ACM Subject Classification
  • Security and privacy → Software security engineering
  • Security and privacy → Web application security
  • Applied computing → Interactive learning environments
  • Applied computing → E-learning
  • education
  • teaching
  • training
  • secure coding
  • industry
  • cybersecurity
  • capture-the-flag
  • game analysis
  • game design
  • cybersecurity challenge


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Luca Allodi, Sebastian Banescu, Henning Femmer, and Kristian Beckers. Identifying relevant information cues for vulnerability assessment using cvss. In Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, CODASPY '18, pages 119-126, New York, NY, USA, 2018. ACM. URL: https://doi.org/10.1145/3176258.3176340.
  2. Motor Industry Software Reliability Association. Guidelines for the use of the c language in critical systems. Standard, Motor Industry Software Reliability Association, Nuneaton, Warwickshire, UK, March 2012. Google Scholar
  3. Motor Industry Software Reliability Association. Additional security guidelines for misra c:2012. Standard, Motor Industry Software Reliability Association, Nuneaton, Warwickshire, UK, March 2016. Google Scholar
  4. Roberto Bagnara, Abramo Bagnara, and Patricia Hill. The MISRA C coding standard and its role in the development and analysis of safety- and security-critical embedded software. CoRR, abs/1809.00821, 2018. URL: http://arxiv.org/abs/1809.00821.
  5. International Electrotechnical Commission. Industrial communication networks - network and system security - part 2-1: Establishing an industrial automation and control system security program. Standard, International Electrotechnical Commission, October 2010. Google Scholar
  6. International Electrotechnical Commission. Security for industrial automation and control systems - part 4-1: Secure product development lifecycle requirements. Standard, International Electrotechnical Commission, January 2018. Google Scholar
  7. Felix Fischer, Konstantin Böttinger, Huang Xiao, Christian Stransky, Yasemin Acar, Michael Backes, and Sascha Fahl. Stack overflow considered harmful? the impact of copy&paste on android application security. In IEEE Symposium on Security and Privacy, pages 121-136, San Jose, CA, USA, 2017. IEEE Computer Society. URL: https://doi.org/10.1109/SP.2017.31.
  8. Software Assurance Forum for Excellence in Code. Safecode - fundamental practices for secure software development - essential elements of a secure development life-cycle program, 3rd ed. Standard, NIST, March 2018. Google Scholar
  9. Pascal Gadient, Mohammad Ghafari, Patrick Frischknecht, and Oscar Nierstrasz. Security code smells in android ICC. CoRR, abs/1811.12713:3046–3076, 2018. URL: http://arxiv.org/abs/1811.12713.
  10. Tiago Gasiba, Kristian Beckers, Santiago Suppan, and Filip Rezabek. On the requirements for serious games geared towards software developers in the industry. In Daniela E. Damian, Anna Perini, and Seok-Won Lee, editors, 27th IEEE International Requirements Engineering Conference, RE 2019, Jeju Island, Korea (South), September 23-27, 2019. IEEE, 2019. URL: https://ieeexplore.ieee.org/xpl/conhome/8910334/proceeding.
  11. John Goodall, Hassan Radwan, and Lenny Halseth. Visual analysis of code security. In Proceedings of the Seventh International Symposium on Visualization for Cyber Security, VizSec '10, pages 46-51, New York, NY, USA, 2010. ACM. URL: https://doi.org/10.1145/1850795.1850800.
  12. Katerina Goseva-Popstojanova and Andrei Perhinschi. On the capability of static code analysis to detect security vulnerabilities. Inf. Softw. Technol., 68(C):18-33, December 2015. URL: https://doi.org/10.1016/j.infsof.2015.08.002.
  13. Norman Hansch and Zinaida Benenson. Specifying it security awareness. In 25th International Workshop on Database and Expert Systems Applications, Munich, Germany, pages 326-330, September 2014. URL: https://doi.org/10.1109/DEXA.2014.71.
  14. Hannes Holm and Khalid Afridi. An expert-based investigation of the common vulnerability scoring system. Computers & Security, 53, May 2015. URL: https://doi.org/10.1016/j.cose.2015.04.012.
  15. Siv Houmb, Virginia Franqueira, and Erlend Engum. Quantifying security risk level from cvss estimates of frequency and impact. Journal of Systems and Software, 83:1622-1634, September 2010. URL: https://doi.org/10.1016/j.jss.2009.08.023.
  16. Hongyi Hu, Bryan Eastes, and Michelle Mazurek. Toward a field study on the impact of hacking competitions on secure development. In The 4th Workshop on Security Information Workers Baltimore Marriott Waterfront, Baltimore, MD, USA, August 2018. Google Scholar
  17. Russell Jones and Abhinav Rastogi. Secure coding: Building security into the software development life cycle. Information Systems Security, 13(5):29-39, 2004. Google Scholar
  18. Ankur Joshi, Saket Kale, Satish Chandel, and Dinesh Pal. Likert scale: Explored and explained. British Journal of Applied Science & Technology, 7:396-403, January 2015. URL: https://doi.org/10.9734/BJAST/2015/14975.
  19. Maurice Kendall. A New Measure of Rank Correlation. Biometrika, 30(1-2):81-93, June 1938. URL: https://doi.org/10.1093/biomet/30.1-2.81.
  20. Ryo Kurachi, Hiroaki Takada, Masato Tanabe, Jun Anzai, Kentaro Takei, Takaaki Iinuma, Manabu Maeda, and Hideki Matsushima. Improving secure coding rules for automotive software by using a vulnerability database. In IEEE International Conference on Vehicular Electronics and Safety (ICVES), pages 1-8, September 2018. URL: https://doi.org/10.1109/ICVES.2018.8519496.
  21. Na Meng, Stefan Nagy, Danfeng Daphne Yao, Wenjie Zhuang, and Gustavo Arango. Secure coding practices in java: challenges and vulnerabilities. In IEEE/ACM 40th International Conference on Software Engineering (ICSE), pages 372-383, May 2018. URL: https://doi.org/10.1145/3180155.3180201.
  22. MITRE-Corporation. Common weaknesses enumeration, 2019. URL: https://cwe.mitre.org/.
  23. MITRE-Corporation. CVE details, 2019. URL: https://www.cvedetails.com/.
  24. Alena Naiakshina, Anastasia Danilova, Christian Tiefenau, and Matthew Smith. Deception task design in developer password studies: Exploring a student sample. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018), pages 297-313, Baltimore, MD, 2018. USENIX Association. URL: https://www.usenix.org/conference/soups2018/presentation/naiakshina.
  25. National Institute of Standards and Technology. Nist special publication 800-37, guide for applying the risk management framework to federal information systems a security life cycle approach. Standard, NIST, February 2010. Google Scholar
  26. International Standards Organization. ISO/IEC 27002:2013 - Information technology - Security techniques - Code of practice for information security controls. Standard, International Standards Organization, October 2013. Google Scholar
  27. Blerim Rexha, Arbnor Halili, Korab Rrmoku, and Dren Imeraj. Impact of secure programming on web application vulnerabilities. In 2015 IEEE International Conference on Computer Graphics, Vision and Information Security (CGVIS), pages 61-66, November 2015. URL: https://doi.org/10.1109/CGVIS.2015.7449894.
  28. IEEE Spectrum. The Top Programming Languages 2018. https://spectrum.ieee.org/static/interactive-the-top-programming-languages-2018, 2019. [Online; accessed 27-October-2019]. URL: https://spectrum.ieee.org/static/interactive-the-top-programming-languages-2018.
  29. PCI SSC. Payment Card Industry - Payment Application Data Security Standard - Requiremenst and Security Assessment Procedures, v3.1. Standard, PCI SSC, May 2015. Google Scholar
  30. Madiha Tabassum, Stacey Watson, Bill Chu, and Heather Richter Lipford. Evaluating two methods for integrating secure programming education. In Proceedings of the 49th ACM Technical Symposium on Computer Science Education, SIGCSE 2018, Baltimore, MD, USA, February 21-24, 2018, pages 390-395, 2018. URL: https://doi.org/10.1145/3159450.3159511.
  31. Carnegie Mellon University. Secure Coding Standards. https://wiki.sei.cmu.edu/confluence/display/seccode, 2019. [Online; accessed 19-March-2019]. URL: https://wiki.sei.cmu.edu/confluence/display/seccode.
  32. Michael Whitney, Heather Richter Lipford, Bill Chu, and Tyler Thomas. Embedding secure coding instruction into the ide: Complementing early and intermediate cs courses with eside. Journal of Educational Computing Research, 56:073563311770881, May 2017. URL: https://doi.org/10.1177/0735633117708816.
  33. Xin-Li Yang, David Lo, Xin Xia, Zhi-Yuan Wan, and Jian-Ling Sun. What security questions do developers ask? a large-scale study of stack overflow posts. Journal of Computer Science and Technology, 31(5):910-924, September 2016. URL: https://doi.org/10.1007/s11390-016-1672-0.
  34. Tianyi Zhang, Ganesha Upadhyaya, Anastasia Reinhardt, Hridesh Rajan, and Miryung Kim. Are code examples on an online q&a forum reliable?: A study of api misuse on stack overflow. In Proceedings of the 40th International Conference on Software Engineering, ICSE '18, pages 886-896, New York, NY, USA, 2018. ACM. URL: https://doi.org/10.1145/3180155.3180260.