Co-Creation in Secure Software Development: Applied Ethnography and the Interface of Software and Development

Long-term ethnographic research conducted at a software company examined how security concerns and practices became part of software development. Participant observation over a two-year period was done by researchers with cybersecurity backgrounds and training in both computer science and qualitative research, with ongoing analysis done by a larger interdisciplinary team. In situ researchers joined as software engineers and participated in daily work activities while observing development practices and analyzing software (in)security. The first year of research found that improving security during software development can be helped by a co-creation model, whereby security experts work directly with software developers to provide security tools applicable to the specific software within the workflow. Researchers-as-developers fostered conversations, concerns, and considerations of how to implement security within the process of development. The second year used a situated learning approach to understand the interface between software development, security, and the development team. Through an interactive learning process, software engineers gathered knowledge and applied it, helping to foster greater concerns for security as part of the overall "culture" of development within the company. This locally situated co-creation approach has resonances with participatory approaches in business anthropology and implications for how to promote the co-creation of knowledge and expertise more broadly.