OWASP ASVS and Developer Experience: A Case Study of Application Security and Usability
2025 (English). Independent thesis, advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]
A lasting challenge in software development projects is ensuring security. As we increasingly rely on digital solutions, the risk of security vulnerabilities increases. To address this, OWASP developed the Application Security Verification Standard (ASVS), a checklist for developers to create secure applications. However, security tools are only effective when developers understand and can use them correctly. This study investigates how developers can improve their security awareness through interaction with OWASP ASVS. It aims to measure the developer experience (DevEx) of working with OWASP ASVS and identify improvements needed to enhance developers’ security awareness. The chosen method involved interviews with developers to understand their current approaches to security and their awareness levels. Specific sections of the standard were selected for developers to interact with, using the think-aloud method to capture their reflections. Participants were then asked follow-up questions about their experiences. The results revealed significant variations in security maturity across companies. While developers expressed a willingness to learn more about security, OWASP ASVS primarily highlighted areas requiring attention rather than providing actionable guidance. The standard alone was insufficient for adapting its requirements to developers’ ongoing projects. In conclusion, company culture plays a crucial role in shaping developer experience in security. Security needs to be prioritised, and internal education is often lacking. Future work could explore the long-term effects of security education, with OWASP ASVS serving as a foundation.
Place, publisher, year, edition, pages
2025. 38 pages.
Series
UMNAD ; 1521
Keywords [en]
Developer Experience, OWASP ASVS
National Category
Computer and Information Sciences
Identifiers
URN: urn:nbn:se:umu:diva-234235
OAI: oai:DiVA.org:umu-234235
DiVA, id: diva2:1928732
External cooperation
XLENT Business Integration AB
Subject / course
Degree Project, Interaction Design
Educational program
Master of Science Programme in Interaction Technology and Design - Engineering
Available from: 2025-01-20. Created: 2025-01-17. Last updated: 2025-01-20. Bibliographically approved.