12 research outputs found

    Developer Essentials: Top Five Interventions to Support Secure Software Development

    Cyber security is a big and increasing problem. Almost every week we hear of a new exploit or security breach that leads to major concerns about our digital infrastructure. Software systems are at the very heart of this digital infrastructure. Therefore, while there may be many commercial, social and practical factors that contribute, it is certain that the decisions of software development teams must have a significant impact on the vulnerability of those systems. In this research we explored ways in which outside actors – such as management, coaches, security teams, industry bodies, and government agencies – may positively influence the security of the software created by development teams, while keeping the development competitive and practically viable. This means that the costs of such 'interventions' need to be acceptable relative to the risks that they address. We interviewed 14 specialists in introducing software security to development teams. Based on a rigorous analysis of their responses, we were surprised to find that three of the most cost effective and scalable interventions are 'cultural interventions' – ones that work to influence the working of development teams, rather than the artefacts they produce: 1. Developing a 'threat model' and using that model to achieve commercially negotiated, risk based, agreement how threats are to be addressed; 2. A motivational workshop engaging the team with the genuine security problems as they affect their specific projects, while making it clear how they are to address those problems; and 3. Continuing 'nudges' to the developers to remind them of the importance of security. The other two low-cost and effective interventions relate to the code produced: 4. The use of source code analysis tools; and 5. The informed choice of components based on their security quality. 
We therefore suggest that providing guidelines, technical support and mentoring in each of these five interventions will have a significant effect on improving the security quality of code developed in future

    Challenging Software Developers: Dialectic as a Foundation for Security Assurance Techniques

    Development teams are increasingly expected to deliver secure code, but how can they best achieve this? Traditional security practice, which emphasises 'telling developers what to do' using checklists, processes and errors to avoid, has proved difficult to introduce. From analysis of industry interviews with a dozen experts in app development security, we find that secure development requires dialectic: a challenging dialog between the developers and a range of counterparties, continued throughout the development cycle. Analysing a further survey of sixteen industry developer security advocates, we identify the six assurance techniques that are most effective at achieving this dialectic in existing development teams, and conclude that the introduction of these techniques is best driven by the developers themselves. Concentrating on these six assurance techniques, and the dialectical interactions they involve, has the potential to increase the security of development activities and thus improve software security for everyone

    Light-touch Interventions to Improve Software Development Security

    Many software developers still have little interest in software security. To change this, we need ‘interventions’ to development teams to motivate and help them towards security improvement. An intervention costing less than two days’ effort from a facilitator plus half a day of team effort can significantly improve that team’s software security. This case study describes how this approach was used with one commercial team, and identifies its impact using Participative Action Research. With suitable improvements, the approach has the potential to help many other development teams

    Software search is not a science, even among scientists: A survey of how scientists and engineers find software

    Improved software discovery is a prerequisite for greater software reuse: after all, if someone cannot find software for a particular task, they cannot reuse it. Understanding people’s approaches and preferences when they look for software could help improve facilities for software discovery. We surveyed people working in several scientific and engineering fields to better understand their approaches and selection criteria. We found that even among highly-trained people, the rudimentary approaches of relying on general Web searches, the opinions of colleagues, and the literature were still the most commonly used. However, those who were involved in software development differed from nondevelopers in their use of social help sites, software project repositories, software catalogs, and organization-specific mailing lists or forums. For example, software developers in our sample were more likely to search in community sites such as Stack Overflow even when seeking ready-to-run software rather than source code, and likewise, asking colleagues was significantly more important when looking for ready-to-run software. Our survey also provides insight into the criteria that matter most to people when they are searching for ready-to-run software. Finally, our survey also identifies some factors that can prevent people from finding software

    Human Factors in Secure Software Development

    While security research has made significant progress in the development of theoretically secure methods, software and algorithms, software still comes with many possible exploits, many of those using the human factor. The human factor is often called "the weakest link" in software security. To solve this, human factors research in security and privacy focuses on the users of technology and considers their security needs. The research then asks how technology can serve users while minimizing risks and empowering them to retain control over their own data. However, these concepts have to be implemented by developers whose security errors may proliferate to all of their software's users. For example, software that stores data in an insecure way, does not secure network traffic correctly, or otherwise fails to adhere to secure programming best practices puts all of the software's users at risk. It is therefore critical that software developers implement security correctly. However, in addition to security rarely being a primary concern while producing software, developers may also not have extensive awareness, knowledge, training or experience in secure development. A lack of focus on usability in libraries, documentation, and tools that they have to use for security-critical components may exacerbate the problem by blowing up the investment of time and effort needed to "get security right". This dissertation's focus is how to support developers throughout the process of implementing software securely. This research aims to understand developers' use of resources, their mindsets as they develop, and how their background impacts code security outcomes. Qualitative, quantitative and mixed methods were employed online and in the laboratory, and large scale datasets were analyzed to conduct this research. 
This research found that the information sources developers use can contribute to code (in)security: copying and pasting code from online forums leads to achieving functional code quickly compared to using official documentation resources, but may introduce vulnerable code. We also compared the usability of cryptographic APIs, finding that poor usability, unsafe (possibly obsolete) defaults and unhelpful documentation also lead to insecure code. On the flip side, well-thought out documentation and abstraction levels can help improve an API's usability and may contribute to secure API usage. We found that developer experience can contribute to better security outcomes, and that studying students in lieu of professional developers can produce meaningful insights into developers' experiences with secure programming. We found that there is a multitude of online secure development advice, but that these advice sources are incomplete and may be insufficient for developers to retrieve help, which may cause them to choose un-vetted and potentially insecure resources. This dissertation supports that (a) secure development is subject to human factor challenges and (b) security can be improved by addressing these challenges and supporting developers. The work presented in this dissertation has been seminal in establishing human factors in secure development research within the security and privacy community and has advanced the dialogue about the rigorous use of empirical methods in security and privacy research. In these research projects, we repeatedly found that usability issues of security and privacy mechanisms, development practices, and operation routines are what leads to the majority of security and privacy failures that affect millions of end users

    How to Improve the Security Skills of Mobile App Developers: An Analysis of Expert Knowledge

    Much of the world relies heavily on apps. Increasingly those apps handle sensitive information: controlling our financial transactions, enabling our personal communication and holding intimate details of our lives. So the security of those apps is becoming increasingly vital. Yet research shows that those apps contain frequent security and privacy problems; and that almost all of these issues could have been avoided had the developers had sufficient motivation, support and knowledge. This lack of developer knowledge and support is widely perceived as a major threat. We therefore investigated the skills, approach and motivation required for developers. We conducted a Constructivist Grounded Theory study, involving face-to-face interviews with a dozen experts whose cumulative experience totalled over 100 years of secure app development, to develop theory on secure development techniques. The study identified that the subdiscipline of app development security is still at an early stage, and found surprising discrepancies between current industry understanding and the experts’ recommendations. In particular it found that a secure development process tends not to appeal to app developers; and that the approach of identifying common types of security problems is too limited to give an effective security solution. Instead we identified a set of successful techniques we call ‘Dialectical Security’, where ‘dialectic’ means learning by questioning. These techniques use dialogue with a range of counterparties to achieve app security in an effective and economical way. The security increase comes from continued dialog, not passive learning. The novel contribution of our work is to provide: A grounded theory of secure app development that challenges conventional processes and checklists, and A shift in perspective from process to dialectic. 
Only by working to develop the Dialectical Security skills of app developers shall we begin to see the kinds of secure apps we need to combat crime and privacy invasions