1,077 research outputs found

    Human Factors in Secure Software Development

    While security research has made significant progress in the development of theoretically secure methods, software and algorithms, software still comes with many possible exploits, many of those using the human factor. The human factor is often called "the weakest link" in software security. To solve this, human factors research in security and privacy focuses on the users of technology and considers their security needs. The research then asks how technology can serve users while minimizing risks and empowering them to retain control over their own data. However, these concepts have to be implemented by developers whose security errors may proliferate to all of their software's users. For example, software that stores data in an insecure way, does not secure network traffic correctly, or otherwise fails to adhere to secure programming best practices puts all of the software's users at risk. It is therefore critical that software developers implement security correctly. However, in addition to security rarely being a primary concern while producing software, developers may also not have extensive awareness, knowledge, training or experience in secure development. A lack of focus on usability in libraries, documentation, and tools that they have to use for security-critical components may exacerbate the problem by blowing up the investment of time and effort needed to "get security right". This dissertation's focus is how to support developers throughout the process of implementing software securely. This research aims to understand developers' use of resources, their mindsets as they develop, and how their background impacts code security outcomes. Qualitative, quantitative and mixed methods were employed online and in the laboratory, and large scale datasets were analyzed to conduct this research.
This research found that the information sources developers use can contribute to code (in)security: copying and pasting code from online forums leads to achieving functional code quickly compared to using official documentation resources, but may introduce vulnerable code. We also compared the usability of cryptographic APIs, finding that poor usability, unsafe (possibly obsolete) defaults and unhelpful documentation also lead to insecure code. On the flip side, well-thought out documentation and abstraction levels can help improve an API's usability and may contribute to secure API usage. We found that developer experience can contribute to better security outcomes, and that studying students in lieu of professional developers can produce meaningful insights into developers' experiences with secure programming. We found that there is a multitude of online secure development advice, but that these advice sources are incomplete and may be insufficient for developers to retrieve help, which may cause them to choose un-vetted and potentially insecure resources. This dissertation supports that (a) secure development is subject to human factor challenges and (b) security can be improved by addressing these challenges and supporting developers. The work presented in this dissertation has been seminal in establishing human factors in secure development research within the security and privacy community and has advanced the dialogue about the rigorous use of empirical methods in security and privacy research. In these research projects, we repeatedly found that usability issues of security and privacy mechanisms, development practices, and operation routines are what leads to the majority of security and privacy failures that affect millions of end users

    From Conventional to State-of-the-Art IoT Access Control Models

    The advent of Online Social Networks (OSN) and Internet of Things (IoT) has created a new world of collaboration and communication between people and devices. The domain of internet of things uses billions of devices (ranging from tiny sensors to macro scale devices) that continuously produce and exchange huge amounts of data with people and applications. Similarly, more than a billion people are connected through social networking sites to collaborate and share their knowledge. The applications of IoT such as smart health, smart city, social networking, video surveillance and vehicular communication are quickly evolving people’s daily lives. These applications provide accurate, information-rich and personalized services to the users. However, providing personalized information comes at the cost of accessing private information of users such as their location, social relationship details, health information and daily activities. When the information is accessible online, there is always a chance that it can be used maliciously by unauthorized entities. Therefore, an effective access control mechanism must be employed to ensure the security and privacy of entities using OSN and IoT services. Access control refers to a process which can restrict user’s access to data and resources. It enforces access rules to grant authorized users an access to resources and prevent others. This survey examines the increasing literature on access control for traditional models in general, and for OSN and IoT in specific. Challenges and problems related to access control mechanisms are explored to facilitate the adoption of access control solutions in OSN and IoT scenarios. The survey provides a review of the requirements for access control enforcement, discusses several security issues in access control, and elaborates underlying principles and limitations of famous access control models.
We evaluate the feasibility of current access control models for OSN and IoT and provide the future development direction of access control for the sam

    Does EU regulation hinder or stimulate innovation? CEPS Special Report No. 96, 19 November 2014

    Introduction. One frequently hears the question posed in the title to this report, but there is little systematic analytical literature on the issue. Fragmented evidence or anecdotes dominate debates among EU regulatory decision-makers and in European business, insofar as there is a genuine debate at all. This CEPS Special Report focuses on the multi-faceted, ambiguous and complex relationship between (EU) regulation and innovation in the economy, and discusses the innovation-enhancing potential of certain regulatory approaches as well as factors that tend to reduce incentives to innovate. It adopts an 'ecosystem' approach to both regulation and innovation, and studies the interactions between the two ecosystems. This general analysis and survey are complemented by seven case studies of EU regulation enabling and disabling innovation, two horizontal and five sectoral ones. The case studies are preceded by a broader contextual analysis of trends in EU regulation over the last three decades. These trends show the significant transformation of the nature as well as improvement of the quality of EU regulation, largely in the deepened internal market, which tend to have a favourable and lasting effect on the rate of innovation in the EU (other things being equal). The findings include the following: Regulation can at times be a powerful stimulus to innovation. EU regulation matters at all stages of the innovation process. Different types of regulation can be identified in terms of innovation impact: general or horizontal, innovation-specific and sector-specific regulation. More prescriptive regulation tends to hamper innovative activity, whereas the more flexible EU regulation is, the better innovation can be stimulated. Lower compliance and red-tape burdens have a positive effect on innovation. The authors recommend incorporating a specific test on innovation impacts in the ex-ante impact assessment of EU legislation as well as in ex-post evaluation.
There is ample potential for fostering innovation by reviewing the EU regulatory acquis

    Test, Trace, and Isolate: Covid-19 and the Canadian Constitution

    Contact tracing is essential to controlling the spread of infectious disease and plays a central role in plans to safely loosen Covid-19 physical distancing measures and begin to reopen the economy. Contact tracing apps, used in conjunction with established human contact tracing methods, could serve as part of Canada’s “test, trace, and isolate” strategy. In this brief, we consider the potential benefits of using contact tracing apps to identify people who have been exposed to Covid-19, as well as the limitations of using this technology. We also consider the privacy implications of different app design choices. Finally, we consider how the privacy impacts of contact tracing apps could be evaluated under the Canadian Charter of Rights and Freedoms, which provides a framework for balancing competing rights and interests. We argue that so long as apps are carefully constructed and the information they reveal is appropriately safeguarded, tracing apps may have a role to play in the response of a free and democratic society to the Covid-19 pandemic. 1. Improving the Efficiency of Human Contact Tracing: The public health goal of a contact tracing app should be to integrate with human contact tracing and make it more efficient rather than replace it. We need to keep humans in the loop to ensure accuracy and to maintain the important social functions of contact tracing, which includes educating people about risks and helping them access social supports. 2. Privacy Choices: Currently, the most privacy-protective design for contact tracing apps makes use of proximity data (via Bluetooth) through a decentralized design. This method is receiving significant technical support from Apple and Google. However, this method fails to integrate with the human contact tracing system.
Other options, such as the use of location logs or a centralized registration system, are more aligned with the public health goal of integration with human contact tracing but raise additional privacy questions. In addition to the constitutional questions raised by these privacy choices, there are two important considerations. First, social trust is important. If individuals do not feel comfortable with using a particular contact tracing app there will not be the large-scale uptake needed to make these an effective addition to human contact tracing. Second, due to various technical challenges, it is difficult to make effective contact tracing apps utilizing proximity data unless one uses the method supported by Apple and Google. However, Google and Apple prohibit app developers both from utilizing centralized methods and from utilizing location data. 3. Constitutional Balancing: Our privacy commissioners have discussed the need to assess these privacy choices according to the principles of necessity and proportionality. The Canadian Charter provides an important framework for thinking about these principles as it provides us with a framework for how to balance rights and interests in a free and democratic society. The Charter requires that we choose the most privacy-protective app design that meets the public health goal, so long as the benefits of meeting this goal outweigh its deleterious effects on privacy. This requires a reasonable belief in the efficacy of such an app. It also requires an assessment of the nature of the benefits, which are not just the economic benefits of reopening the economy. The currently prevailing restrictions on movement and work are themselves limitations of basic rights and liberties. Individuals who self-isolate in situations of poverty, precarious housing, mental health challenges, abusive relationships, or other vulnerabilities face challenges that affect their security of the person. 
There are also broader effects on equality and human flourishing. If contact tracing, enhanced by an app, reduces the need for restrictions in the form of self-isolation, it promotes other Charter rights and values (e.g., security of the person) which must be balanced against the potential infringement of privacy rights

    Connected Women: How Mobile Can Support Women's Economic and Social Empowerment

    This report explores how mobile services provided by Vodafone and the Vodafone Foundation are enabling women to seize new opportunities and improve their lives. Accenture Sustainability Services were commissioned to conduct research on the services and to assess their potential social and economic impact if they were widely available across Vodafone's markets by 2020. It showcases the projects and the work of those involved and also poses the question -- what would the benefit to women and to society at large be if projects such as these were taken to scale and achieved an industrial scale of growth? This reflects the Foundation's commitment not solely to the development of pilots but rather the Trustees' ambition to see projects which lead to transformational change. In order to understand this more deeply, the Report looks at the benefits for women and society and provides some financial modelling for how the engagement of commercial players could achieve industrial, sustainable growth in these areas. Accenture has provided the modelling and, given the public benefit and understanding which the report seeks to generate, these are shared openly for all in the mobile industry to understand and share. It is the Trustees' hope that the collaboration with Oxford University and Accenture in the delivery of this Report will stimulate not only the expansion of existing charitable programmes but will also seed other philanthropic, social enterprise or commercial initiatives

    New falsified medicinal products’ distribution prevention regulation: legal issues and good distribution practice for pharmaceutical companies

    The aim of this paper is to analyse the impact of new falsified medicinal products’ distribution prevention regulation on distributors and patients’ rights in Latvia. Starting from the late 2000s the validity of the medicinal products became one of the most important issues to be considered, as the level of falsified medicinal products sales significantly increased. In order to solve this issue, the Directive 2011/62/EC (3) on falsified medicinal products for human use was introduced and now serves as a basis for the distribution of medicinal products, which only allows licensed pharmacies and approved retailers, including approved Internet service providers, to be included into the movement of the product. This directive introduced safety signs aimed at preventing the entry of falsified medicinal products into the supply chain of legal medicinal products (from the manufacturer to distributors, pharmacies and hospitals) and, consequently, to the patients. It is important that patients can recognize reliable sources and be aware of the risk of illegal sales

    Web-based bim project execution plan management system (WeB-MaS) for public works department Malaysia

    The effective uses of Building Information Modelling (BIM) Project Execution Plan (BPEP) are one of the success factors for a successful BIM implementation. However, a preliminary study with JKR indicated current BPEP preparation and management is inefficient and time-consuming due to the manual data entry. Furthermore, data inconsistency occurs due to the inability for real-time BPEP collaboration and updates as well as lack of BPEP document management. Hence, this research aims to develop a web-based BPEP Management System (WeB-MaS) for the case study research; JKR by improving the efficiency of BPEP preparation and management. The research’s first objective which is to examine the user requirements of JKR for the development of WeB-MaS was conducted through a semi-structured interview with JKR BIM Unit. Consequently, to develop WeB-MaS as the second objective, Agile Scrum methodology was adopted. The last objective, which is to evaluate the user acceptance, usability, and advantage of WeB-MaS was fulfilled by conducting a questionnaire evaluation with JKR BIM Unit. WeB-MaS was designed according to JKR BPEP template with real-time element, ability to be in sync with mobile application, and accompanied with verification and review features. WeB-MaS received optimistic reviews by the JKR BIM unit and the system will be handed over to JKR. In regard to the concern on WeB-MaS security, future improvements will be made by migrating the WeB-MaS to JKR internal server. In conclusion, WeB-MaS ensures the quality of BIM information through BIM collaboration to improve productivity and efficacy of the BPEP preparation and management process

    Influence of real-time information provided by a mobile phone on the management of rural water supply quality

    In South Africa, access to safe drinking water is a human right that is explicitly stated in the constitution. Most metro municipalities are meeting the drinking water quality targets, but the smaller rural environments are failing to provide water of acceptable drinking water quality. Reasons contributing to the high incidence of unacceptable water quality are the rural municipalities' inadequate institutional capacity and lack of management and monitoring of drinking water services. This study investigates the possibilities of supporting rural water service institutions to manage their remote water supply schemes better by addressing the challenge of distance monitoring. Through the creation of real-time information flow between the water service authorities and the water supply caretakers in remote villages, it is to be tested if better information can be received and the status of the rural water supply quality can be monitored. The improvement of information flow is based on introducing a mobile phone application. The hypothesis is that through improving the information flow, decisions on water supply management will be improved. Case study research was conducted in rural municipalities situated in the Northern Cape Province and Eastern Cape Province of South Africa. Four different municipalities were chosen to reveal the diverse municipal set-up and different challenges facing rural municipalities. Data was gathered through interviews conducted with the municipal managers over a seven-month period, as well as through field investigations. The findings reveal that the mobile reporting system has improved information flow from water supply caretakers to government service providers. The mobile application allowed for distance monitoring of rural water supply schemes. It has helped address the municipalities' institutional capacity problems by improving access to information relevant to decision making.
Through the data records displayed on the mobile application, municipal managers were able to track the supply caretakers' performance and subsequently hold them accountable. Through an increase in data availability, water quality failures were easily identified, resulting in improved confidence in the quality of rural water supply. The access to real-time information has improved the monitoring and communication of rural water quality. Early intervention and the management of non-compliance improved. The mobile technology provided the municipal managers with a tool to monitor their rural water supply schemes more regularly, but it also became apparent that the management of such schemes only improved if relevant action was taken based on the information received. Greater improvement was seen in municipalities where the tool was used consistently, where time was set aside to follow up on data warnings and protocols existed to follow up on non-compliance issues. Management of the resources did not improve in areas where management staff was severely overstretched and response strategies to problems were non-existent before the implementation of the tool