Light-Touch Interventions to Improve Software Development Security

Many software developers still have little interest in software security. To change this, we need 'interventions' to development teams to motivate and help them towards security improvement. An intervention costing less than two days' effort from a facilitator plus half a day of team effort can significantly improve that team's software security. This case study describes how this approach was used with one commercial team, and identifies its impact using Participative Action Research. With suitable improvements, the approach has the potential to help many other development teams

Light-touch Interventions to Improve Software Development Security

Many software developers still have little interest in software security. To change this, we need ‘interventions’ to development teams to motivate and help them towards security improvement. An intervention costing less than two days’ effort from a facilitator plus half a day of team effort can significantly improve that team’s software security. This case study describes how this approach was used with one commercial team, and identifies its impact using Participative Action Research. With suitable improvements, the approach has the potential to help many other development teams

Challenging Software Developers:Dialectic as a Foundation for Security Assurance Techniques

Development teams are increasingly expected to deliver secure code, but how can they best achieve this? Traditional security practice, which emphasises 'telling developers what to do' using checklists, processes and errors to avoid, has proved difficult to introduce. From analysis of industry interviews with a dozen experts in app development security, we find that secure development requires dialectic: a challenging dialog between the developers and a range of counterparties, continued throughout the development cycle. Analysing a further survey of sixteen industry developer security advocates, we identify the six assurance techniques that are most effective at achieving this dialectic in existing development teams, and conclude that the introduction of these techniques is best driven by the developers themselves. Concentrating on these six assurance techniques, and the dialectical interactions they involve, has the potential to increase the security of development activities and thus improve software security for everyone

HIPSTER Project - State of the Art:Technical Report

Health IoT (HIoT) software offers thorny and complex security, privacy and safeguarding (SPS) problems and requirements, with huge potential impact. The HIPSTER project aims to help development teams in the Small-to-Medium Enterprise community, incorporating background information from cyber threat and risk intelligence to create a cost-effective intervention to support decision making around such threats and requirements. This report outlines the approach we plan to use and explores the academic ‘state of the art’ literature around the project. It concludes that the areas of novelty for the project are in finding ways to make risk data meaningful and palatable for software development teams; and in finding objective sources of such security and privacy information for this domain. To support readers in using the literature referenced, all citations and bibliography entries in this document have hyperlinks to the corresponding sources

Interventions for Long Term Software Security:Creating a Lightweight Program of Assurance Techniques for Developers

Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team’s motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. We tested the interventions in a Participatory Action Research field study where we delivered the workshops to three soft- ware development organizations, and evaluated their effectiveness through interviews be- forehand, immediately afterwards, and after twelve months. We found that the interventions can be effective with teams with limited or no security experience, and that improvement is long lasting. This approach and the learning points arising from the work here have the potential to be applied in many development teams, improving the security of software worldwide

RISCS Annual Report 2018

The Research Institute in Science of Cyber Security (RISCS) takes an evidence-based and interdisciplinary approach to addressing cyber security challenges. By providing a platform for the exchange of ideas, problems and research solutions between academia, industry, and both the UK and international policy communities, RISCS promotes and supports the development of scientific approaches to cyber security. Central to the RISCS agenda is the application of bodies of knowledge to stimulate a transition from ‘common practice’ to ‘evidence-based best practice’ in cyber security. Recognising that cyber security is a contested concept, RISCS operates within a national and international cyber security framework to establish a coherent set of research principles. These principles focus on the deployment of scientific methods and the gathering of evidence to produce sound interventions and responses to cyber security challenges. We actively seek to maximise collaboration amongst our diverse community through a culture of open publication, sharing and expanding our network. Through this collaboration, RISCS develops techniques that enable communities to anticipate emergent cyber security issues from public policy, social practice and technological perspectives. Our end goal is to deliver a world-class portfolio of activity and research findings that maximises the value of social, political and economic research into cyber security and which results in a set of scientifically based options that individuals, institutions and nation states can use to respond to imminent and long term cyber security challenges

Using Workshops to Improve Security in Software Development Teams

Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. Yet many, perhaps most, security problems can be prevented with careful design, construction and configuration of the software and systems involved, so software developers have a major contribution to make. This research investigated how to help teams of software developers achieve better security. An initial qualitative survey of 15 secure software development professionals highlighted a range of security assurance and motivation techniques suitable for teams of developers, and emphasised the human interaction aspects. A further quantitative survey of 330 successful Android developers then identified a baseline of current security practices in software development. Based on these surveys, the author created an intervention package to help software developers. Action Research techniques were used to trial and improve it in two one-year cycles with a total of 19 development teams in 11 different organisations. The later development of the package concentrated on empowering the developers involved, and reducing the involvement required from the researchers. By proving that a set of structured workshops can have an impact on the security performance of a team for a reasonable cost and without the support of security professionals, this research offers a powerful means to enhance development security in the UK, creating more secure software and systems for all users