Human Factors in Secure Software Development
While security research has made significant progress in the development of theoretically secure methods, software and algorithms, software still comes with many possible exploits, many of those using the human factor. The human factor is often called "the weakest link" in software security. To solve this, human factors research in security and privacy focuses on the users of technology and considers their security needs. The research then asks how technology can serve users while minimizing risks and empowering them to retain control over their own data.
However, these concepts have to be implemented by developers whose security errors may proliferate to all of their software's users. For example, software that stores data in an insecure way, does not secure network traffic correctly, or otherwise fails to adhere to secure programming best practices puts all of the software's users at risk. It is therefore critical that software developers implement security correctly. However, in addition to security rarely being a primary concern while producing software, developers may also not have extensive awareness, knowledge, training or experience in secure development. A lack of focus on usability in libraries, documentation, and tools that they have to use for security-critical components may exacerbate the problem by blowing up the investment of time and effort needed to "get security right".
This dissertation's focus is how to support developers throughout the process of implementing software securely.
This research aims to understand developers' use of resources, their mindsets as they develop, and how their background impacts code security outcomes. Qualitative, quantitative and mixed methods were employed online and in the laboratory, and large scale datasets were analyzed to conduct this research.
This research found that the information sources developers use can contribute to code (in)security: copying and pasting code from online forums leads to achieving functional code quickly compared to using official documentation resources, but may introduce vulnerable code.
We also compared the usability of cryptographic APIs, finding that poor usability, unsafe (possibly obsolete) defaults and unhelpful documentation also lead to insecure code.
On the flip side, well-thought-out documentation and abstraction levels can help improve an API's usability and may contribute to secure API usage.
We found that developer experience can contribute to better security outcomes, and that studying students in lieu of professional developers can produce meaningful insights into developers' experiences with secure programming.
We found that there is a multitude of online secure development advice, but that these advice sources are incomplete and may be insufficient for developers to retrieve help, which may cause them to choose un-vetted and potentially insecure resources.
This dissertation supports that (a) secure development is subject to human factor challenges and (b) security can be improved by addressing these challenges and supporting developers. The work presented in this dissertation has been seminal in establishing human factors in secure development research within the security and privacy community and has advanced the dialogue about the rigorous use of empirical methods in security and privacy research. In these research projects, we repeatedly found that usability issues of security and privacy mechanisms, development practices, and operation routines are what lead to the majority of security and privacy failures that affect millions of end users.
Case Study of the Space Shuttle Cockpit Avionics Upgrade Software
The purpose of the Space Shuttle Cockpit Avionics Upgrade project was to reduce crew workload and improve situational awareness. The upgrade was to augment the Shuttle avionics system with new hardware and software. An early version of this system was used to gather human factor statistics in the Space Shuttle Motion Simulator of the Johnson Space Center for one month by multiple teams of astronauts. The results were compiled by NASA Ames Research Center and it was determined that the system provided a better than expected increase in situational awareness and reduction in crew workload. Even with all of the benefits of the system, NASA cancelled the project towards the end of the development cycle. A major success of this project was the validation of the hardware architecture and software design. This was significant because the project incorporated new technology and approaches for the development of human rated space software. This paper serves as a case study to document knowledge gained and techniques that can be applied for future space avionics development efforts. The major technological advances were the use of reflective memory concepts for data acquisition and the incorporation of Commercial off the Shelf (COTS) products in a human rated space avionics system. The infused COTS products included a real time operating system, a resident linker and loader, a display generation tool set, and a network data manager. Some of the successful design concepts were the engineering of identical outputs in multiple avionics boxes using an event driven approach and inter-computer communication, a reconfigurable data acquisition engine, and the use of a dynamic bus bandwidth allocation algorithm. Other significant experiences captured were the use of prototyping to reduce risk, and the correct balance between Object Oriented and Functional based programming.
Multi-Scattering: Computational light transport in turbid media
This thesis presents and describes the development of an online freely accessible software called Multi-Scattering for the computational modeling of light propagation in scattering and absorbing media. The model is based on the use of the Monte Carlo method, where billions of photon packets are being launched and tracked through simulated cubic volumes. The software also includes features for modeling image formation by inserting a virtual collecting lens and a detection matrix which simulate a camera objective and a sensor array respectively. In addition, the Lorenz-Mie theory is integrated to generate the scattering phase functions from spherical particles. The model has been accelerated by means of general-purpose computing on graphics processing units, reducing the computation time by a factor up to 200x in comparison with a single CPU thread. By using four graphic cards on a single computer, the simulation speed increases by a factor of 800x. With an anisotropy factor g = 0.86, the transport path of one billion photons can be computed in 10 seconds for optical depth OD = 10 and in 20 minutes for OD = 500. The simulations are running from a computer server at Lund University, allowing researchers to log in and use it freely without any need for programming skills or specific software/hardware installations. There are countless types of scattering media in which this model can be used to predict photon transport, including medical tissues, blood samples, clouds, smoke, fog, turbid liquids, spray systems, etc.
In this thesis, the software has been used for a variety of scattering situations and to simulate photon transport: 1) inside a portion of a human head, 2) within atomizing spray systems, 3) in controlled aqueous dispersion of polystyrene spheres, 4) for time-of-flight measurements in intralipid solutions and 5) for Diffuse Correlation Spectroscopy applications. Finally, the numerical results have been validated by rigorously comparing the simulated results with experimental data. The user interface for both setting-up a simulation and displaying the corresponding results is found at: https://multi-scattering.co
Links between the personalities, styles and performance in computer programming
There are repetitive patterns in strategies of manipulating source code. For
example, modifying source code before acquiring knowledge of how a code works
is a depth-first style and reading and understanding before modifying source
code is a breadth-first style. To the extent we know there is no study on the
influence of personality on them. The objective of this study is to understand
the influence of personality on programming styles. We did a correlational
study with 65 programmers at the University of Stuttgart. Academic achievement,
programming experience, attitude towards programming and five personality
factors were measured via self-assessed survey. The programming styles were
asked in the survey or mined from the software repositories. Performance in
programming was composed of bug-proneness of programmers which was mined from
software repositories, the grades they got in a software project course and
their estimate of their own programming ability. We did statistical analysis
and found that Openness to Experience has a positive association with
breadth-first style and Conscientiousness has a positive association with
depth-first style. We also found that in addition to having more programming
experience and better academic achievement, the styles of working depth-first
and saving coarse-grained revisions improve performance in programming.
Comment: 27 pages, 6 figure
Intelligence student advising system - an implementation using object-oriented C++
This paper presents an approach for developing a consistent student course-advising system for undergraduate students using knowledge-based technology. A prototype system has been implemented in object-oriented technique using C++. The prototype system was designed for undergraduate Computing students. The prototype is able to give consultation and advice on some important aspects of student advising problems. Knowledgeable behaviour was produced where the 'expert' and 'knowledge' are stored separately from the inference engine. Object-oriented programming technique was found to enhance the development of the system.
Towards a Theory of Software Development Expertise
Software development includes diverse tasks such as implementing new
features, analyzing requirements, and fixing bugs. Being an expert in those
tasks requires a certain set of skills, knowledge, and experience. Several
studies investigated individual aspects of software development expertise, but
what is missing is a comprehensive theory. We present a first conceptual theory
of software development expertise that is grounded in data from a mixed-methods
survey with 335 software developers and in literature on expertise and expert
performance. Our theory currently focuses on programming, but already provides
valuable insights for researchers, developers, and employers. The theory
describes important properties of software development expertise and which
factors foster or hinder its formation, including how developers' performance
may decline over time. Moreover, our quantitative results show that developers'
expertise self-assessments are context-dependent and that experience is not
necessarily related to expertise.
Comment: 14 pages, 5 figures, 26th ACM Joint European Software Engineering
Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE
2018), ACM, 201