Using Workshops to Improve Security in Software Development Teams

Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. Yet many, perhaps most, security problems can be prevented with careful design, construction and configuration of the software and systems involved, so software developers have a major contribution to make. This research investigated how to help teams of software developers achieve better security. An initial qualitative survey of 15 secure software development professionals highlighted a range of security assurance and motivation techniques suitable for teams of developers, and emphasised the human interaction aspects. A further quantitative survey of 330 successful Android developers then identified a baseline of current security practices in software development. Based on these surveys, the author created an intervention package to help software developers. Action Research techniques were used to trial and improve it in two one-year cycles with a total of 19 development teams in 11 different organisations. The later development of the package concentrated on empowering the developers involved, and reducing the involvement required from the researchers. By proving that a set of structured workshops can have an impact on the security performance of a team for a reasonable cost and without the support of security professionals, this research offers a powerful means to enhance development security in the UK, creating more secure software and systems for all users

Development of microwave synthetic routes to silica and gadolinium oxide nanoparticles for potential bio-imaging applications

The main aim of this research was to develop microwave synthetic pathways to monodisperse silica nanoparticles, which have potential uses in bio-imaging. Functionalisation of these nanoparticles was also attempted, using the fluorescent dye, Rhodamine B. Microwave synthesis was also investigated as a route to metal oxide nanoparticles, specifically gadolinium oxide and doped-gadolinium oxide nanoparticles, which find uses as magnetic resonance contrast agents. A novel method to produce silica nanoparticles using a one-pot microwave synthesis has been developed. It has been demonstrated that small monodisperse silica nanoparticles can be prepared at temperatures as low as 50°C for a reaction time of as little as 30 minutes. This has been achieved using a combination of the traditional Stöber process and the use of microwave irradiation, with tertraethoxyorthosilicate as a precursor, in ethanol, water and ammonium hydroxide. A systematic study has been carried out, varying the reaction times and temperatures to identify the optimum synthetic conditions. The temperatures used were 50, 75, 85 and 100°C and the reaction times used were 0.5, 1, 2 and 5 h. To analyse particle size (Z-average) and polydispersity, dynamic light scattering (DLS) were employed. Scanning electron microscopy was also used to image the nanoparticles. It was found that typically smaller particles, with an average size of 65 nm or lower, displayed high monodispersity, compared to larger particles. Fluorescent doping of silica nanoparticles was also demonstrated using the dye Rhodamine B. These particles were larger in size compared to the pure silica nanoparticles analogues, but remained highly fluorescent, even two months after synthesis. Gadolinium oxide and europium-doped gadolinium oxide nanoparticles were also prepared using a combination of microwave irradiation and polyol synthesis. Both sets of particles displayed fluorescent properties, which could make them useful in future bioimaging applications

An Investigation into the Action of Feed Water upon the Metal of Boilers with Special Reference to Caustic Cracking

Abstract Not Provided

How Does the Stock Market React to Corporate Environmental News?

The environmental decisions of corporations can have a huge impact on both the environment and a company’s value. This paper finds that the stock market reacts negatively to news about the environmental behavior of firms. A 2009 Newsweek study on the “greenness” of companies is used in the study. The event study methodology is used with stock prices to measure the stock market reaction by creating Cumulative Abnormal Returns. The average abnormal returns of all the companies are significantly negative suggesting that investors react adversely to “green” news

Empirical relationships between health literacy and treatment decision making : A scoping review of the literature

Copyright © 2014 Elsevier Ireland Ltd. All rights reserved. Acknowledgements This research was supported by a Joseph Armand Bombardier Doctoral Scholarship awarded to Leslie J. Malloy-Weir by the Social Sciences and Humanities Research Council of Canada. The authors would like to thank Maureen Rice for her help with the literature search strategy and Dr. Malcolm Weir for his help with the relevance screening.Peer reviewedPostprin

Developer Essentials:Top Five Interventions to Support Secure Software Development

Cyber security is a big and increasing problem. Almost every week we hear of a new exploit or security breach that leads to major concerns about our digital infrastructure. Software systems are at the very heart of this digital infrastructure. Therefore, while there may be many commercial, social and practical factors that contribute, it is certain that the decisions of software development teams must have a significant impact on the vulnerability of those systems. In this research we explored ways in which outside actors – such as management, coaches, security teams, industry bodies, and government agencies – may positively influence the security of the software created by development teams, while keeping the development competitive and practically viable. This means that the costs of such 'interventions' need to be acceptable relative to the risks that they address. We interviewed 14 specialists in introducing software security to development teams. Based on a rigorous analysis of their responses, we were surprised to find that three of the most cost effective and scalable interventions are 'cultural interventions' – ones that work to influence the working of development teams, rather than the artefacts they produce: 1. Developing a 'threat model' and using that model to achieve commercially negotiated, risk based, agreement how threats are to be addressed; 2. A motivational workshop engaging the team with the genuine security problems as they affect their specific projects, while making it clear how they are to address those problems; and 3. Continuing 'nudges' to the developers to remind them of the importance of security. The other two low-cost and effective interventions relate to the code produced: 4. The use of source code analysis tools; and 5. The informed choice of components based on their security quality. We therefore suggest that providing guidelines, technical support and mentoring in each of these five interventions will have a significant effect on improving the security quality of code developed in future

I'd Like to Have an Argument, Please:Using Dialectic for Effective App Security

The lack of good secure development practice for app developers threatens everyone who uses mobile software. Current practice emphasizes checklists of processes and security errors to avoid, and has not proved effective in the application development domain. Based on analysis of interviews with relevant security experts, we suggest that secure app development requires 'dialectic': challenging dialog with a range of counterparties, continued throughout the development cycle. By further studying the different dialectic techniques possible in programmers' communications, we shall be able to empower app developers to produce the secure software that we need

Developer Essentials:Top Five Interventions to Support Secure Software Development

Cyber security is a big and increasing problem. Almost every week we hear of a new exploit or security breach that leads to major concerns about our digital infrastructure. Software systems are at the very heart of this digital infrastructure. Therefore, while there may be many commercial, social and practical factors that contribute, it is certain that the decisions of software development teams must have a significant impact on the vulnerability of those systems. In this research we explored ways in which outside actors – such as management, coaches, security teams, industry bodies, and government agencies – may positively influence the security of the software created by development teams, while keeping the development competitive and practically viable. This means that the costs of such 'interventions' need to be acceptable relative to the risks that they address. We interviewed 14 specialists in introducing software security to development teams. Based on a rigorous analysis of their responses, we were surprised to find that three of the most cost effective and scalable interventions are 'cultural interventions' – ones that work to influence the working of development teams, rather than the artefacts they produce: 1. Developing a 'threat model' and using that model to achieve commercially negotiated, risk based, agreement how threats are to be addressed; 2. A motivational workshop engaging the team with the genuine security problems as they affect their specific projects, while making it clear how they are to address those problems; and 3. Continuing 'nudges' to the developers to remind them of the importance of security. The other two low-cost and effective interventions relate to the code produced: 4. The use of source code analysis tools; and 5. The informed choice of components based on their security quality. We therefore suggest that providing guidelines, technical support and mentoring in each of these five interventions will have a significant effect on improving the security quality of code developed in future

Early Report: How to Improve Programmers' Expertise at App Security?

Apps present a significant security risk. Developer inexperience of security is a major contributor to this risk. Based on interviews with a dozen app security experts we identify that most app programmers simply do not care about security. Only by working on the factors influencing programmers’ motivation, and afterwards developing their whole system security skills, shall we shall we begin to see the kind of secure apps that industry needs

How to Improve the Security Skills of Mobile App Developers:Comparing and Contrasting Expert Views

Programmers’ lack of knowledge and ability in secure development threatens everyone who uses mobile apps. There’s no consensus on how to empower app programmers to get that knowledge. Based on interviews with twelve industry experts we argue that the discipline of secure app development is still at an early stage. Only once industry and academia have produced effective app developer motivation and training approaches shall we begin to see the kinds of secure apps we need to combat crime and privacy invasions