42 research outputs found
Better Call Saltzer & Schroeder: A Retrospective Security Analysis of SolarWinds & Log4j
Saltzer & Schroeder's principles aim to bring security to the design of
computer systems. We investigate SolarWinds Orion update and Log4j to unpack
the intersections where observance of these principles could have mitigated the
embedded vulnerabilities. The common principles that were not observed include
fail safe defaults, economy of mechanism, complete
mediation and least privilege. Then we explore the literature on secure
software development interventions for developers to identify usable analysis
tools and frameworks that can contribute towards improved observance of these
principles. We focus on a system wide view of access of codes, checking access
paths and aiding application developers with safe libraries along with an
appropriate security task list for functionalities.
Embedding Privacy Into Design Through Software Developers: Challenges & Solutions
To make privacy a first-class citizen in software, we argue for equipping
developers with usable tools, as well as providing support from organizations,
educators, and regulators. We discuss the challenges with the successful
integration of privacy features and propose solutions for stakeholders to help
developers perform privacy-related tasks.
Comment: To be published in "IEEE Security & Privacy: Special Issue on Usable
Security for Security Workers", 11 pages, 4 figures
"I Don't Know Too Much About It": On the Security Mindsets of Computer Science Students
The security attitudes and approaches of software developers have a large
impact on the software they produce, yet we know very little about how and when
these views are constructed. This paper investigates the security and privacy
(S&P) perceptions, experiences, and practices of current Computer Science
students at the graduate and undergraduate level using semi-structured
interviews. We find that the attitudes of students already match many of those
that have been observed in professional level developers. Students have a range
of hacker and attack mindsets, lack of experience with security APIs, a mixed
view of who is in charge of S&P in the software life cycle, and a tendency to
trust other people's code as a convenient approach to rapidly build software.
We discuss the impact of our results on both curriculum development and support
for professional developers.