Why Johnny doesn't write secure software? Secure software development by the masses

Lead Research Organisation: University of Bristol
Department Name: Computer Science

Abstract

Do you use mobile or web apps or have Internet of Things devices on your person, in your home or workplace? Have you thought about who developed the software that drives these apps and devices, what was their understanding of cyber security, how did they make design decisions that impact the cyber security of the resulting software, and what factors influenced their behaviour and design choices? Or perhaps you are one of the masses exploiting app development platforms and easy-to-program hardware devices such as Arduino and Raspberry Pi to develop applications and deploy them for personal use or distribute them to millions of people around the world? How do you make cyber security decisions when you write software? Do you consciously think about the security implications of your design choices, or are there other factors that are more critical? What will help you achieve your goals from the software that you are developing while ensuring that it is not vulnerable to attacks by malicious actors?

This project aims to develop a deep foundational understanding of these issues. We recognise that developing software is no longer the preserve for the select few with deep technical skills, training, and knowledge. A wide range of people from diverse backgrounds are increasingly developing software for mobile and web apps and for programmable consumer devices. This diversity of developers is at the heart of many innovations in the digital economy. The software they produce can be, and is, deployed across systems embedded in many aspects of human activity, and is used by a global user base. However, little is currently understood about the security behaviours and decision-making processes of 'the masses' engaged in software development.

We refer to these masses by the pseudonym 'Johnny' - based on a seminal work by Whitten and Tygar where they highlighted the challenges faced by Johnny, the prototypical user of encryption. In this project we aim to tackle the challenges faced by Johnny in a contemporary setting beyond encryption. We focus on the Johnnys with diverse backgrounds, know-how and cyber security expertise who can, and are, developing software used, potentially, by millions worldwide.

Drawing on a research team of experts in cyber security, software engineering, and psychology, our aim in this project is to conduct empirically-grounded research to better understand the security implications of Johnny's behaviours and practices and develop effective support for secure software development by Johnny. We propose to achieve this by uncovering and characterising the security vulnerabilities that Johnny tends to introduce, by analysing how and why these vulnerabilities are introduced, and by identifying and evaluating a range of interventions to improve Johnny's security behaviours during software development. We will do this in collaboration with eminent international research partners, drawn from leading research and practitioner organisations around the world. This project will be the first to study the inter-relationship between the cognitive and social processes that shape Johnny's cyber security decisions, their impact on the security of the resultant software and the novel interventions that may steer Johnny towards more effective cyber security decisions during software development.

Planned Impact

The ultimate beneficiaries of the research are citizens and the digital economy at large. They will benefit from fundamental improvements in security of the software that pervades their daily lives - due to the foundational advances in security behaviours of the masses developing such software and novel interventions to support them in effective security practices.

Developers, i.e., Johnny, will benefit from fundamental insights into factors influencing their security behaviours, tools to automatically detect and flag their security assumptions and interventions to support them in effective security behaviours and design choices.

Large industry organisations and SMEs will benefit from insights into human factors and assumptions that impact software security in contemporary settings where developers have a diversity of knowledge and expertise in both software development and security. They will benefit from the insights relating behaviours, vulnerabilities and interventions to inform their own practices within their software development teams - whether in-house or out-sourced. They will also benefit from new tools and techniques as well as evolution of existing APIs and development environment to more effectively support security design choices. They will also benefit from innovative interventions to support secure software development by the masses, hence stimulating economic growth and development of a strong industry sector in this area.

Policy and government organisations will benefit from a deeper understanding of how Johnny's behaviour impacts software security and hence security of the wider environment and the kind of interventions that can lead to improved security cultures in the masses developing software.

Last, but not least, UK science will be a major beneficiary by being at the forefront of tackling fundamental security challenges that are not only critical to the UK society and economy but that of the world at large.

Publications

10 25 50
publication icon
Van Der Linden D (2019) The Effect of Software Warranties on Cybersecurity in ACM SIGSOFT Software Engineering Notes

publication icon
Van Der Linden D (2018) Safe cryptography for all

Related Projects

Project Reference Relationship Related To Start End Award Value
EP/P011799/1 01/04/2017 31/12/2017 £1,008,352
EP/P011799/2 Transfer EP/P011799/1 01/01/2018 31/03/2021 £853,634
 
Description We have undertaken a study of mobile app developers that investigates the reasons why vulnerabilities arise in mobile apps and how the various tasks and activities, other than programming, in which developers engage impact on the security of the app. Our results show that developers need to be supported in understanding the security implications of their actions when deciding upon their way of working, trusting third party resources, interacting with third parties, and thinking of longer-term impacts of licensing.
Exploitation Route Our findings can form the basis of identifying where suitable support may be targeted to help developers in producing more secure apps that are used by a variety of users around the world. The interventions may be of a technical nature or in the form of guidelines or other mechanisms such as peer support. Such interventions are a subject of on-going investigation within the project.
Sectors Digital/Communication/Information Technologies (including Software)

URL https://www.writingsecuresoftware.org
 
Description The workshops organised on the topics of impact of software warranties on cyber security and need for large-scale empirical research on software security have led to a number of discussions with industry and policy/practice organisations.
First Year Of Impact 2018
Sector Digital/Communication/Information Technologies (including Software)
Impact Types Policy & public services

 
Description 'Talking Design' workshops on expert practices 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Professor Marian Petre ran 'Talking Design' workshops on expert practices in software design at Mozilla Foundation (Mountain View, CA, USA in May 2018; Toronto, Canada in January 2018)
Year(s) Of Engagement Activity 2018
 
Description Presentation at workshop for female cyber professionals 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Irum Rauf participated in 'Queue for the Loo: female entrepreneurism in cyber' at Canary Wharf , London on 5th December, 2018 and introduced The Johnny project at informal networking event held as part of the workshop. The workshop had female cyber professionals. The event was organised by TechUK.
Year(s) Of Engagement Activity 2018
 
Description Presentation: Secure software development by the masses 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact Irum Rauf presented "Secure software development by the masses" at Institute of Coding's Cyber security workshop on 28th Feb, 2019 held at The Open University, MK. The audience was largely SMEs and wider community.
Year(s) Of Engagement Activity 2019
 
Description Workshop on large-scale empirical research on software security 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact This workshop, supported by the NCSC, brought together researchers within UK, Europe and the US to discuss the requirements for an international collaborative effort and infrastructure to support large-scale empirical research on software security. The collective goal for the day was to develop a shared understanding of the challenges faced by research on software code analysis for cybersecurity and outline a roadmap for an international testbed infrastructure for large-scale experimental research on software security. The workshop was jointly organised by Professor Hridesh Rajan, a Fulbright Scholar from Iowa State University whom we hosted at the University of Bristol, and Professor Awais Rashid.
Year(s) Of Engagement Activity 2018
 
Description Workshop on the Effect of Software Warranties on Cyber Security 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact This workshop, sponsored by the NCSC, focused on bringing software developers and legal professionals together to understand the shared challenges they face in promoting the development of secure software on the one hand, and software at all, on the other hand. The workshop also featured a keynote by Professor Annie Anton from Georgia Tech as well as an invited talk by Robert Carolina from RHUL. There was also a panel involving government and industry figures as well as roundtable discussions. A summary of the discussions and insights from the workshop has appeared in a report in ACM SIGSOFT Software Engineering Notes:

Dirk van der Linden, Awais Rashid: The Effect of Software Warranties on Cybersecurity. ACM SIGSOFT Software Engineering Notes 43(4): 31-35 (2018)
Year(s) Of Engagement Activity 2018