This week I’ve been at the IEEE SecDev conference in Boston. It’s been an eye-opener; I had not realised before just how many aspects there are to secure software development: toolchain improvements; what senior management can do; resources available to developers; patterns for secure development; language design to prevent timing-based oracles; using strong typing to enforce security; log analysis; automated threat modelling – we heard about research on all of these.
Here too, I had the privilege of organising a Birds of a Feather session. This time I asked the question raised by the paper I was presenting: given that developer resources on security tend to be inadequate, how are developers to find out what they need to know?
Here are some of the points from the conversation; I’ve organised them into themes.
Finding Good Answers to Security Problems
We know from research that Stack Overflow is a doubtful source. It’s fine for showing that a solution exists, but the solutions found are often insecure. However, it’s a fact that the industry’s de facto solution to documentation is searchable bulletin boards of solutions. Some organisations even prohibit copying samples from outside [though this doesn’t necessarily solve the problem of bad information].
There are several problems with search engines. Often the data returned is old – decades-old data has accumulated more references to it, so it tends to rank highly. People rarely get to page 2 of Google results (cf. fake news and conspiracy material, where we always see dodgy leads ranked highest).
Can we improve by using different queries to Google? E.g. add the word ‘recommend’. This is difficult because the English language is highly overloaded (words have many meanings). But maybe use an apprentice/mentor approach, teaching how to search for the right things – avoiding the paths of ‘evil’ (Stack Overflow). Or could Stack Overflow or Google change their rankings for software security queries?
Reducing the Problem?
Perhaps we should turn the question around to “How do we make developers need to know less?”. One major problem is poor APIs. For example, in Microsoft .Net originally everyone used the fastest, insecure APIs. Microsoft has now solved the problem internally by scaring their developers into using the secure APIs. But developer usability of APIs is vital.
For developers, there are certain things they need to know before they start coding. We need to make internal training include security training. However, how do security-sensitised developers continue learning about security? There’s no obvious route. And who defines the scope of what developers need to know? There’s no definition currently.
Good cultures, though, have security as an expectation; developers ‘click’ into the idea of security. Think of programming as a class that never stops; the only thing that’s vital is to know what you don’t know, and how to learn it and act on it. Or perhaps the only thing that is vital is just paranoia!
Photo by joshmacdonald.net (edited)