A Good Argument for Security?

A year ago I started researching software security. I started by interviewing a dozen very experienced experts, and analysing what they said.

In their answers I found something very different from what I'd seen in the literature.

Much of the writing about software security tells programmers to use checklists of possible errors; the implication is that if the checklist is satisfied, the software is secure. Alas, this isn't true.

How Important Is Software Security?

Last week I was discussing my research at Security Lancaster with a friend. She said, "You must think security is the most important thing in software."

I hastened to deny it. You see, I don't think security is by any means the most important aspect to software creation.
Leading-edge software research at FSE

I attended the Foundations of Software Engineering conference in Seattle a week or so back. The conference covers a wide range of research topics, and this year they’ve moved to having three streams in parallel much of the time. Three presentations really stood out.

What does 'Cyber' mean?

Cyber security is a bit strange. For government it's the name that defines a very real threat to our country's future. For information security specialists it's a silly word that only means something to government. So what does 'Cybersecurity' really mean?

Five Dimensions of App Security

What does 'App Security' really mean? What does it mean to keep an app secure, so that our users can do what they want, but we can stop malicious people from causing them and us harm?

A Bluffer's Guide to Cryptography

Cryptography worries people. It all seems very complicated. But it needn't be...

Who Commits Cybercrime?

"Know your enemy" is a very old principle indeed. It dates back to the Chinese philosopher Sun Tzu's The Art of War. I've always been fascinated to know who it is that is my enemy when I'm developing secure software for mobile phones.

The Pivot: Reducing your costs through competition

It's a tricky decision. You have two or three possible vendors for a very large software-related project. Any of them would be good. Your problem is that having chosen a vendor, you know you'll be stuck with them, effectively, indefinitely. And so in a year or so you'll no longer be able to use vendor competition to keep your costs down. So what do you do?

What Makes a Secure Development Process?

What does a Secure Development Process mean for an Agile development team? An SDP is a set of activities and deliverables to enable developers, testers and project managers to create software that is proof against security threats. But how?

Using Google for Programming

Is Google the ultimate programming tool?

Five years ago, given a project in a new environment, you would get several books on the language; you would get a manual or two (possibly online) on the frameworks and libraries. Then you would learn the language and libraries by trial and error, and, after considerable blood, sweat and tears, would be able to program in that environment at a professional level. But that's all changed now...