I was privileged to attend the Workshop on Security and Human Behaviour last month in Cambridge, UK. This fascinating two-day workshop brought together around ninety leading researchers in Human-Centred Security, most working in software security. The delegate page alone is worth a look: most attendees linked their key papers, so it makes a good introduction to the field.
A year ago I started researching software security. I started by interviewing a dozen very experienced experts, and analysing what they said.
In their answers I found something very different from what I’d seen in the literature.
Much of the writing about software security tells programmers to use checklists of possible errors; the implication is that if the checklist is satisfied, the software is secure. Alas, this isn’t true.
Last week I was discussing my research at Security Lancaster with a friend. She said, "You must think security is the most important thing in software."
I hastened to deny it. You see, I don't think security is by any means the most important aspect of software creation.
I attended the Foundations of Software Engineering conference in Seattle a week or so back. The conference covers a wide range of research topics, and this year they’ve moved to having three streams in parallel much of the time. Three presentations really stood out.
Cyber security is a bit strange. For government it's the name that defines a very real threat to our country's future. For information security specialists it's a silly word that only means something to government. So what does 'Cybersecurity' really mean?
What does 'App Security' really mean? What does it mean to keep an app secure, so that our users can do what they want, but we can stop malicious people from causing them and us harm?
Cryptography worries people. It all seems very complicated. But it needn't be...
Know your enemy is a very old principle indeed. It dates back to the Chinese philosopher Sun Tzu's The Art of War. I've always been fascinated to know who it is that is my enemy when I'm developing secure software for mobile phones.
It’s a tricky decision. You have two or three possible vendors for a very large software-related project. Any of them would be good. Your problem is that having chosen a vendor, you know you’ll be stuck with them, effectively, indefinitely. And so in a year or so you’ll no longer be able to use vendor competition to keep your costs down. So what do you do?
What does a Secure Development Process mean for an Agile development team? An SDP is a set of activities and deliverables to enable developers, testers and project managers to create software that is proof against security threats. But how?
Is Google the ultimate programming tool?
Five years ago, given a project in a new environment, you would get several books on the language; you would get a manual or two (possibly online) on the frameworks and libraries. Then you would learn the language and libraries by trial and error and, after considerable blood, sweat and tears, would be able to program in that environment at a professional level. But that's all changed now...
Meet me at...
Phone: +44 (0) 7876 027350
Wallacefield, Armathwaite, Carlisle CA4 9SR, UK