Why Johnny doesn't write secure software? Secure software development by the masses

为什么约翰尼不编写安全软件？

• 批准号: EP/P011799/2
• 负责人: Awais Rashid
• 金额: $ 108.77万
• 依托单位: University of Bristol
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2018
• 资助国家: 英国
• 起止时间: 2018 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FP011799%2F2
• 关键词: Why; Johnny; doesn; write; secure

Do you use mobile or web apps or have Internet of Things devices on your person, in your home or workplace? Have you thought about who developed the software that drives these apps and devices, what was their understanding of cyber security, how did they make design decisions that impact the cyber security of the resulting software, and what factors influenced their behaviour and design choices? Or perhaps you are one of the masses exploiting app development platforms and easy-to-program hardware devices such as Arduino and Raspberry Pi to develop applications and deploy them for personal use or distribute them to millions of people around the world? How do you make cyber security decisions when you write software? Do you consciously think about the security implications of your design choices, or are there other factors that are more critical? What will help you achieve your goals from the software that you are developing while ensuring that it is not vulnerable to attacks by malicious actors?This project aims to develop a deep foundational understanding of these issues. We recognise that developing software is no longer the preserve for the select few with deep technical skills, training, and knowledge. A wide range of people from diverse backgrounds are increasingly developing software for mobile and web apps and for programmable consumer devices. This diversity of developers is at the heart of many innovations in the digital economy. The software they produce can be, and is, deployed across systems embedded in many aspects of human activity, and is used by a global user base. However, little is currently understood about the security behaviours and decision-making processes of 'the masses' engaged in software development. We refer to these masses by the pseudonym 'Johnny' - based on a seminal work by Whitten and Tygar where they highlighted the challenges faced by Johnny, the prototypical user of encryption. In this project we aim to tackle the challenges faced by Johnny in a contemporary setting beyond encryption. We focus on the Johnnys with diverse backgrounds, know-how and cyber security expertise who can, and are, developing software used, potentially, by millions worldwide. Drawing on a research team of experts in cyber security, software engineering, and psychology, our aim in this project is to conduct empirically-grounded research to better understand the security implications of Johnny's behaviours and practices and develop effective support for secure software development by Johnny. We propose to achieve this by uncovering and characterising the security vulnerabilities that Johnny tends to introduce, by analysing how and why these vulnerabilities are introduced, and by identifying and evaluating a range of interventions to improve Johnny's security behaviours during software development. We will do this in collaboration with eminent international research partners, drawn from leading research and practitioner organisations around the world. This project will be the first to study the inter-relationship between the cognitive and social processes that shape Johnny's cyber security decisions, their impact on the security of the resultant software and the novel interventions that may steer Johnny towards more effective cyber security decisions during software development.

您是否在家中或工作场所使用移动的或Web应用程序，或随身携带物联网设备？您是否想过是谁开发了驱动这些应用程序和设备的软件，他们对网络安全的理解是什么，他们如何做出影响最终软件网络安全的设计决策，以及哪些因素影响了他们的行为和设计选择？或者你是一个大众利用应用程序开发平台和易于编程的硬件设备，如Arduino和树莓派开发应用程序，并将其部署为个人使用或分发给世界各地的数百万人？当你编写软件时，你如何做出网络安全决策？您是否有意识地考虑设计选择的安全影响，或者是否有其他更关键的因素？什么将帮助您从正在开发的软件中实现目标，同时确保它不容易受到恶意行为者的攻击？该项目旨在对这些问题进行深入的基础性理解。我们认识到，开发软件不再是少数具有深厚技术技能、培训和知识的人的专利。来自不同背景的各种各样的人越来越多地为移动的和Web应用程序以及可编程消费设备开发软件。开发人员的多样性是数字经济中许多创新的核心。他们生产的软件可以部署在嵌入人类活动许多方面的系统中，并由全球用户群使用。然而，目前很少有人了解的安全行为和决策过程中的“群众”从事软件开发。我们用假名“Johnny”来指代这些群众-基于Whitten和Tygar的开创性工作，他们强调了加密的原型用户Johnny所面临的挑战。在这个项目中，我们的目标是解决约翰尼在加密之外的当代环境中所面临的挑战。我们专注于具有不同背景，专业知识和网络安全专业知识的Johnny，他们可以并且正在开发全球数百万人可能使用的软件。在网络安全，软件工程和心理学的专家组成的研究团队的基础上，我们在这个项目中的目标是进行基于实践的研究，以更好地了解约翰尼的行为和实践的安全影响，并为约翰尼的安全软件开发提供有效的支持。我们建议实现这一目标，通过揭露和描述的安全漏洞，约翰尼倾向于介绍，通过分析如何以及为什么这些漏洞被引入，并通过识别和评估一系列的干预措施，以提高约翰尼的安全行为在软件开发过程中。我们将与来自世界各地领先的研究和实践组织的知名国际研究合作伙伴合作。该项目将是第一个研究认知和社会过程之间的相互关系，这些过程塑造了Johnny的网络安全决策，它们对所产生的软件的安全性的影响，以及可能引导Johnny在软件开发过程中做出更有效的网络安全决策的新干预措施。

项目成果

Computer Security. ESORICS 2021 International Workshops - CyberICPS, SECPRE, ADIoT, SPOSE, CPS4CIP, and CDT&SECOMANE, Darmstadt, Germany, October 4-8, 2021, Revised Selected Papers

计算机安全。

• DOI: 10.1007/978-3-030-95484-0_12
• 发表时间: 2022
• 作者: Gardiner J

Influences of developers' perspectives on their engagement with security in code

开发人员的观点对其参与代码安全性的影响

• DOI: 10.1145/3528579.3529180
• 发表时间: 2022
• 作者: Rauf I

The Case for Adaptive Security Interventions

• DOI: 10.1145/3471930
• 发表时间: 2021-06
• 期刊: ACM Trans. Softw. Eng. Methodol.
• 作者: I. Rauf;M. Petre;T. Tun;Tamara Lopez;Paul Lunn;D. Linden;J. Towse;H. Sharp;M. Levine;A. Rashid;B. Nuseibeh

"Do this! Do that!, and Nothing will Happen" Do Specifications Lead to Securely Stored Passwords?

“这样做！那样做！，什么都不会发生”规范是否会导致安全存储密码？

• DOI: 10.1109/icse43902.2021.00053
• 发表时间: 2021
• 作者: Hallett J

On the privacy of mental health apps: An empirical investigation and its implications for app development.

关于心理健康应用程序的隐私：实证调查及其对应用程序开发的影响。

• DOI: 10.1007/978-3-319-10759-2_2
• 发表时间: 2023
• 期刊: Empirical software engineering
• 影响因子: 4.1
• 作者: Iwaya LH