=Paper= {{Paper |id=Vol-1575/paper_5 |storemode=property |title=Early Report: How to Improve Programmers' Expertise at App Security? |pdfUrl=https://ceur-ws.org/Vol-1575/paper_5.pdf |volume=Vol-1575 |authors=Charles Weir,Awais Rashid,James Noble |dblpUrl=https://dblp.org/rec/conf/essos/WeirRN16 }} ==Early Report: How to Improve Programmers' Expertise at App Security?== https://ceur-ws.org/Vol-1575/paper_5.pdf
Early Report: How to Improve Programmers' Expertise at App Security?

Charles Weir, Security Lancaster, Lancaster University, c.weir1@lancaster.ac.uk
Awais Rashid, Security Lancaster, Lancaster University, a.rashid@lancaster.ac.uk
James Noble, Victoria University, Wellington, NZ, kjx@ecs.vuw.ac.nz

Abstract

Apps present a significant security risk. Developer inexperience of security is a major contributor to this risk. Based on interviews with a dozen app security experts we identify that most app programmers simply do not care about security. Only by working on the factors influencing programmers' motivation, and afterwards developing their whole system security skills, shall we begin to see the kind of secure apps that industry needs.

The western world relies heavily on apps. Apps run on mobile phones, on PC browsers, as PC native apps, or as the software running on sensors and controllers in the Internet of Things, but all share a number of common features. Typically they communicate with one or at most a few services on the internet; they are not advertised on the Internet in the way that services must be; and in many cases they may contain data, have access to data, or control services that could embarrass or harm an individual or organisation if they are compromised.

So securing apps that run on such services is becoming increasingly important. There are two questions that address this, both worthwhile: (1) how can we improve the systems and compilers that host and produce such apps; and (2) how can we improve the security skills of the developers who produce them? Most existing work, such as [EOMC11], has studied the kinds of mistakes programmers make, but there has been little exploration of underlying causes, though a recent survey of US organisations [Pone15] found that 73% of respondents saw developer lack of skills as a major cause of app security issues. This paper, therefore, is an early report of an ongoing research project to explore the second question.

Copyright © by the paper's authors. Copying permitted for private and academic purposes. This volume is published and copyrighted by its editors.
In: D. Aspinall, L. Cavallaro, M. N. Seghir, M. Volkamer (eds.): Proceedings of the Workshop on Innovations in Mobile Privacy and Security IMPS at ESSoS'16, London, UK, 06-April-2016, published at http://ceur-ws.org

1. Research Approach

For this research we interviewed a dozen experts in mobile app security: developers, architects and team leaders. We chose our interviewees opportunistically through contacts and referrals; they average some 30 years of industry experience, are typically quite senior in their professions, and work in organisations ranging from start-ups to global software giants. Since the purpose was to find positive approaches to app security, the interview questions derived from Appreciative Inquiry [Reed06], and focussed on success stories and aspirations. To analyse the results, we used Grounded Theory [GlSt73], transcribing and coding the interviews to draw out the participants' concerns as themes and correlations between interviews. This report is based on overview results of all twelve interviews plus detailed analysis of the first four, and includes quotations.

The results surprised us. We'd hoped the experts would tell us of learning resources and successful security training methods. The participants, even those who'd been active in creating resources for programmers to learn, didn't feel that such resources had solved the problems. Instead they highlighted two main issues:

1.1 Lack of interest in security

Programmers simply aren't motivated to get security right. The youth and inexperience of many programmers means they don't have a feeling for the possible impact of a security problem: "It's not that [programmers] have passed judgement on it, and that it is unimportant – they just don't realise that it is important".

Also, few of the stakeholders in apps are interested in security at all – most non-experts, if they think of it at all, expect security to happen automatically; security is seen as an additional cost, and not one justified by industry experience of apps so far: "You can see that from the Apps World [exhibition] where there's no mention of security at all. It's not on people's radar."

1.2 Need for whole system security

Much of the literature and research has focussed on small-scale aspects of security, such as correct use of APIs, and approaches for securing data. But in practice a main source of security issues is wider, typically related to the problem domain or the way systems interconnect: "The things that are the most challenging around security really are trying to understand the threat landscape and trying to understand how threats are realised".

To address these requires developers who can analyse security threats, and who can explain security issues to stakeholders in ways that allow them to make decisions.

2. Tackling these issues

Most of the interviewees had significant experience of a variety of projects involving software security, and they offered a variety of practical solutions to these problems. We'll look at each in turn.

2.1 Tackling programmers' lack of interest in security

Different interviewees suggested different ways to address this. Most common was an approach we'd sum up as 'corporate interest'. Here the organisation itself drives programmer interest: company targets, product specifications, project processes and team organisation all focus on app security, including whole system security. The result is that every team member takes an interest; it becomes an exciting part of their normal day's work.

Where this corporate interest is lacking, some suggested enforcing it as part of professional discipline: app security and motivation to be included in university courses and as a necessity for professional qualifications. Others prefer to wait for app-based security breaches that will change industry ways of thinking.

One interviewee, who uses developers in an external company that hadn't been security-aware, finds it very effective to have a long discussion with each new developer on his projects, getting to know a bit about their life and relating their experiences to the security requirements of his project.

2.2 Tackling Whole System Security

Our interviewees highlighted a variety of successful techniques they use to achieve app security, including:

Analysis: They use ideation sessions working with stakeholders and penetration testing experts of different possible attacks on the system; they analyse reasons for attacks and profiles of possible attackers; and they do formal and informal risk assessments combining the likelihood of each attack with its potential impact.

Effective communication: They find good ways of communicating security decisions in ways their stakeholders can understand: "this data may be visible to an attacker. Do you mind?"

Development techniques: They use processes to avoid the kinds of defect in software that can lead to a security breach. Examples are pair programming, code reviews, using code analysis tools and security-aware choices of libraries and environments.

Continuous feedback: They ensure they receive security status information from released products; they analyse emergent security issues and plan fixes into the development stream for the future.

Continuous enhancement: They emphasise the continuous nature of security: the need for regular upgrades of the live software. They also use development contracts and system architectures that allow for this rather than the more traditional 'fire and forget' approach.

3. Summary and next steps

So a major threat to app security is that few app programmers are motivated to do anything about it. And for those that are, the major wins will be in addressing skills in whole system security.

This paper represents early findings; further work will expand the taxonomy of solutions in section 2. This will provide insights into the issues underpinning app programmers' security behaviour, and into mitigation measures that work in practice.

4. References

[EOMC11] Enck, William; Octeau, Damien; McDaniel, Patrick; Chaudhuri, Swarat: A Study of Android Application Security. In: USENIX Security Symposium (2011), August.

[GlSt73] Glaser, Barney G.; Strauss, Anselm L.: The Discovery of Grounded Theory: Strategies for Qualitative Research (Observations). Chicago: Aldine Transaction, 1973. ISBN 9780202302607.

[Pone15] Ponemon Institute: The State of Mobile Application Insecurity, 2015.

[Reed06] Reed, Jan: Appreciative Inquiry: Research for Change. Sage, 2006. ISBN 1452279020.