Usable Security

In my current research work, I am investigating how developers and security experts incorporate security in the software development process. My goal is to help software developers and security experts to have smooth integration of security in SDLC. To aim to this goal, I am exploring the needs of developers and security experts while performing security tasks, explore and develop new methods to ensure software security based on the software practitioner’s need.

Summary

The advancement in software security mechanisms (API security, tools, documentation, etc) has not been able to stop the increase in the number of reported security vulnerabilities and attacks on critical software systems. NIST’s NVD statistical figures report more than a 100\% increase in reported vulnerabilities since the year 2016. The outcome of the security research (API security, tools, documentation, secure coding, etc) is used by developers and it is easy to blame them for poor development practices and lack of security know-how. But, now the research community is recognizing that it is unrealistic to expect developers to become security experts. On the other side, the security experts have demonstrated that security mechanisms can protect the majority of applications against many common security attacks but in practice, we find a huge knowledge gap. Therefore, an important question to ask is, how can developers and development teams adopt effective security practices and knowledge during the software development process.

Another point of view is that the change in the developer’s expertise over a while has shifted the focus on developers for good. The security mechanisms must be smoothly integrated into the software development process so that software developers can be conflict-free from the security perspective and use their cognitive processing in their expert area. Part of our work is also on understanding how security is impacted by different developer activities.

The first step of my research is to survey and interview the software professionals. To summarize, we want to understand the perspective on security from various roles in software development.

Do you want to join & tell us what motivates you for software security?
We would like to hear from → write an e-mail to me!

This research project is of the Software Engineering Research (SERG) Group at the Delft University of Technology in the Netherlands.