Final published version, 1.71 MB, PDF document
Available under license: CC BY-ND: Creative Commons Attribution-NoDerivatives 4.0 International License
Research output: Thesis › Master's Thesis
Research output: Thesis › Master's Thesis
}
TY - GEN
T1 - How to Improve the Security Skills of Mobile App Developers
T2 - An Analysis of Expert Knowledge
AU - Weir, Charles
PY - 2017
Y1 - 2017
N2 - Much of the world relies heavily on apps. Increasingly those apps handle sensitive information: controlling our financial transactions, enabling our personal communication and holding intimate details of our lives. So the security of those apps is becoming increasingly vital. Yet research shows that those apps contain frequent security and privacy problems; and that almost all of these issues could have been avoided had the developers had sufficient motivation, support and knowledge. This lack of developer knowledge and support is widely perceived as a major threat.We therefore investigated the skills, approach and motivation required for developers. We conducted a Constructivist Grounded Theory study, involving face-to-face interviews with a dozen experts whose cumulative experience totalled over 100 years of secure app development, to develop theory on secure development techniques. The study identified that the subdiscipline of app development security is still at an early stage, and found surprising discrepancies between current industry understanding and the experts’ recommendations. In particular it found that a secure development process tends not to appeal to app developers; and that the approach of identifying common types of security problems is too limited to give an effective security solution.Instead we identified a set of successful techniques we call ‘Dialectical Security’, where ‘dialectic’ means learning by questioning. These techniques use dialogue with a range of counterparties to achieve app security in an effective and economical way. The security increase comes from continued dialog, not passive learning.The novel contribution of our work is to provide: A grounded theory of secure app development that challenges conventionalprocesses and checklists, and A shift in perspective from process to dialectic.Only by working to develop the Dialectical Security skills of app developers shall we begin to see the kinds of secure apps we need to combat crime and privacy invasions.
AB - Much of the world relies heavily on apps. Increasingly those apps handle sensitive information: controlling our financial transactions, enabling our personal communication and holding intimate details of our lives. So the security of those apps is becoming increasingly vital. Yet research shows that those apps contain frequent security and privacy problems; and that almost all of these issues could have been avoided had the developers had sufficient motivation, support and knowledge. This lack of developer knowledge and support is widely perceived as a major threat.We therefore investigated the skills, approach and motivation required for developers. We conducted a Constructivist Grounded Theory study, involving face-to-face interviews with a dozen experts whose cumulative experience totalled over 100 years of secure app development, to develop theory on secure development techniques. The study identified that the subdiscipline of app development security is still at an early stage, and found surprising discrepancies between current industry understanding and the experts’ recommendations. In particular it found that a secure development process tends not to appeal to app developers; and that the approach of identifying common types of security problems is too limited to give an effective security solution.Instead we identified a set of successful techniques we call ‘Dialectical Security’, where ‘dialectic’ means learning by questioning. These techniques use dialogue with a range of counterparties to achieve app security in an effective and economical way. The security increase comes from continued dialog, not passive learning.The novel contribution of our work is to provide: A grounded theory of secure app development that challenges conventionalprocesses and checklists, and A shift in perspective from process to dialectic.Only by working to develop the Dialectical Security skills of app developers shall we begin to see the kinds of secure apps we need to combat crime and privacy invasions.
KW - app developer
KW - app development
KW - app programmer
KW - app security
KW - application security
KW - dialectic
KW - dialectical security
KW - dialectical security technique
KW - grounded theory
KW - mobile app
KW - penetration testing
KW - secure app
KW - secure app development
KW - secure development
KW - secure software
KW - security code review
KW - security issue
KW - security pattern
KW - software engineering
KW - software security
KW - whole system security
M3 - Master's Thesis
PB - Lancaster University
ER -