
Electronic data

  • 2017weirmbr

    Final published version, 1 MB, PDF-document

    Available under license: CC BY-ND: Creative Commons Attribution-NoDerivatives 4.0 International License


How to Improve the Security Skills of Mobile App Developers: An Analysis of Expert Knowledge

Research output: Thesis (Master's Thesis)

Published

Standard

How to Improve the Security Skills of Mobile App Developers : An Analysis of Expert Knowledge. / Weir, Charles.

Lancaster University, 2017. 135 p.



Bibtex

@mastersthesis{7067866fbb0e491da2e335aeafae335a,
title = "How to Improve the Security Skills of Mobile App Developers: An Analysis of Expert Knowledge",
abstract = "Much of the world relies heavily on apps. Increasingly those apps handle sensitive information: controlling our financial transactions, enabling our personal communication and holding intimate details of our lives. So the security of those apps is becoming increasingly vital. Yet research shows that those apps contain frequent security and privacy problems; and that almost all of these issues could have been avoided had the developers had sufficient motivation, support and knowledge. This lack of developer knowledge and support is widely perceived as a major threat. We therefore investigated the skills, approach and motivation required for developers. We conducted a Constructivist Grounded Theory study, involving face-to-face interviews with a dozen experts whose cumulative experience totalled over 100 years of secure app development, to develop theory on secure development techniques. The study identified that the subdiscipline of app development security is still at an early stage, and found surprising discrepancies between current industry understanding and the experts’ recommendations. In particular it found that a secure development process tends not to appeal to app developers; and that the approach of identifying common types of security problems is too limited to give an effective security solution. Instead we identified a set of successful techniques we call ‘Dialectical Security’, where ‘dialectic’ means learning by questioning. These techniques use dialogue with a range of counterparties to achieve app security in an effective and economical way. The security increase comes from continued dialogue, not passive learning. The novel contribution of our work is to provide: a grounded theory of secure app development that challenges conventional processes and checklists, and a shift in perspective from process to dialectic. Only by working to develop the Dialectical Security skills of app developers shall we begin to see the kinds of secure apps we need to combat crime and privacy invasions.",
keywords = "app developer, app development, app programmer, app security, application security, dialectic, dialectical security, dialectical security technique, grounded theory, mobile app, penetration testing, secure app, secure app development, secure development, secure software, security code review, security issue, security pattern, software engineering, software security, whole system security",
author = "Charles Weir",
year = "2017",
language = "English",
publisher = "Lancaster University",
school = "Lancaster University",

}

RIS

TY - THES

T1 - How to Improve the Security Skills of Mobile App Developers

T2 - An Analysis of Expert Knowledge

AU - Weir, Charles

PY - 2017

Y1 - 2017


KW - app developer

KW - app development

KW - app programmer

KW - app security

KW - application security

KW - dialectic

KW - dialectical security

KW - dialectical security technique

KW - grounded theory

KW - mobile app

KW - penetration testing

KW - secure app

KW - secure app development

KW - secure development

KW - secure software

KW - security code review

KW - security issue

KW - security pattern

KW - software engineering

KW - software security

KW - whole system security

M3 - Master's Thesis

PB - Lancaster University

ER -