Welcome to OWASP AppSec 2018 USA; we look forward to seeing you in San Jose, CA.
Friday, October 12 • 10:15am - 10:50am
Human factors that influence secure software development

Software is written by people, either alone or in teams. Ultimately secure code development depends on the actions and decisions taken by the people who develop the code. How do we account for the “human factors” that contribute to application security?

By their very nature, both automated and manual application security testing are performed after the fact, on code that has already been written. Automated AppSec testing can speed up that process and give security analysts and developers timely information about the security state of their code, narrowing the gap between committing code and discovering weaknesses in it. But automated testing is still performed after the code has been committed. Furthermore, both manual and automated source code analyses are done with little prior knowledge of where in the code base vulnerabilities are likely to appear.

What would happen if we could point to specific code that is more likely to be vulnerable based on other factors, such as the environment under which the code was written (time of day, distracting noise, time pressure), the characteristics of the individual developers (experience, training, focused attention), or the characteristics of the teams that developed it (size, diversity, level of collaboration)? This information would allow us to orient our manual code reviews and automated static analyses towards susceptible code. It would also allow us to change the conditions that contribute to the introduction of vulnerabilities, and to intervene before those conditions affect the security of the code under development.

This would be a definitive way to shift security to the left: become aware enough of the factors that contribute to the introduction of vulnerabilities that an organization can reduce their introduction by changing the conditions under which the code is being developed.

This session will review the types of research being conducted in an emerging area of application security research, the human dimensions of secure code development, along with its initial findings. We will also open a discussion with the audience about innovative ways to further study the human factors that affect secure code development in ongoing projects, not just through historical analyses of well-established repositories.

Speakers

Anita D'Amico

CEO, Code Dx, Inc.
Anita D'Amico, PhD, is CEO of Code Dx, Inc., which provides application security orchestration and correlation solutions that automate AppSec workflows. Prior to taking on the role of CEO, Anita was the Director of Secure Decisions, a cybersecurity R&D organization that developed...

Chris Horn

Senior Researcher, Secure Decisions
Chris Horn is a Senior Researcher at Secure Decisions, an R&D division of Applied Visions, Inc. He has 18 years of experience in research, software systems, and new product development. Currently, he leads cybersecurity research and development projects and focuses on developing technology...


Friday October 12, 2018, 10:15am - 10:50am PDT
Gold, Beginner
Track 3