Welcome to OWASP AppSec 2018 USA we look forward to seeing you in San Jose, CA
Back To Schedule
Friday, October 12 • 10:15am - 10:50am
Human factors that influence secure software development

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Software is written by people, either alone or in teams. Ultimately secure code development depends on the actions and decisions taken by the people who develop the code. How do we account for the “human factors” that contribute to application security?

By its very nature both automated and manual application security testing are performed retroactively on code that has already been written. Automated AppSec testing can speed up that process to provide security analysts and developers with timely information about the security state of their code, thereby closing the time gap between committing code and discovering weaknesses in it. But automated testing is still performed after code has been committed. Furthermore, both manual and automated source code analyses are done without much prior knowledge about where the vulnerabilities are likely to appear in the code base.

What would happen if we could point to specific code that is more likely to be vulnerable based on other factors, such as the environment (time of day, distracting noise, time pressure) under which the code was written or the characteristics of the individual developers (experience, training, focused attention) or the teams (size, diversity, level of collaboration) that developed the code? This information would allow us to orient our manual code analyses and automated static analyses towards susceptible code. It would also allow us to change up the conditions that are contributing to the introduction of vulnerabilities, and intervene before these conditions impact the security of the code under development.

This is a definitive way to shift security to the left. Become so aware of the factors that contribute to the introduction of vulnerabilities that an organization can mitigate their introduction by changing up the conditions under which the code is being developed.

This session will review the types of research being conducted, and the initial findings, from an emerging area of application security research: the human dimensions that relate to secure code development. We will also open up a discussion with the audience about innovative ways that could be used to further study the human factors that affect secure code development in ongoing projects, not just through historical analyses of well-established repositories.

avatar for Anita D'Amico

Anita D'Amico

CEO, Code Dx, Inc.
Anita D’Amico, PhD. is CEO of Code Dx, Inc., which provides application security orchestration and correlation solutions that automate AppSec workflows. Prior to taking on the role of CEO, Anita was the Director of Secure Decisions, a cybersecurity R&D organization that developed... Read More →
avatar for Chris Horn

Chris Horn

Senior Researcher, Secure Decisions
Chris Horn is a Senior Researcher at Secure Decisions, an R&D division of Applied Visions, Inc. He has 18 years of experience in research, software systems, and new product development. Currently, he leads cybersecurity research & development projects and focuses on developing technology... Read More →

Friday October 12, 2018 10:15am - 10:50am PDT
  Gold, Beginner
  • NEW FIELD 1 Track 3