Why doesn't Johnny write secure software?
Software is in the very fabric of the systems we utilise in our daily lives - from online banking to social media through to critical infrastructures that bring water and electricity to our homes and drive systems such as transportation, health and governmental services. Yet vulnerabilities in software continue to be a recurring issue despite major advances in libraries, APIs and tools to help developers write secure software and test the security of their software systems.
Almost 20 years ago, Alma Whitten and David Tygar wrote about the challenges faced by an archetypal user (Johnny) when utilising cryptography to secure communications. As appification and low-cost, easy-to-program hardware democratise software, what are the struggles that developers face when utilising the security libraries, APIs and tools at their disposal?
In this talk, I will discuss these struggles, their potential impact on the security of the resultant software and the open research questions that need to be addressed to support developers in writing more secure software.
Awais Rashid (Bristol)
Awais Rashid is Professor of Cyber Security at the University of Bristol, where he heads the Cyber Security Group and is Director of the EPSRC Centre for Doctoral Training in Trust, Identity, Privacy and Security in Large-Scale Infrastructures.
His research interests are in security of cyber-physical systems, software security and human factors. He leads projects as part of the UK Research Institute on Trustworthy Industrial Control Systems (RITICS) and UK Research Institute on Science of Cyber Security (RISCS). He co-led the Security and Safety theme within the UK Hub on Cyber Security of Internet of Things (PETRAS) and is a sector-lead for the PETRAS National Centre of Excellence in Cyber Security of IoT.
He leads CyBOK: an international effort on developing a Cyber Security Body of Knowledge to provide interdisciplinary foundations for education and training programmes and is also a Fellow of the Alan Turing Institute.