I'd Like to Have an Argument, Please: Using Dialectic for Effective App Security

The lack of good secure development practice for app developers threatens everyone who uses mobile software. Current practice emphasizes checklists of processes and security errors to avoid, and has not proved effective in the application development domain. Based on analysis of interviews with relevant security experts, we suggest that secure app development requires 'dialectic': challenging dialog with a range of counterparties, continued throughout the development cycle. By further studying the different dialectic techniques possible in programmers' communications, we shall be able to empower app developers to produce the secure software that we need.
