Socio-technical factors in secure software engineering methodologies and practices

Software development is a highly cognitive process, requiring the intellectual work of individuals and groups. The development of secure software systems is highly dependent on the decisions of software developers and other relevant stakeholders. For this reason, it is a field that is affected by errors in human judgment and a range of other socio-technical factors. How, then, do we account for this “human factor”, which plays a major role in this process?

At CREST, researchers are leveraging empirical data sources to study the effect of human factors in secure software development methodologies, processes, and practices. In this regard, the CREST centre aims to collaborate with its industry partners to develop and rigorously evaluate novel technologies (methods, approaches, and tools) that are ultimately deployed in the organizational setting.

Current work includes research related to software patch management, which is one of the most critical defenses employed by organizations to thwart security threats. Patching large and complex enterprise systems is not an easy task: they comprise hundreds of servers, multiple operating systems, and several enterprise applications from distinct vendors, all interconnected through networking devices and working together to serve thousands, sometimes millions, of users. At CREST, the researchers explore human-AI collaboration through the lens of socio-technical aspects in a case study of patch management.

Other work aims to gain an in-depth understanding of socio-technical factors and the challenges of ensuring secure outputs via DevOps practices and the pipeline. In this line of research, we explore how application security assurance methods can be re-framed to suit the DevOps lifecycle. Another area that we explore is how developer behaviours are linked with producing secure outputs and vulnerability progression in a DevOps setting. Ultimately, we plan to develop and rigorously evaluate novel tools and frameworks to enable automated security support in this domain.