SESSION ID: DSO-T12
Which Developers and Teams Are More Likely to Write Vulnerable Software?

Anita D’Amico, Ph.D., CEO, Code Dx, Inc. (@anitadamico)
Chris Horn, Senior Researcher, Secure Decisions (@chornsec)
#RSAC

Approved for Public Release, Distribution Unlimited, 23 September 2019.

Lightning round of my talk
• New research links human factors to software quality and security
• Certain characteristics of software developers and work environments correlate with quality and security issues in code
• You can use knowledge of how human factors affect performance in medicine and transportation to structure work environments that yield more secure software
• You can use information about human factors to:
  – More efficiently hunt for vulnerabilities in code
  – Structure your software development team to write better and more secure code

Outline of today’s talk
• Why investigate human factors that affect code quality and security?
• How do we conduct research to discover these human factors?
• What has been discovered thus far?
  – Work environment
  – Team characteristics
  – Developer behaviors & characteristics
• Where can we draw lessons learned from non-software domains?
  – Factors that affect human performance in transportation, medicine & healthcare, occupational safety

Why? Why should we investigate human factors that affect code quality and security?

Software vulnerabilities are a major gateway to breaches
[Chart: Top hacking vectors within Information industry; bars for Web application, Other, Backdoor or C2, Desktop sharing, Partner; x-axis: share of breaches, 0% to 100%. Source: Verizon Data Breach Report 2018, Figure 32, page 34]

Software vulnerabilities remain undiscovered for years
• Heartbleed took 2 years to discover
  – 500,000 secure web servers were vulnerable to theft of private keys and passwords [1]
• Apache Struts vulnerability (in Equifax breach) took 4 years to discover
  – Vulnerability exposed personal financial information of 143 million Americans [2]
• On average, vulnerabilities in open source projects remain undiscovered for two years [3]

Static Application Security Testing (SAST) and manual code reviews don’t find all software vulnerabilities
• One static analysis tool, on average, will only detect 14% of all security weaknesses [1]
• Manual code reviewers have difficulty finding vulnerabilities in code

Where would you hunt for vulnerabilities in code? Could you search for security issues based on human factors?
• Developer characteristics
• Team characteristics
• When code was written
• Where code was written

Human factors are properties of people and their environment that affect human performance
• Psychological
  – Individual: learning, ability to focus attention, short/long term memory, decision making
  – Group: collaboration & conflict, communication, cultural norms, …
• Physiological: hearing sensitivity, fatigue, circadian rhythm, endurance, health, …
• Environmental: distractions, temperature, lighting, …
Human factors are considered in safety-critical systems. Why not software engineering?

How? How do we conduct research to discover human factors that affect code quality and security?

Prior human factors research in academia & industry
• Mine existing source code repositories and other systems for indirect measures of human factors
  – Analyze relationships to known vulnerabilities and failures
  – Medium & large open source software projects: Linux kernel, Chromium browser, PostgreSQL, etc.
  – No direct measurement of human factors
• Limited studies of proprietary development
  – Mostly large organizations, e.g. Microsoft, AT&T
• We are performing research under a DARPA R&D contract
  – Expanding research to proprietary development
  – Studying human factors directly

Technical approach to DARPA-funded study
• Goal: Identify human factors that indicate where vulnerabilities may occur in open source and proprietary code
• Retrospective analysis of software repositori
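As an added illustration of the repository-mining approach described above (not the authors' DARPA methodology or code), this constructed Python example treats commit time of day as an indirect human-factors measure and counts how often changes made in each bucket touched files that a later security fix patched. The commit log, the fix list and the 08:00 to 18:00 "core hours" boundary are all assumptions made up for the example.

```python
"""Toy repository-mining pass relating an indirect human-factors measure
(hour at which a change was committed) to later security fixes.
Added example with constructed data; not real project history."""
from collections import defaultdict
from datetime import datetime

# Constructed commit log: (sha, author, local ISO timestamp, files touched).
COMMITS = [
    ("a1", "alice", "2019-03-04T10:15:00", {"net/http.c"}),
    ("a2", "bob",   "2019-03-04T23:40:00", {"net/tls.c"}),
    ("a3", "alice", "2019-03-05T14:05:00", {"net/http.c", "util/buf.c"}),
    ("a4", "bob",   "2019-03-06T01:20:00", {"util/buf.c"}),
    ("a5", "carol", "2019-03-07T09:30:00", {"db/query.c"}),
    ("a6", "bob",   "2019-03-08T22:55:00", {"db/query.c"}),
]
# Constructed later security-fix commits: (sha, timestamp, files patched).
FIXES = [
    ("f1", "2019-04-02T12:00:00", {"net/tls.c"}),
    ("f2", "2019-05-10T16:30:00", {"util/buf.c"}),
]

def time_bucket(ts):
    """Assumed boundary: 08:00-17:59 is 'core', everything else 'off-hours'."""
    return "core" if 8 <= datetime.fromisoformat(ts).hour < 18 else "off-hours"

def precedes_fix(commit, fixes):
    """True if a file this commit touched was patched by a LATER security fix.
    Only later fixes count, so a commit made after the fix is not blamed."""
    _, _, ts, files = commit
    when = datetime.fromisoformat(ts)
    return any(files & patched and when < datetime.fromisoformat(fix_ts)
               for _, fix_ts, patched in fixes)

def rate_by(key, commits=COMMITS, fixes=FIXES):
    """Group commits by key(commit); return {group: (hits, total, hits/total)}."""
    counts = defaultdict(lambda: [0, 0])
    for commit in commits:
        group = key(commit)
        counts[group][1] += 1
        counts[group][0] += precedes_fix(commit, fixes)
    return {g: (hit, tot, hit / tot) for g, (hit, tot) in counts.items()}

def by_time_of_day():
    return rate_by(lambda c: time_bucket(c[2]))

def by_author():
    return rate_by(lambda c: c[1])

if __name__ == "__main__":
    for name, table in ("time of day", by_time_of_day()), ("author", by_author()):
        print(name, {g: f"{h}/{t}" for g, (h, t, _) in table.items()})
```

On real history this needs many more commits, controls for confounders such as file churn and component risk, and a statistical test before a difference between buckets is read as a human-factors effect rather than noise.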