State of Practice in Secure Software: Experts’ Views on Best Ways Ahead

Background

Proper selection of methodology for acquiring, authoritative views in the area of applied technology is often insufficiently addressed, with a failure to employ research methods that are properly grounded, with issues such as ‘observation’ versus ‘theory’ [O’HEAR] not separated out. At worst, observation simply consists of an unrepresentative sampling of journal papers or online search, and theory simply the biased views of the enquirer, and in neither case with the investigator’s views subject to proper ‘closed-loop’ feedback. To avoid this as far as possible and although we do make use of open-loop sources, our findings are weighted towards first-hand encounters with a number of peer-reviewed activities involving experts in secure software development. In the course of these encounters we have sometimes been involved in drafting (and redrafting) reports summarizing consensus views on the subject. What is, and what is not, said, and the manner in which the discussions proceed during this consensus building, can give additional insight into the debate.

Prominent among these was participation in a UK Department of Trade and Industry (DTI) Global Watch Initiative, in January 2006 [GWM]. The Global Watch team comprised a small body of experts who met a wide range of influential academic and governmental representatives and senior staff in leading software companies in California and Washington State.