Secure Programming
Dominik Wermke

Abstract: Potential attack openings in software often stem from a relatively small number of programming errors, wrong assumptions, or the inclusion of vulnerable software components (e.g., the recent Log4Shell or ProxyShell vulnerabilities). Unsurprisingly, just blaming developers for these errors did not resolve vulnerabilities in the past. A better approach appears to be to support developers in their secure programming efforts.

In this lecture, we will take a look at an early step in supporting these efforts from an academic point of view: identifying and systemizing developers’ current practices and approaches around secure programming. For this, we will discuss a number of publications investigating documentation choices, library usage, and supply chain considerations, as well as the qualitative and quantitative research methodologies applied by these publications.

We will see how the applied development approaches are often quite diverse and dependent on the project’s context, as well as how future research could better support secure programming efforts.

Static site generated in Hugo with custom theme, deployed on vercel.