Software Security Learning Guide
How do you solve a problem involving security? You have the 'Ghostbusters' problem: who you gonna call? You might ask somebody in your office, but there's a good chance that you'll need to work with some kind of community online. And when we say community, we mean a discussion on Stack Overflow or a similar site.
So here's how to use Stack Overflow to learn about software security, organised around the questions below.
Where do I start?
Start with normal programming questions, around any specific programming task.
If you Google for the answer to a programming problem, more often than not you'll find references in Stack Overflow or one of its related sites. Stack Overflow is a website where developers can ask questions about programming problems they are solving, and get answers. In operation since 2008, the site now provides a community of practice, where participants form a partnership around the shared need to solve programming problems.
You'll learn about security on Stack Overflow within the context of specific tasks you need to complete. Developers on Stack Overflow typically do this, expanding their security awareness and understanding incrementally, by exploring the implications in the context of familiar technologies and skills.
For example, you might use a general question about secure password storage as a space to examine different features of a language API. In asking a follow-up question about the API, you can learn more about how the language works, and at the same time gather information about secure information storage.
Stack Overflow isn't always right, particularly about security. What do I do about that?
Look for tended posts and comment streams: ones with comments and amendments over several years.
Security is dynamic. It takes time to learn and understand good practices, and changing threats require ongoing attention to ensure that mechanisms remain effective and up to date. Security tagged posts on Stack Overflow reflect this, and often remain active for months or even years after an answer is accepted.
The tending activity might be keeping links up-to-date, or adding references to other documents, or refining the language of the question and answer posts for clarity. But often participants will also tend to the content within posts and comment streams. They develop answers over time to include different scenarios, to consider new developments around the issue, or to develop the argument for an answer. Or they may modify answers using information from existing comments, to produce new, relevant information or a new perspective. So, look for discussions that show:
- Information trading. Where participants trade "small" pieces of information over time that serve an immediate need for the participants.
- Broadcasts, with updates about technologies or libraries or software company activity. Sometimes this information is added to answer or question posts, but often you'll find it in the comment threads.
- Related Work. Look for explanations supported with links to other information, such as related answers, articles and documentation.
And how do I use Stack Overflow to learn even more?
Join in by lending a hand or asking for help.
It is personal connections that really support secure coding practice. Upvotes may help to show promising information, but they're not enough! Solving security problems often requires additional support through discussion between participants.
Security problems, like the other problem solving that developers undertake to complete tasks, reflect individual needs in the moment that are shaped by personal knowledge, the context of work, and the technologies at play. Support is given in comments written by the authors of accepted answers, and by other users who have particular knowledge of a language or of a technical aspect of security.
You can use these discussions to:
- Give and receive focused, non-judgemental assistance. You might provide or ask for information, clarification or corrections; or you might confirm your understanding.
- Associate technology facts with security problems. Look for the details: for example, showing how a detail of a language works with an equally small feature of security.
- Situate technical advice in the broader security landscape. You might use anecdotes to explain how attackers use particular technologies, or to bring broader attack scenarios to life.
How does this relate to my project and team?
Bring online security conversations into your team discussions and practice.
If you're like most developers, you'll prefer to draw on the support of your colleagues before turning to online sources; but often you'll find that problem solving is a mix of online and real-world interactions. Copying code snippets verbatim can, and often does, introduce security vulnerabilities. So you need to mould the information found online, including code snippets, to your local software environment, to your functional requirements, and to your particular requirements for security.
The best way to do this is sharing the information you find online with colleagues, talking it over and assessing it with them.
The short open-access paper Taking the Middle Path: Learning about Security Through Online Social Interaction outlines the research and reasons behind this advice.