Research: Software Ecosystems Security

Information Security Behavior in Organisations

Two people looking at a wall full of security cameras
Photo by Matthew Henry on Unsplash

Organisations and governments invest much effort in training users in specific cyber security behaviours, for example through anti-phishing campaigns, or in creating general cyber security awareness. Nevertheless, PwC's survey reported that "employees are responsible for 27% of all cyber security incidents" in organisations, and this share is growing (20% in 2016 vs 27% in 2017). In 2020, the Ponemon Institute found that 62% of cyber security incidents "were due to negligent or inadvertent employees or contractors", with an average cost of 307,111 US dollars per incident, confirming this alarming trend. Information systems are an attractive target for cybercriminals: they provide a rich source of valuable information that can be used for malicious purposes. Many attackers exploit behavioural techniques (heuristics, biases, nudges) to conduct social engineering, phishing and similar attacks. To cope with this, we need to arm people with usable security tools and match security designs with users' main goals, so that security measures actually work in practice.

Our project tackles this problem by addressing three core challenges. The first is to find out what 'security behaviour' is and who determines it. The second is to develop a robust approach to measuring actual security behaviour: the self-reporting approach based on questionnaires is frequently used in this area, but it is often biased by participants' emotions and their desire to 'look good' despite anonymity. The third is to find a sound explanation of users' secure or insecure behaviour within the organisational environment. Our research will help organisations improve the design of their cyber security processes and software solutions and make them more resistant to cyber attacks.

SearchSECO: A Method and Vulnerability Index for the Worldwide Software Ecosystem

We have developed SearchSECO, a hash-based index of code fragments that enables searching source code at the method level across the worldwide software ecosystem. We have created a set of parsers that rapidly process and hash Git projects. By making methods from the worldwide software ecosystem findable, we can perform more reliable license checks, search for known vulnerable code, and extract call graphs from those methods.

Screenshot of the SearchSECO search method

We unearth the relationships between code fragments, code files, and their projects on a worldwide scale. This fine-grained data enables much richer analyses, significantly moving forward the field of empirical software engineering and its sub-field of repository mining. For more information, please refer to our GitHub and our Portal.
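As an added illustration (not SearchSECO's own code; the project's parsers and hashing scheme are not described on this page), the following Python script shows what a method-level hash index involves: each function is normalised so that renaming and literal changes do not alter its fingerprint, fingerprints are keyed in an index, and a renamed copy of a command-injection-prone method in a second project is found through that index. The two sample projects, their names and the method names are constructed for the example.

```python
"""Method-level hash index for clone and vulnerability search.

Illustrative code, not SearchSECO's. Each function is normalised (function
name and docstring dropped, local identifiers replaced by positional slots,
literals replaced by their type) and the SHA-256 of the normalised AST is
the index key, so a renamed copy of a known-vulnerable method hashes alike.
"""
import ast
import copy
import hashlib
from collections import defaultdict


def _local_names(fn: ast.FunctionDef) -> set:
    """Parameters and assigned variables: the names safe to abstract away.
    Non-local names (imports, builtins, attributes) are kept, because the
    APIs a method calls are part of what makes it recognisable."""
    names = {a.arg for a in fn.args.posonlyargs + fn.args.args + fn.args.kwonlyargs}
    for extra in (fn.args.vararg, fn.args.kwarg):
        if extra is not None:
            names.add(extra.arg)
    for node in ast.walk(fn):
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            names.add(node.id)
    return names


class _Normalizer(ast.NodeTransformer):
    """Rename locals to v0, v1, ... by first appearance; abstract literals."""

    def __init__(self, local_names):
        self.local_names = local_names
        self.slots = {}

    def _slot(self, name):
        return self.slots.setdefault(name, f"v{len(self.slots)}")

    def visit_arg(self, node):
        node.arg = self._slot(node.arg)
        return self.generic_visit(node)

    def visit_Name(self, node):
        if node.id in self.local_names:
            node.id = self._slot(node.id)
        return node

    def visit_Constant(self, node):
        node.value = type(node.value).__name__  # "str", "int", ...
        return node


def method_hash(fn: ast.FunctionDef) -> str:
    """SHA-256 fingerprint of a function, robust to renaming and literal edits."""
    fn = copy.deepcopy(fn)
    fn.name = "f"
    # A docstring is documentation, not behaviour: drop it from the fingerprint.
    if (fn.body and isinstance(fn.body[0], ast.Expr)
            and isinstance(fn.body[0].value, ast.Constant)
            and isinstance(fn.body[0].value.value, str)):
        fn.body = fn.body[1:] or [ast.Pass()]
    _Normalizer(_local_names(fn)).visit(fn)
    canonical = ast.dump(fn, annotate_fields=False, include_attributes=False)
    return hashlib.sha256(canonical.encode()).hexdigest()


class MethodIndex:
    """fingerprint -> list of (project, method name) for every method seen."""

    def __init__(self):
        self.by_hash = defaultdict(list)

    def add_project(self, project: str, source: str) -> int:
        """Index every function in `source`; returns the number indexed."""
        count = 0
        for node in ast.walk(ast.parse(source)):
            if isinstance(node, ast.FunctionDef):
                self.by_hash[method_hash(node)].append((project, node.name))
                count += 1
        return count

    def find_clones(self, source: str) -> dict:
        """Per function in `source`: all indexed (project, method) with the
        same fingerprint. An indexed project lists its own methods too."""
        hits = {}
        for node in ast.walk(ast.parse(source)):
            if isinstance(node, ast.FunctionDef):
                matches = self.by_hash.get(method_hash(node), [])
                if matches:
                    hits[node.name] = list(matches)
        return hits


# Constructed sample projects: PROJECT_B holds a renamed copy of the
# shell-command method from PROJECT_A plus one unrelated method.
PROJECT_A = '''
import os

def run(cmd):
    """Build and run a shell line from caller input (command injection risk)."""
    line = "echo " + cmd
    return os.system(line)
'''

PROJECT_B = '''
import os

def execute(command):
    text = "ls " + command
    return os.system(text)

def count_items(items):
    return len(items)
'''

if __name__ == "__main__":
    index = MethodIndex()
    index.add_project("project-a", PROJECT_A)
    index.add_project("project-b", PROJECT_B)
    for method, matches in index.find_clones(PROJECT_A).items():
        print(method, "->", matches)
```

The normalisation is deliberately selective: local names and literals are abstracted, but calls such as `os.system` are kept, since a fingerprint that also erased API names would match unrelated methods with the same shape. How aggressive the normalisation should be is a precision/recall trade-off that any method-level index has to settle.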

FAIRSECO: An Impact Portal for FAIR Research Software

Acknowledging the contributions of research software is hard, hampering the careers of research software engineers and grossly undervaluing the role of software in research. We have developed a worldwide software ecosystem database that records software reuse at the method level. Our database makes software impact measurement much easier for research software. We want to extend our database to report the impact that research software has in the worldwide software ecosystem. Furthermore, we wish to extend the Research-Software.nl portal in collaboration with the eScience Center, so that research software engineers can better measure the impact of their software.

Screenshot of research software directory

TrustSECO: A Distributed Ledger for Trust in Software Ecosystems

Package managers are part of the infrastructure that enables anyone to use software; they are a software ecosystem's backbone. They host software from respected software producers and are seen by their users as trusted sources of software. Unfortunately, package managers are not as secure as users think they are: vulnerabilities can enter software at different points in its life cycle, and the package manager cannot be held responsible for them.

In this project, we want to use a distributed ledger that stores trust data about software packages to support the trust that package managers' customers place in them. Such trust data can include whether a package contains known vulnerabilities, whether it stems from a reproducible build, whether it is maintained frequently, whether its developers are reputable, and so on. Package managers in turn use this data to show trust information about the packages they offer.
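As an added illustration (not TrustSECO's own code; the page does not describe its ledger design), the following Python script shows the record structure such a ledger needs and how a package manager could consume it: each record asserts one fact about one package version on behalf of a named source, records are chained by digest so that later edits are detected, and a verdict is derived from the recorded facts. It is a single-node hash chain, leaving out distribution and consensus; the package name, version and source names are constructed for the example.

```python
"""Tamper-evident ledger of trust facts about software packages.

Illustrative code, not TrustSECO's. Each record commits to the digest of the
previous record and the ledger keeps the digest of its head; distribution and
consensus are out of scope for this single-node version.
"""
import dataclasses
import hashlib
import json
from typing import Any

GENESIS = "0" * 64


@dataclasses.dataclass(frozen=True)
class TrustRecord:
    package: str
    version: str
    fact: str         # e.g. "known_vulnerabilities", "reproducible_build"
    value: Any
    source: str       # who asserted the fact (hypothetical names in the demo)
    prev_hash: str    # digest of the preceding record, GENESIS for the first

    def digest(self) -> str:
        payload = json.dumps(dataclasses.asdict(self), sort_keys=True,
                             separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


class TrustLedger:
    def __init__(self):
        self.records = []
        self.head = GENESIS  # would be published or replicated in a real deployment

    def append(self, package, version, fact, value, source) -> str:
        rec = TrustRecord(package, version, fact, value, source, self.head)
        self.records.append(rec)
        self.head = rec.digest()
        return self.head

    def verify(self) -> bool:
        """Recompute the chain. Checking every prev_hash catches edits to any
        record that has a successor; comparing the final digest with the
        published head is what catches an edit to the newest record."""
        prev = GENESIS
        for rec in self.records:
            if rec.prev_hash != prev:
                return False
            prev = rec.digest()
        return prev == self.head

    def facts(self, package, version) -> dict:
        """Latest asserted (value, source) per fact for package@version."""
        out = {}
        for rec in self.records:
            if (rec.package, rec.version) == (package, version):
                out[rec.fact] = (rec.value, rec.source)
        return out


def assess(ledger: TrustLedger, package: str, version: str) -> str:
    """Verdict a package manager could show next to a package, derived from
    the recorded facts; refuses to judge when the chain does not verify."""
    if not ledger.verify():
        return "ledger-corrupt"
    facts = ledger.facts(package, version)
    if not facts:
        return "unknown"
    if facts.get("known_vulnerabilities", (0, None))[0] > 0:
        return "untrusted"
    if not facts.get("reproducible_build", (False, None))[0]:
        return "unverified"
    return "trusted"


def demo_ledger() -> TrustLedger:
    """Constructed sample data: a rebuild result, then a vulnerability count
    that is later revised upwards by the same (hypothetical) source."""
    led = TrustLedger()
    led.append("acme-utils", "2.1.0", "reproducible_build", True, "rebuilder.example")
    led.append("acme-utils", "2.1.0", "known_vulnerabilities", 0, "vulndb.example")
    led.append("acme-utils", "2.1.0", "known_vulnerabilities", 1, "vulndb.example")
    return led


if __name__ == "__main__":
    led = demo_ledger()
    print(assess(led, "acme-utils", "2.1.0"), led.verify())
```

The integrity check deserves the caveat spelled out in `verify`: a hash chain on its own only protects records that have a successor, so the newest record (the one an attacker most wants to alter, for example to clear a vulnerability count) is only protected if the head digest is kept somewhere the attacker cannot rewrite. In a distributed ledger that role is played by replication and consensus; here it is the `head` field.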