Software Security Researcher, Lancaster University
I’m a bit unusual as an early career researcher. You see, academic research is my third career. I spent about 15 years as a programmer and a consultant to programmers, then another 15 years as a tech entrepreneur, setting up and running an outsourced software development company. Both were good fun, and both gave me skills that I use every day in my academic research. For example, even before I started a PhD at Lancaster, I knew how to run a project; how to schedule; how to write a good document; how to manage; about flipped learning; and how to network with colleagues. They’re all useful skills for researchers even if they are rarely included in researcher learning plans.
My favourite research achievement so far is one of impact. Ingolf Becker and I spent several months, with the help of the CyberASAP scheme, taking the Developer Security Essentials workshops we had invented and trialled, and promoting them as an offering for industry. And the workshops are now indeed being used in several companies. Impact is valuable for my university; and for me, it is satisfying to make a contribution to the world.
My big outstanding research question is: how are development teams to achieve good security and privacy without the help of security experts? It’s a question I first encountered in 2012 as leader of a team in just that position; it is a question that is still as relevant, challenging and important as it was then. Innovation and change tend to start with smaller, independent, companies and organisations, and these are exactly where security expertise is most lacking. So, it is vital that we find answers to support them. And this question still drives all my research.
Though it is foremost a technical subject (software security), practical answers to the research question require a range of disciplines: software engineering, sociology, statistics, psychology and management. That range of disciplines is challenging, requiring different academic and industry experts to work together. Nobody knows in advance what the answers are likely to be; changes happen in industry by a process of evolution, with effective practice sometimes being picked up and adopted in different companies. So, academia can contribute very effectively to establishing effective practice—by exploring unconventional and ground-breaking ideas. Our latest project, Sprite+’s FiVu, for example, trials the idea of using design fiction to help threat assessment in a particular domain. Wacky? Certainly. Likely to help security-challenged developers in some way? Yes, that too.