News Stay informed about the latest enterprise technology news and product updates.

Automating security, privacy in software programming

Jean Yang, who created the Jeeves software language, explains why the industry needs to do a better job of enforcing security and privacy policies in its applications.

Jean Yang had enough with aging software programming languages that didn't properly address security and privacy,...

and she wasn't going to take it anymore.

Yang, a Ph.D. student in MIT's Computer Science and Artificial Intelligence Laboratory, as well as a soon-to-be assistant professor at Carnegie Mellon University's computer science department, last year introduced Jeeves, a programming language that automatically enforces privacy and security policies. She spoke at the recent Privacy. Security. Risk. 2015 event in Las Vegas about the lack of secure software programming languages, and put the problem in blunt terms.

"From my point of view as a programming languages researcher, we're still living in the 1970s," Yang said during her keynote. "Privacy and security were not concerns in the 1970s."

Yang told the audience of privacy and security professionals that "the future runs on software," and in an era of smart cars and smart homes, having applications with strong privacy and security policies will be imperative. But in order to enact and enforce those policies, she said, "we can create a culture around caring about security and privacy."

That's not an easy task, but Yang is doing more than her fair share to make it a reality. In an interview with SearchSecurity, she talked about approach behind Jeeves and why developers need to pay special attention to how security and privacy policies are enforced in existing software programming languages.

"These programming languages don't do developers any favors when it comes to security and privacy policies," she said. "It's inherently problematic to add policies for all existing programming languages."

Yang said there are a lot of "garbage languages" in the industry that are still being used by developers, despite their obvious shortcomings. And that only makes the problem worse, she said, because developing and managing all of these security and privacy policies for vast amounts of data sets and information flows is challenging enough.

"The complexities of managing security policies are becoming unmanageable," Yang said. "To put that pressure on the programmer is tough when he or she is already working on the basic controls. So, programmers build the applications first, and then think about security and privacy after the fact -- if they get to it at all."

Jeeves was created as a direct response to those issues, Yang said. The language uses a "policy-agnostic programming" approach, where programmers can attach policies directly to data and the rest of the program can be written in a way that is agnostic to those policies.

In other words, Jeeves allows programmers to write these policies once; the language then gives programmers the ability to automatically apply and enforce them for different information flows, removing the need to manually rewrite and apply the controls again and again throughout the program. By automating the process, Jeeves not only strengthens policy enforcement, but also reduces the chances of making coding mistakes.

From my point of view as a programming languages researcher, we're still living in the 1970s.
Jean YangPh.D. student, MIT

"There are not a lot of tools out there to help developers avoid making these mistakes," Yang said. "With [Jeeves], the policies are built into the system, so you don't have to think about it."

But Yang said programmers should be thinking about security and privacy in a larger sense, especially with the growth of cloud services and Internet of Things, which open up more avenues for information to flow and potentially leak. "Cloud does complicate software programming," she said, adding that companies need to do more than just protect data -- they also need to protect metadata and usage patterns for cloud services and the Internet.

In addition to Jeeves, Yang is also hoping to change the culture around security and privacy with the Cybersecurity Factory, an accelerator she co-founded in partnership with venture capital firm Highland Capital Partners. Cybersecurity Factory offers an eight-week program for college students interested in launching security-focused startups and provides them seed money, office space, and technical and business mentors.

The aim, Yang said, is for a new generation of IT professionals to help change the culture around security and privacy in software development and policy enforcement. But ultimately, she said, users will be the ones to truly move the needle. "People need to push for these things," Yang said. "The consumers need to demand better security and privacy, and they need to see these things as competitive differentiators."

While the current view of software security may appear bleak, Yang said she's hopeful for the future. "I don't think we need to get depressed," she said. "I'm pretty optimistic about software security, because we know it's an issue, and there are a lot of smart people working on it."

Next Steps

Find out why experts believe it's time to rethink cloud data privacy

Learn why training can be more important than programming language security

Discover Wyvern, a secure Web programming language

Dig Deeper on Information security policies, procedures and guidelines

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

3 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How can software programmers better address security and privacy controls in their applications?
Cancel
I think these in effect are two separate questions.

Privacy has to do about keeping safe things which are personal and not to be widely distributed.

Security has to do with safety of use, protecting from potential exploitation by those without legitimate access or authorization, as well as for the integrity of the data that it serves.  It may also include ideas like reliability that often gets forgotten.

For Privacy, I would audit the app for data that is perhaps personal or identifying.  How are they stored, how easy is it for an exploiter to get a hold of it if they get system access?  

For Security, I include static scans to look for bad practices, and I Also look for dynamic and penetration testing.  However, you need to include design characteristics, and audit the data that is passed across the wire.


And if you think that's important, consider what this article says.  There are tools for most languages, but some are easier to audit for these two areas than others.
Cancel
I agree with Veretax, I think they are similar but should still considered separate issues. You can have one without the other but why would you. You need to have a good balance and I think this is more on the network tech than the software programmers. 
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close