Jean Yang had had enough of aging software programming languages that didn't properly address security and privacy, and she wasn't going to take it anymore.
Yang, a Ph.D. student in MIT's Computer Science and Artificial Intelligence Laboratory, as well as a soon-to-be assistant professor at Carnegie Mellon University's computer science department, last year introduced Jeeves, a programming language that automatically enforces privacy and security policies. She spoke at the recent Privacy. Security. Risk. 2015 event in Las Vegas about the lack of secure software programming languages, and put the problem in blunt terms.
"From my point of view as a programming languages researcher, we're still living in the 1970s," Yang said during her keynote. "Privacy and security were not concerns in the 1970s."
Yang told the audience of privacy and security professionals that "the future runs on software," and in an era of smart cars and smart homes, having applications with strong privacy and security policies will be imperative. But to enact and enforce those policies, she said, "we can create a culture around caring about security and privacy."
That's not an easy task, but Yang is doing more than her fair share to make it a reality. In an interview with SearchSecurity, she talked about the approach behind Jeeves and why developers need to pay special attention to how security and privacy policies are enforced in existing software programming languages.
"These programming languages don't do developers any favors when it comes to security and privacy policies," she said. "It's inherently problematic to add policies for all existing programming languages."
Yang said there are a lot of "garbage languages" in the industry that are still being used by developers, despite their obvious shortcomings. And that only makes the problem worse, she said, because developing and managing all of these security and privacy policies for vast amounts of data sets and information flows is challenging enough.
"The complexities of managing security policies are becoming unmanageable," Yang said. "To put that pressure on the programmer is tough when he or she is already working on the basic controls. So, programmers build the applications first, and then think about security and privacy after the fact -- if they get to it at all."
Jeeves was created as a direct response to those issues, Yang said. The language uses a "policy-agnostic programming" approach, where programmers can attach policies directly to data and the rest of the program can be written in a way that is agnostic to those policies.
In other words, Jeeves allows programmers to write these policies once; the language then gives programmers the ability to automatically apply and enforce them for different information flows, removing the need to manually rewrite and apply the controls again and again throughout the program. By automating the process, Jeeves not only strengthens policy enforcement, but also reduces the chances of making coding mistakes.
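As an added illustration of the policy-agnostic idea (this is a plain-Python sketch written for this article, not Jeeves' own code or syntax), a sensitive field carries its policy from the point where the data is created, the formatting code never consults it, and a single resolution step at the output boundary decides what each viewer sees. The names `Viewer`, `Sensitive`, `concretize` and the patient-record scenario are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Any, Callable

@dataclass(frozen=True)
class Viewer:
    """The output context a value is about to be shown in. (Constructed.)"""
    name: str
    role: str

@dataclass(frozen=True)
class Sensitive:
    """A value with its policy attached: the real value, a public stand-in,
    and a predicate over the viewer deciding which one may be revealed."""
    high: Any
    low: Any
    policy: Callable[[Viewer], bool]

def concretize(value: Any, viewer: Viewer) -> Any:
    """Resolve every Sensitive value for this viewer at the output boundary.
    Walks dicts and lists so one call covers a whole record."""
    if isinstance(value, Sensitive):
        return value.high if value.policy(viewer) else value.low
    if isinstance(value, dict):
        return {k: concretize(v, viewer) for k, v in value.items()}
    if isinstance(value, list):
        return [concretize(v, viewer) for v in value]
    return value

def patient_record(name: str, diagnosis: str, attending: str) -> dict:
    """The policy is written once, where the data is created: the diagnosis is
    visible to clinicians and to the patient, and redacted for everyone else."""
    return {
        "name": name,
        "diagnosis": Sensitive(
            high=diagnosis,
            low="[restricted]",
            policy=lambda v: v.role == "clinician" or v.name == name,
        ),
        "attending": attending,
    }

def render_summary(record: dict) -> str:
    """Policy-agnostic code: formats a record without checking any policy."""
    return f"{record['name']}: {record['diagnosis']} (attending {record['attending']})"

def show(record: dict, viewer: Viewer) -> str:
    """Enforcement happens once, at the output boundary, not in render_summary."""
    return render_summary(concretize(record, viewer))
```

The point of the sketch is that `render_summary` would stay unchanged if the diagnosis policy were tightened or a second sensitive field were added; in Jeeves the equivalent resolution is performed by the language runtime rather than by an explicit `concretize` call.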
"There are not a lot of tools out there to help developers avoid making these mistakes," Yang said. "With [Jeeves], the policies are built into the system, so you don't have to think about it."
But Yang said programmers should be thinking about security and privacy in a larger sense, especially with the growth of cloud services and the Internet of Things, which open up more avenues for information to flow and potentially leak. "Cloud does complicate software programming," she said, adding that companies need to do more than just protect data -- they also need to protect metadata and usage patterns for cloud services and the Internet.
In addition to Jeeves, Yang is also hoping to change the culture around security and privacy with the Cybersecurity Factory, an accelerator she co-founded in partnership with venture capital firm Highland Capital Partners. Cybersecurity Factory offers an eight-week program for college students interested in launching security-focused startups and provides them seed money, office space, and technical and business mentors.
The aim, Yang said, is for a new generation of IT professionals to help change the culture around security and privacy in software development and policy enforcement. But ultimately, she said, users will be the ones to truly move the needle. "People need to push for these things," Yang said. "The consumers need to demand better security and privacy, and they need to see these things as competitive differentiators."
While the current view of software security may appear bleak, Yang said she's hopeful for the future. "I don't think we need to get depressed," she said. "I'm pretty optimistic about software security, because we know it's an issue, and there are a lot of smart people working on it."