There are plenty of methods to catch and fix bugs before a piece of software is shipped, but Microsoft is testing a new one that may be a wee bit invasive for developers: biometrics.

A Microsoft Research paper entitled “Using Psycho-Physiological Measures to Assess Task Difficulty in Software Development” details experiments with developer biometrics, or monitoring a developer’s eye movements, physical and mental characteristics as they code to measure alertness and stress levels to indicate a higher probability of code errors.

Researchers Andrew Begel, Thomas Fritz, Sebastian Mueller, Serap Yigit-Elliott, and Manuela Zueger conducted a study of 15 developers where they strapped psycho-physiological biometric sensors, including an eye tracker, an electrodermal (skin sensor measuring sweat) sensor and an EEG (brainwave) sensor, to developers as they programmed various tasks. The study found that biometrics could predict task difficulty for a new developer 64.99% of the time. For a new development task, the researchers found biometrics to be 84.38% accurate.

Microsoft’s researchers concluded that biometrics could better predict when software errors will occur than traditional testing processes looking for defects and bug risks in software metrics. They do admit, however, that a host of internal and external factors including personality, personal life stresses and even time of day could throw off the biometric readings.

In a bubble, biometric readings and predictions may give a more accurate picture of a developer’s stress levels and state of mind during coding. But on top of the fact that the constant feeling of being watched and monitored could contribute to developer stress in the first place, placing a painstaking emphasis on catching bugs during coding discounts the importance of software testing to the software development life cycle.

Thinking with a Dev/Test mindset of catching errors and preventing bugs before QA testing occurs is a valuable trait for developers, but software testers are there for a reason. Their job is to anticipate where a bug will occur and to know the whole of the delivered software inside and out. Whether testers are accomplishing this by manual or automated means, biometric readings are not a replacement for professional knowledge and human instinct.

Not to mention, a group of 15 developers is hardly a representative sample.

Their conclusion states, “It is possible to use fewer sensors and still retain the ability to accurately classify task difficulty,” and that they hope the research will lead to the development of predictive programming support tools. But once you start strapping sensors to a developer’s forehead and skin while tracking every subtle eye movement they make, does it really matter how many sensors they’re using? Probably not to the developer.

Read the full Microsoft Research paper here.


Enterprises are realizing they need to adjust their security initiatives, and as a result, software security is finally becoming mainstream. But with the rise of new trends like the Internet of Things and containerization, it’s up to security teams to teach developers how to secure their code.

Cigital addresses these trends in BSIMM7, the latest version of its software security measurement tool. BSIMM7 looks at the value of software security, as well as industry changes surrounding security practices. The model it uses also has data on what firms are doing to stay secure, as well as the efforts to demonstrate what the companies are doing right.

The BSIMM7 model has expanded to include the largest number of companies in its eight years of addressing software security, said Gary McGraw, CTO of Cigital.

The model now draws from 95 organizations in six areas: financial services, independent software vendors, cloud, healthcare, Internet of Things, and insurance. (The last two industries were added this year.)

Industries represented within those areas included telecommunications, security, retail and energy, and it covered companies like Aetna, Bank of America, EMC, JPMorgan Chase, Siemens, Target and Wells Fargo.

McGraw said that Cigital tracks many industries, but only reports the data when it has at least nine companies in an area. This way, Cigital can report the data without “outing” any particular firm, he said.

Last year, the BSIMM6 model introduced the healthcare industry to bolster the dataset and show other healthcare firms what’s at risk within their systems. During this time, Cigital found software security to be lagging here. While healthcare software security has improved lately, McGraw said it still has a way to go.

On the other hand, the insurance vertical is slightly more mature than healthcare, and firms that were not paying attention to software security are now trying to up their efforts, according to McGraw.

Just as in healthcare, data breaches are a big security risk for insurance companies, said McGraw. As this industry goes through its own digital transformation, it will completely change how it operates, he said.

“You used to go into your local insurance agent once every long time, but now insurance companies are releasing apps, and they have mobile solutions,” said McGraw. “As they adopt these new technologies, they need to be really careful [of vulnerabilities].”

The BSIMM7 model is based on observation, and it serves as a “measuring stick” for software security for product security teams or software security groups (SSGs), said McGraw. The BSIMM is meant for use by anyone responsible for creating and executing a software security initiative, but developers looking to gain more insight into software security can benefit from the report as well.

“We still have many more people to teach about software security and building security in,” said McGraw.

According to the report, 272,782 developers have been directly touched by the BSIMM. With new technologies like IoT and containers, McGraw said it’s up to the SSGs to teach developers how to implement security better as software changes.

“That’s the job of the SSG, it’s to teach developers how to build security better,” said McGraw. “And that’s what we do at Cigital all day, we teach armies of developers how to code better, how to review their code with modern tools, what they can do when transporting their code to the cloud, and how to design and architect their code to be secure. All of those things are described by the BSIMM.”
