Awards Ceremony Recap - 5th Annual Best Scientific Cybersecurity Paper Competition

On October 27, 2017, the Research Directorate at NSA hosted the 5th Annual Best Scientific Cybersecurity Paper Competition awards ceremony. The winners are Mr. Doowon Kim, and Prof. Michelle Mazurek from the University of Maryland and Ms. Yasemin Acar, Dr. Sascha Fahl and Mr. Christian Stransky from the Universität Des Saarlandes (Saarland University) whose paper was entitled “You Get Where You’re Looking For: The Impact of Information Sources on Code Security.”

Dr. Adam Tagert, the Science of Security Technical Director, gave the welcoming remarks, stating that this ceremony would “acknowledge these special award winners.” In addition to the award, Dr. Tagert pointed out that the winning paper was also presented at the 2016 IEEE Symposium on Security and Privacy. He also gratefully acknowledged the help from the 11-member Distinguished Expert Reviewers, with a special nod to Prof. Jean Camp from Indiana University who was in attendance.

Dr. Deborah Frincke, NSA’s Director of Research, presented the Opening Remarks that emphasized how research is valued. She noted that, after all, the Director of Research has a seat at NSA’s Board of Directors. To the winners, she confirmed that papers like theirs “influence the outside world” in part by demonstrating how science can be used as a “common language and rigor to approach problems.” The competition also serves as a thermometer that gauges the maturity of security research, as she is seeing improvement over the years. In this case, the winning team set an example for others to follow as they have shown “what ‘good’ looks like.”

Both Ms. Acar and Mr. Stransky gave a brief presentation on their research which was inspired by a common problem. When software developers get “stuck”, they often turn to resources such as Stack Overflow to find solutions. Unfortunately, many of the posted solutions are not necessarily secure. The research explores developers’ problem solving choices, and the impact on the software ecosystem. They noticed that an unsettling number of Android apps used readily available, and insecure code snippets. After describing their methodology of subjecting Android developers to various security-relevant tasks and varying their choices of resources (Stack Overflow, official documentation, books, and free choice), they reviewed their findings on the impacts to both functional correctness, and security correctness. They concluded that project managers should “take developers offline and give them a book,” and added that while professionals tended to produce functional code more reliably, they were no better at security.

Dr. Carl Landwehr then moderated a Q&A panel discussion with the awardees. They were asked what kinds of blind alleys they might have gone down. They didn’t expect how difficult it would be to recruit enough Android developers, and to get their development system to run on different systems, with different restrictions. The discussion led to conclusions about documentation, how it needs more troubleshooting to be an effective, preferred resource, and that the team is working with Google to improve their documentation. The team was then asked about the generalizability of their findings. They responded that there needs to be a change in mindset, so that security needs to be treated as a common goal, and that “documentation matters” – but nobody likes to write it. The team noted that it might be necessary to treat developers like end-users in that most don’t know enough about security. Dr. Frincke asked if there were other human nature traps. The team felt that people don’t search for optimal solutions and take security advice from odd sources that discourages deeper learning.

Dr. George Coker, Chief of Information Assurance Research, gave the closing remarks. He concluded that the scientific approach to Science of Security is advancing as demonstrated by the research quality improving year over year. He thanked the winners (who stood out above the other 37 nominees), the expert reviewers, and Dr. Frincke. Lastly, he pointed out that the nominations for the 6th annual competition will be due in December.