An Adoption Theory of Secure Software Development Tools

1. An Adoption Theory of Secure Software Development Tools PI: Emerson Murphy-Hill Students: Jim Shepherd and Shundan Xiao

2. Context The National Security Agency is sponsoring a large-scale “Science of Security” project to make fundamental advances in security. Three sites: • Carnegie Mellon • University of Illinois, Urbana-Champaign • North Carolina State

3. Background: Secure Software Tools • To secure our complex systems, we must secure their software • Software developers are the lynchpin of software security • Developers can use practices and tools to build secure software • Tools include static analysis tools, model checkers, and automated penetration testing tools • But developers generally use very few of the tools available to them. Why?

4. Background: Adoption Theory • Why new ideas are adopted (or not) has been extensively studied in diffusion of innovations, an interdisciplinary study. Used in: • Agricultural innovations • Social programs • New technologies • A little in software development • Identifies the factors that lead to adoption and effective sustained use Everett Rogers. Diffusion of Innovations. 2003.

5. Approach Identify the factors that lead to security tool adoption (and non-adoption) Step 1: Qualitatively identify factors Factors will help us make better tools, make smarter adoption decisions, and educate students

6. Method 43 Interviews with Software Developers Interviews semi-structured, some role-specific questions asked $50 gift card for participating

7. High Level Findings Relative advantage Experience Compatibility Characteristics of the innovation (security tools) Characteristics of potential adopters (developers) Complexity Inquisitiveness Trialability Re-invention Probability of adoption Company size Company training Frequency of interaction Company structure Social system factors Communication channels Company domain & security concern Trust Company culture Company policy & standards

8. Some Highlights • Use of security tools may be low because it’s a preventative innovation: big distance between tools and their effects • Far and away, developers are learning about security tools from their peers • Developers may consider holistic cost of a tool, not just up front cost, but opportunity cost when sorting through false positives

9. More Highlights • Company approval process effectively reduces trialability • Tool integration into build system short-circuited many challenges of adoption • Many developers felt they could rely on others to ensure security

10. Next Steps Year 2: Quantify • Distribute survey to people who have used tools • Distribute survey to wider developers, with vignettes Year 3: Predict and Refine • A-B testing case studies Year 4: Operationalize and Influence • Work with Industrial Extension Service to put theory to practice

11. Questions? Relative advantage Experience Compatibility Characteristics of the innovation (security tools) Characteristics of potential adopters (developers) Complexity Inquisitiveness Trialability Re-invention Probability of adoption Company size Company training Frequency of interaction Company structure Social system factors Communication channels Company domain & security concern Trust Company culture Company policy & standards