An Adoption Theory of Secure Software Development Tools
PI: Emerson Murphy-Hill
Students: Jim Shepherd and Shundan Xiao
Context
The National Security Agency is sponsoring a large-scale “Science of Security” project to make fundamental advances in security. Three sites:
• Carnegie Mellon
• University of Illinois, Urbana-Champaign
• North Carolina State
Background: Secure Software Tools
• To secure our complex systems, we must secure their software
• Software developers are the lynchpin of software security
• Developers can use practices and tools to build secure software
• Tools include static analysis tools, model checkers, and automated penetration testing tools
• But developers generally use very few of the tools available to them. Why?
Background: Adoption Theory
• Why new ideas are adopted (or not) has been extensively studied in diffusion of innovations, an interdisciplinary field of study. Used in:
• Agricultural innovations
• Social programs
• New technologies
• A little in software development
• Identifies the factors that lead to adoption and effective, sustained use
Everett Rogers. Diffusion of Innovations. 2003.
Approach
Identify the factors that lead to security tool adoption (and non-adoption)
Step 1: Qualitatively identify factors
Factors will help us make better tools, make smarter adoption decisions, and educate students
Method
43 interviews with software developers
Interviews semi-structured, with some role-specific questions asked
$50 gift card for participating
High Level Findings
[Diagram: factors influencing the probability of adoption; grouping reconstructed from the slide's column layout]
Characteristics of the innovation (security tools): relative advantage, compatibility, complexity, trialability, re-invention
Characteristics of potential adopters (developers): experience, inquisitiveness
Social system factors: company size, company training, company structure, company domain & security concern, company culture, company policy & standards
Communication channels: frequency of interaction, trust
Outcome: probability of adoption
Some Highlights
• Use of security tools may be low because it’s a preventative innovation: big distance between tools and their effects
• Far and away, developers are learning about security tools from their peers
• Developers may consider the holistic cost of a tool: not just the up-front cost, but the opportunity cost of sorting through false positives
More Highlights
• Company approval process effectively reduces trialability
• Tool integration into the build system short-circuited many challenges of adoption
• Many developers felt they could rely on others to ensure security
Next Steps
Year 2: Quantify
• Distribute survey to people who have used tools
• Distribute survey to wider developers, with vignettes
Year 3: Predict and Refine
• A-B testing case studies
Year 4: Operationalize and Influence
• Work with Industrial Extension Service to put theory to practice
Questions?