Upload
samuel-hoover
View
212
Download
0
Embed Size (px)
Citation preview
An Adoption Theory of Secure Software Development Tools
PI: Emerson Murphy-HillStudents: Jim Shepherd and Shundan Xiao
Context
The National Security Agency is sponsoring a large-scale “Science of Security” project to make fundamental advances in security.
Three sites:• Carnegie Mellon• University of Illinois, Urbana-Champaign• North Carolina State
Background: Secure Software Tools
• To secure our complex systems, we must secure their software
• Software developers are the lynchpin of software security
• Developers can use practices and tools to build secure software
• Tools include static analysis tools, model checkers, and automated penetration testing tools
• But developers generally use very few of the tools available to them. Why?
Background: Adoption Theory
• Why new ideas are adopted (or not) has been extensively studied in diffusion of innovations, an interdisciplinary study. Used in:– Agricultural innovations– Social programs– New technologies– A little in software development
• Identifies the factors that lead to adoption and effective sustained use
Everett Rogers. Diffusion of Innovations. 2003.
Approach
Identify the factors that lead to security tool adoption (and non-adoption)
Step 1: Qualitatively identify factors
Factors will help us make better tools, make smarter adoption decisions, and educate students
Method
43 Interviews with Software Developers
Interviews semi-structured, some role-specific questions asked
$50 gift card for participating
High Level Findings
Relative advantage
Compatibility
Complexity
Trialability
Re-invention
Characteristics of the innovation (security
tools)
Experience
Inquisitiveness
Company policy & standards
Company culture
Company domain & security concern
Company structure
Company training
Social system factors
Frequency of interaction
Trust
Characteristics of potential adopters
(developers)
Communication channels
Company size
Probability of adoption
Some Highlights
• Use of security tools may be low because it’s a preventative innovation: big distance between tools and their effects
• Far and away, developers are learning about security tools from their peers
• Developers may consider holistic cost of a tool, not just up front cost, but opportunity cost when sorting through false positives
More Highlights
• Company approval process effectively reduces trialability
• Tool integration into build system short-circuited many challenges of adoption
• Many developers felt they could rely on others to ensure security
Next Steps
Year 2: Quantify– Distribute survey to people who have used tools– Distribute survey to wider developers, with
vignettes
Year 3: Predict and Refine– A-B testing case studies
Year 4: Operationalize and Influence– Work with Industrial Extension Service to put
theory to practice
Questions?
Relative advantage
Compatibility
Complexity
Trialability
Re-invention
Characteristics of the innovation (security
tools)
Experience
Inquisitiveness
Company policy & standards
Company culture
Company domain & security concern
Company structure
Company training
Social system factors
Frequency of interaction
Trust
Characteristics of potential adopters
(developers)
Communication channels
Company size
Probability of adoption