An Adoption Theory of Secure Software Development Tools PI: Emerson Murphy-Hill Students: Jim Shepherd and Shundan Xiao

Page 1: An Adoption Theory of Secure Software Development Tools

PI: Emerson Murphy-Hill
Students: Jim Shepherd and Shundan Xiao

Page 2: Context

The National Security Agency is sponsoring a large-scale “Science of Security” project to make fundamental advances in security.

Three sites:
• Carnegie Mellon
• University of Illinois, Urbana-Champaign
• North Carolina State

Page 3: Background: Secure Software Tools

• To secure our complex systems, we must secure their software

• Software developers are the lynchpin of software security

• Developers can use practices and tools to build secure software

• Tools include static analysis tools, model checkers, and automated penetration testing tools

• But developers generally use very few of the tools available to them. Why?

Page 4: Background: Adoption Theory

• Why new ideas are adopted (or not) has been extensively studied in diffusion of innovations, an interdisciplinary field. Used in:
– Agricultural innovations
– Social programs
– New technologies
– A little in software development

• Identifies the factors that lead to adoption and effective sustained use

Everett Rogers. Diffusion of Innovations. 2003.

Page 5: Approach

Identify the factors that lead to security tool adoption (and non-adoption)

Step 1: Qualitatively identify factors

Factors will help us make better tools, make smarter adoption decisions, and educate students

Page 6: Method

43 interviews with software developers

Interviews were semi-structured, with some role-specific questions

$50 gift card for participating

Page 7: High Level Findings

Characteristics of the innovation (security tools):
• Relative advantage
• Compatibility
• Complexity
• Trialability
• Re-invention

Characteristics of potential adopters (developers):
• Experience
• Inquisitiveness

Social system factors:
• Company policy & standards
• Company culture
• Company domain & security concern
• Company structure
• Company training
• Company size

Communication channels:
• Frequency of interaction
• Trust

All of the above feed into: Probability of adoption

Page 8: Some Highlights

• Use of security tools may be low because security tooling is a preventative innovation: there is a big distance between using the tool and seeing its effects

• Far and away, developers are learning about security tools from their peers

• Developers may consider the holistic cost of a tool: not just the up-front cost, but also the opportunity cost of sorting through false positives

Page 9: More Highlights

• A company approval process effectively reduces trialability

• Integrating a tool into the build system short-circuited many challenges of adoption

• Many developers felt they could rely on others to ensure security

Page 10: Next Steps

Year 2: Quantify
– Distribute survey to people who have used tools
– Distribute survey to wider developers, with vignettes

Year 3: Predict and Refine
– A-B testing case studies

Year 4: Operationalize and Influence
– Work with Industrial Extension Service to put theory to practice

Page 11: Questions?
