Factors Influencing Adoption of Security Tools in Software Development
Understanding why developers adopt so few of the security tools available to them is a prerequisite for improving tool utilization. Through qualitative research and 43 interviews with software developers, the authors identify factors such as relative advantage, complexity, company culture, and communication channels as key influences on adoption. Developers weigh the holistic cost of a tool, not just its up-front cost but the opportunity cost of sorting through false positives; company approval processes reduce trialability, while integrating a tool into the build system removes many adoption hurdles. Increased awareness, education, and tailored strategies can enhance the adoption of security tools in software development.
Presentation Transcript
Social Influences on Secure Development Tool Adoption: Why Security Tools Spread Emerson Murphy-Hill Jim Witschey Shundan Xiao
Background: Secure Software Tools
To secure our complex systems, we must secure their software.
Software developers are the lynchpin of software security.
Developers can use practices and tools to build secure software. Tools include static analysis tools, model checkers, and automated penetration testing tools.
But developers generally use very few of the tools available to them. Why?
Background: Adoption Theory
Why new ideas are adopted (or not) has been extensively studied in diffusion of innovations, an interdisciplinary field. It has been applied to agricultural innovations, social programs, new technologies, and, a little, to software development.
It identifies the factors that lead to adoption and to effective, sustained use.
Everett Rogers. Diffusion of Innovations. 2003.
Step 1: Approach
Identify the factors that lead to security tool adoption (and non-adoption), using qualitative methods.
These factors will help us make better tools, make smarter adoption decisions, and educate students.
Method
43 interviews with software developers. Interviews were semi-structured, with some role-specific questions. Participants received a $50 gift card.
High Level Findings
Characteristics of the innovation (security tools): relative advantage, compatibility, complexity, trialability, re-invention.
Characteristics of potential adopters (developers): experience, inquisitiveness.
Social system factors: company size, company training, frequency of interaction, communication channels, company structure, company domain & security concern, trust, company culture, company policy & standards.
Outcome: probability of adoption.
Some Highlights
Use of security tools may be low because it's a preventative innovation: there is a big distance between using the tool and seeing its effects.
Far and away, developers are learning about security tools from their peers.
Developers may consider the holistic cost of a tool: not just the up-front cost, but the opportunity cost of sorting through false positives.
More Highlights
A company approval process effectively reduces trialability.
Tool integration into the build system short-circuited many challenges of adoption.
Many developers felt they could rely on others to ensure security.
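The two findings above that translate most directly into engineering practice are the opportunity cost of false positives and the value of build-system integration. As an added example (not from the presentation or its authors), the following Python CI gate fails a build only on findings that are new relative to a reviewed baseline, so pre-existing noise does not block developers while new high-severity issues do, and lower-severity new findings are reported without blocking, which keeps the tool easy to trial. The JSON finding shape, the severity names and the sample findings are all constructed for this illustration and are not any real tool's output format.

```python
"""Baseline-gated static analysis for CI (added example, not from the talk).

Findings are keyed on tool, rule, file and normalized source snippet rather
than line number, so a finding that merely moved is not re-reported as new.
"""
import hashlib
import json

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample findings in an assumed simplified JSON shape.
# The baseline is what the team has already reviewed and accepted (or triaged
# as false positives); it is checked into the repo and updated deliberately.
BASELINE_JSON = """[
  {"tool": "sast", "rule": "sql-injection", "file": "app/db.py", "line": 40,
   "severity": "high", "snippet": "cur.execute('SELECT * FROM t WHERE id=' + uid)"},
  {"tool": "sast", "rule": "weak-hash", "file": "app/auth.py", "line": 12,
   "severity": "medium", "snippet": "hashlib.md5(pw.encode())"}
]"""

# Current scan: the first finding moved from line 40 to 52 (unrelated edits),
# the second is unchanged, and two findings are genuinely new.
CURRENT_JSON = """[
  {"tool": "sast", "rule": "sql-injection", "file": "app/db.py", "line": 52,
   "severity": "high", "snippet": "cur.execute('SELECT * FROM t WHERE id=' + uid)"},
  {"tool": "sast", "rule": "weak-hash", "file": "app/auth.py", "line": 12,
   "severity": "medium", "snippet": "hashlib.md5(pw.encode())"},
  {"tool": "sast", "rule": "command-injection", "file": "app/tasks.py", "line": 77,
   "severity": "high", "snippet": "subprocess.call(cmd, shell=True)"},
  {"tool": "sast", "rule": "debug-enabled", "file": "app/main.py", "line": 3,
   "severity": "low", "snippet": "app.run(debug=True)"}
]"""


def fingerprint(finding):
    """Stable identity for a finding that survives line-number drift."""
    snippet = " ".join(finding.get("snippet", "").split())  # collapse whitespace
    key = "|".join((finding["tool"], finding["rule"], finding["file"], snippet))
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def new_findings(current, baseline):
    """Findings in the current scan whose fingerprint is not in the baseline."""
    known = {fingerprint(f) for f in baseline}
    return [f for f in current if fingerprint(f) not in known]


def gate(current, baseline, block_at="high"):
    """Decide whether the build should fail.

    Returns (fail, blocking, advisory): blocking findings are new and at or
    above block_at severity; advisory findings are new but below it, so they
    are surfaced without stopping the pipeline.
    """
    fresh = new_findings(current, baseline)
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in fresh if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    advisory = [f for f in fresh if f not in blocking]
    return (len(blocking) > 0, blocking, advisory)


def main():
    baseline = json.loads(BASELINE_JSON)
    current = json.loads(CURRENT_JSON)
    fail, blocking, advisory = gate(current, baseline)
    for f in blocking:
        print(f"BLOCK {f['severity']:<8} {f['rule']} at {f['file']}:{f['line']}")
    for f in advisory:
        print(f"warn  {f['severity']:<8} {f['rule']} at {f['file']}:{f['line']}")
    print(f"{len(current) - len(blocking) - len(advisory)} baselined finding(s) suppressed")
    return 1 if fail else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

In a pipeline the script's exit status is the gate; the baseline file is regenerated only through a reviewed change, so "accepting" a finding is itself a visible, peer-reviewed act, which matches the observation that developers learn what tools are for by seeing peers use them.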
Community Acceptance Interlude
We've taken a different (and uncomfortable) tack on research in pursuit of a science of security, and we've had challenges getting work accepted:
"This paper lacks any technical contributions."
"As a study, it is not informative."
"It insanely fails to cite the fantastic and well-known CACM article from Coverity."
But we've finally prevailed, with (potentially) a best paper!
Step 2: Method
Created a survey designed to quantify the interview findings.
3 companies so far. Contacted 190 developers and got 77 complete responses and 62 incomplete responses.
Company pitch: enabling self-assessment and comparison. Individual pitch: gift card drawing.
Highlights
[Chart: "I have seen what others do using security tools." Agree vs. Disagree counts for Non-Users, Occasional Users and Regular Users.] None of the non-users agreed that it was "easy" for them "to observe others using security tools".
[Chart: "I would trust tool information from..." Agree vs. Disagree counts.]
No apparent correlation between tool use and responses to "Security experts thoroughly review the software I develop to ensure it is secure" or "My peers thoroughly review the software I develop to ensure it is secure".
More Highlights
At one company, 4 of the 38 respondents who were asked agreed that their employer "holds frequent trainings" on security tools; the other 34 must not hear about them.
Of 43 non-users, only 3 agreed or disagreed that there were good security tools compatible with their workflows; 15 neither agreed nor disagreed, and 15 didn't know.
Only 2 respondents agreed that their superiors rewarded them for writing secure software.
Next Steps
Surveys thus far are biased towards people who have not used tools; next we'll survey those who have.
Quantify our predictive model: which factors are the most important, and which are mediating?
Put the model into action: can we manipulate factors to influence adoption?
Conclusion
Our research seeks to enable:
Educators to identify what will help their students make better use of tools.
Practitioners to implement policies and environments that encourage tool usage.
Researchers to build tools that align with the way developers work.
emerson@csc.ncsu.edu