Science of Security Lablet
Understanding & Accounting Human Behavior
Understanding Secure Development Tool Adoption
Jim Witschey, Graduate Research Assistant
Us
• Jim Witschey (me)
• Shundan Xiao
• Dr. Emerson Murphy-Hill (PI)
Secure Development
Software security can’t be painted on.
Image: www.flickr.com/photos/crondeau/6251922757
Secure Development
Software security should be baked in.
Image: www.flickr.com/photos/crondeau/6251923537
Secure Development Tools
Help developers find and fix vulnerabilities.
Image: http://blogs.smithsonianmag.com/design/files/2012/07/sherlock-holmes-glass_550.jpg
Secure Development Tools
e.g. FindBugs
Image: users.ece.utexas.edu/~miryung/teaching/EE461L-Spring2012/labs/findbugs.html
Secure Development Tool Adoption
• Why do developers use secure development tools?
• Why don’t they?
Diffusion of Innovations
Sociological framework for understanding adoption patterns of new technologies.
Image: http://commons.wikimedia.org/wiki/File:Chaconne_Dance_1735.jpg
What We’ve Done
• Interviewed 43 industry developers
• Analyzed responses
• Developed Security Tool Adoption Model
Security Tool Adoption Model (diagram)
• Innovation
  – Relative Advantage
  – Compatibility
  – Complexity
  – Trialability
  – Observability
• Potential Adopter
  – Experience
  – Inquisitiveness
  – Security Concern
  – Training
  – Exposure
• Social System
  – Standards
  – Structure
  – Culture
• Communication Channel
  – Trust
These four groups of factors together feed into the Probability of Adoption.
Tools
• Trialability – How easy is it to try out a tool?
Social System
• Company Structure – How do people interact within the company?
Communication Channel
• Trust – How much do developers trust a communication channel?
Potential Adopters
• Experience – How long has the developer been working?
What’s Next?
• More interviews with OSS developers – generalize our model
• Surveys of hundreds of developers – quantify our model
• Case studies – help companies understand and foster security tool adoption in their organizations
How Can We Work Together?
• Connect us to your developers for surveys
• Help us conduct case studies
  – gain concrete knowledge about how your policies affect adoption in your organization