An Adoption Theory of Secure Software Development Tools PI: Emerson Murphy-Hill Students: Jim Shepherd and Shundan Xiao

Context The National Security Agency is sponsoring a large-scale “Science of Security” project to make fundamental advances in security. Three sites: Carnegie Mellon University of Illinois, Urbana-Champaign North Carolina State

Background: Secure Software Tools To secure our complex systems, we must secure their software Software developers are the lynchpin of software security Developers can use practices and tools to build secure software Tools include static analysis tools, model checkers, and automated penetration testing tools But developers generally use very few of the tools available to them. Why?

Background: Adoption Theory Why new ideas are adopted (or not) has been extensively studied in diffusion of innovations, an interdisciplinary study. Used in: – Agricultural innovations – Social programs – New technologies – A little in software development Identifies the factors that lead to adoption and effective sustained use Everett Rogers. Diffusion of Innovations

Approach Identify the factors that lead to security tool adoption (and non-adoption) Step 1: Qualitatively identify factors Factors will help us make better tools, make smarter adoption decisions, and educate students

Method 43 Interviews with Software Developers Interviews semi-structured, some role-specific questions asked $50 gift card for participating

High Level Findings Relative advantage Compatibility Complexity Trialability Re-invention Characteristics of the innovation (security tools) Experience Inquisitiveness Company policy & standards Company culture Company domain & security concern Company structure Company training Social system factors Frequency of interaction Trust Characteristics of potential adopters (developers) Communication channels Company size Probability of adoption

Some Highlights Use of security tools may be low because it’s a preventative innovation: big distance between tools and their effects Far and away, developers are learning about security tools from their peers Developers may consider holistic cost of a tool, not just up front cost, but opportunity cost when sorting through false positives

More Highlights Company approval process effectively reduces trialability Tool integration into build system short- circuited many challenges of adoption Many developers felt they could rely on others to ensure security

Next Steps Year 2: Quantify – Distribute survey to people who have used tools – Distribute survey to wider developers, with vignettes Year 3: Predict and Refine – A-B testing case studies Year 4: Operationalize and Influence – Work with Industrial Extension Service to put theory to practice

Questions? Relative advantage Compatibility Complexity Trialability Re-invention Characteristics of the innovation (security tools) Experience Inquisitiveness Company policy & standards Company culture Company domain & security concern Company structure Company training Social system factors Frequency of interaction Trust Characteristics of potential adopters (developers) Communication channels Company size Probability of adoption