PhD Proposal: Secure Software Development: A Human Centered Approach

Kelsey Fulton
12.17.2021 10:00 to 12:00

IRB 5105

Secure software development remains a difficult and expensive task. There are many possible solutions to this problem: security education, secure development tools and programming languages, or improving the secure development lifecycle. However, each of these solutions requires resources like time and money. It is important to select these solutions such that the benefits are maximized while the costs are minimized. This calculus suggests it is important to better understand developers' mental models and processes during secure software development.

In this thesis, we will investigate how and why developers introduce vulnerabilities, how secure development tools can aid in this process, and methods for conducting human-centered secure software development studies. Based on our findings, we will identify guidelines for secure tool development and alternative methodologies for conducting security-focused software developer studies. To date, we have conducted a semi-controlled experiment to determine how and why software developers introduce vulnerabilities. From our results, we make recommendations to help improve developers' mental models and processes of security during software development, such as the use of secure development tools, better security education, and an improved software development lifecycle.

To explore the use of secure development tools, we conducted an interview study and a broader survey to understand the barriers to secure programming language adoption. Through this, we were able to distill recommendations for the development and adoption of secure development tools. Additionally, we propose a study evaluating the use of AI code generators such as GitHub's Copilot. From this study, we aim to understand how developers decide which AI-generated code snippets to use and trust, especially when it comes to security features.

Finally, we propose that secure software development studies would be made simpler with the generation of standardized methodologies. To explore this, we propose a study to evaluate three different methodologies for exploring the security of code: writing code, reading code, and fixing code, to determine if they yield the same results. Through this study, we will produce guidelines for conducting developer-based studies that allow for valid results while reducing the stress of the participants.

Examining Committee:

Chair: Dr. Michelle Mazurek
Department Representative: Dr. John Dickerson
Members: Dr. Michael Hicks