PhD Defense: Understanding and Improving Secure Development from a Human-Centered Perspective

Talk
Kelsey Fulton
Time: 
06.06.2023 11:00 to 13:00

Secure software development remains a difficult task, as is exemplified by the fact that vulnerabilities are discovered in production code on a regular basis. Researchers in the computer security field have worked for many years to mitigate this problem through building better security tooling, creating secure programming languages, improving secure development processes, and improving educational interventions. The success of these interventions depends on both the technical attributes of the intervention and the human and organizational factors that impact adoption, usability, and efficacy, suggesting the importance of understanding both the technical and human and organizational factors that influence the success of these interventions. While there has been much past work exploring the technical factors, there has been little work exploring the human and organizational factors.To attempt to close this gap, I first start by understanding why and how developers introduce, find, and fix vulnerabilities as they build secure code. By performing in-depth qualitative analysis on data collected throughout an iteration of a secure programming competition, I empirically uncovered an overwhelming need for investment in tooling or processes that can uncover and correct conceptual misunderstandings of security concepts.Next, I explore the adoption of current security development interventions by understanding the benefits and drawbacks of adoption a secure programming language by using Rust as a case study. Through the use of interviews with professional developers that had adopted or attempted to adopt Rust and a survey with the broader Rust community, I highlighted a range of positive features and drawbacks. These results have implications for promoting the adoption of Rust specifically and secure programming languages and tools more generally.Lastly, given the importance of understanding the human and organizational factors of secure software development, I explore alternate approaches to conducting these studies to improve validity and reduce stress on participants. Our results suggest possible alternatives for code writing studies and avenues for future exploration.

Examining Committee

Chair:

Dr. Michelle Mazurek

Dean's Representative:

Dr. Wayne Lutters

Members:

Dr. John Dickerson

Dr. Mike Hicks

Dr. Brad Reaves (NC State)