SaTC: CORE: Medium: Collaborative: Understanding Security in the Software Development Lifecycle: A Holistic, Mixed-Methods Approach

Project Details

Performance Period

Sep 01, 2018 - Aug 31, 2021

Institution(s)

University of Maryland College Park

Award Number


As software now pervades nearly every aspect of modern life, securing software is widely acknowledged as a critical problem. Although significant effort has gone into identifying flaws in software, as well as developing tools, libraries, and processes for detecting and mitigating these flaws during software development and maintenance, security problems remain pervasive. There has been comparatively little effort to empirically assess the effectiveness of existing tools and processes in realistic settings, and almost no effort to understand the root causes of professional developers making security errors. This lack of knowledge hinders the advancement of secure programming techniques that can effectively reduce the number of security bugs in deployed software. This research focuses on measuring and evaluating the effectiveness of particular approaches to securing software as carried out by typical developers. By combining anthropological observation of industrial development practice with experimental evaluation of tools and processes, this project will identify new or underappreciated approaches to improving software security in practice.

The research includes four interdependent approaches: anthropological observation via long-term embedding in partner industrial software development teams; conducting and analyzing results from secure-programming contests that serve as quasi-experiments; controlled lab experiments; and analysis of open-source software artifacts. The anthropological approach produces deep insights through zero-proximity observation and reflection by fieldworkers, and competitions illuminate how differences in approach (language, tools, etc.) to a substantive problem correlate (quantitatively and qualitatively) with success or failure. Both of these approaches will generate hypotheses, which can then be tested via controlled lab experiments, as well as additional field, contest, and artifact observations. This combination of approaches leverages the strength of each in order to maximize both ecological and internal validity, offering the best chance to understand the real causes of (in)secure software development and to offer effective guidance.