PhD Defense: Understanding and Improving Secure Development from a Human-Centered Perspective
Kelsey Fulton
Tuesday, June 6, 2023, 11:00 am-1:00 pm
Abstract
Secure software development remains a difficult task, as is exemplified by the fact that vulnerabilities are discovered in production code on a regular basis. Researchers in the computer security field have worked for many years to mitigate this problem through building better security tooling, creating secure programming languages, improving secure development processes, and improving educational interventions. The success of these interventions depends on both the technical attributes of the intervention and the human and organizational factors that impact adoption, usability, and efficacy, suggesting the importance of understanding both the technical and human and organizational factors that influence the success of these interventions. While there has been much past work exploring the technical factors, there has been little work exploring the human and organizational factors.

To attempt to close this gap, I first start by understanding why and how developers introduce, find, and fix vulnerabilities as they build secure code. By performing in-depth qualitative analysis on data collected throughout an iteration of a secure programming competition, I empirically uncovered an overwhelming need for investment in tooling or processes that can uncover and correct conceptual misunderstandings of security concepts.

Next, I explore the adoption of current security development interventions by understanding the benefits and drawbacks of adopting a secure programming language by using Rust as a case study. Through the use of interviews with professional developers that had adopted or attempted to adopt Rust and a survey with the broader Rust community, I highlighted a range of positive features and drawbacks. These results have implications for promoting the adoption of Rust specifically and secure programming languages and tools more generally.

Lastly, given the importance of understanding the human and organizational factors of secure software development, I explore alternate approaches to conducting these studies to improve validity and reduce stress on participants. Our results suggest possible alternatives for code writing studies and avenues for future exploration.
 
Examining Committee

Chair: Dr. Michelle Mazurek

Dean's Representative: Dr. Wayne Lutters

Members: Dr. John Dickerson, Dr. Mike Hicks, Dr. Brad Reaves (NC State)

Bio

Kelsey Fulton is a sixth-year PhD student in the SP2 lab advised by Dr. Michelle Mazurek. Their research focuses on a human-centric approach to secure software development with an emphasis on mental models and processes of software developers and secure development tools. They received their master's degree in computer science from the University of Maryland in 2019 and their bachelor's degree in computer science and mathematics from Millersville University in 2017.

This talk is organized by Tom Hurst