SaTC: CORE: Medium: Collaborative: Understanding Security in the Software Development Lifecycle: A Holistic, Mixed-Methods Approach

SaTC：核心：媒介：协作：了解软件开发生命周期中的安全性：整体的混合方法方法

• 批准号: 1801545
• 负责人: Michelle Mazurek
• 金额: $ 69.9万
• 依托单位: University of Maryland, College Park
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1801545&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Collaborative; Understanding

As software now pervades nearly every aspect of modern life, securing software is widely acknowledged as a critical problem. Although significant effort has gone into identifying flaws in software, as well as developing tools, libraries, and processes for detecting and mitigating these flaws during software development and maintenance, security problems remain pervasive. There has been comparatively little effort to empirically assess the effectiveness of existing tools and processes in realistic settings, and almost no effort to understand the root causes of professional developers making security errors. This lack of knowledge hinders the advancement of secure programming techniques that can effectively reduce the number of security bugs in deployed software. This research focuses on measuring and evaluating the effectiveness of particular approaches to securing software as carried out by typical developers. By combining anthropological observation of industrial development practice with experimental evaluation of tools and processes, this project will identify new or underappreciated approaches to improving software security in practice.The research includes four interdependent approaches: anthropological observation via long-term embedding in partner industrial software development teams; conducting and analyzing results from secure-programming contests that serve as quasi-experiments; controlled lab experiments; and analysis of open-source software artifacts. The anthropological approach produces deep insights through zero-proximity observation and reflection by fieldworkers, and competitions illuminate how differences in approach (language, tools, etc.) to a substantive problem correlate (quantitatively and qualitatively) with success or failure. Both of these approaches will generate hypotheses, which can then be tested via controlled lab experiments, as well as additional field, contest, and artifact observations. This combination of approaches leverages the strength of each in order to maximize both ecological and internal validity, offering the best chance to understand the real causes of (in)secure software development and offer effective guidance.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

随着现在的软件几乎遍及现代生活的各个方面，确保软件被广泛认为是一个关键问题。尽管在识别软件中的缺陷以及开发工具，库和流程以检测和减轻软件开发和维护过程中这些缺陷的过程中，但安全问题仍然普遍存在。在现实设置中，几乎没有努力理解专业开发人员犯有安全错误的根本原因，几乎没有努力在经验上评估现有工具和流程的有效性相对较少的努力。缺乏知识阻碍了安全编程技术的进步，这些技术可以有效地减少部署软件中的安全错误数量。这项研究重点是衡量和评估典型开发人员执行的保护软件的特定方法的有效性。通过将工业发展实践的人类学观察与工具和流程的实验评估相结合，该项目将确定在实践中改善软件安全性的新方法或不足的方法。该研究包括四种相互依存的方法：通过长期嵌入伙伴工业软件开发团队中的人类学观察；人类学观察；通过作为准表现的安全编程竞赛进行和分析结果；受控实验实验；和开源软件工件的分析。人类学方法通过零XIMITITITION的观察和反思来产生深刻的见解，竞争阐明了方法（语言，工具等）的差异如何与成功或失败相关联（定量和定性）。这两种方法都将产生假设，然后可以通过对照实验室实验以及其他领域，竞赛和人工制品观测来对其进行测试。这种方法的结合利用了每种方法的强度，以最大化生态和内部有效性，从而提供了理解（在）安全软件开发并提供有效指导的真正原因的最佳机会。该奖项反映了NSF的法定任务，并认为通过使用该基金会的知识分子和更广泛的影响来评估CRITERIA的评估。

项目成果

Building and Validating a Scale for Secure Software Development Self-Efficacy

• DOI: 10.1145/3313831.3376754
• 发表时间: 2020-04
• 期刊: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems
• 作者: Daniel Votipka;Desiree Abrokwa;Michelle L. Mazurek

Vulnerability Discovery for All: Experiences of Marginalization in Vulnerability Discovery

• DOI: 10.1109/sp46215.2023.10179478
• 发表时间: 2023-05
• 期刊: 2023 IEEE Symposium on Security and Privacy (SP)
• 作者: Kelsey R. Fulton;Samantha Katcher;Kevin Song;M. Chetty;Michelle L. Mazurek;Chloé Messdaghi;Daniel Votipka

Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It

• 发表时间: 2020
• 作者: Daniel Votipka;Kelsey R. Fulton;James Parker;Matthew Hou;Michelle L. Mazurek;M. Hicks

FIXREVERTER: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing

• 发表时间: 2022
• 作者: Zenong Zhang;Zach Patterson;M. Hicks;Shiyi Wei

Benefits and Drawbacks of Adopting a Secure Programming Language: Rust as a Case Study

• 发表时间: 2021
• 作者: Kelsey R. Fulton;Anna Chan;Daniel Votipka;M. Hicks;Michelle L. Mazurek