SaTC: CORE: Medium: Collaborative: Understanding Security in the Software Development Lifecycle: A Holistic, Mixed-Methods Approach

SaTC：核心：媒介：协作：了解软件开发生命周期中的安全性：整体的混合方法方法

• 批准号: 1801545
• 负责人: Michelle Mazurek
• 金额: $ 69.9万
• 依托单位: University of Maryland, College Park
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1801545&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Collaborative; Understanding

As software now pervades nearly every aspect of modern life, securing software is widely acknowledged as a critical problem. Although significant effort has gone into identifying flaws in software, as well as developing tools, libraries, and processes for detecting and mitigating these flaws during software development and maintenance, security problems remain pervasive. There has been comparatively little effort to empirically assess the effectiveness of existing tools and processes in realistic settings, and almost no effort to understand the root causes of professional developers making security errors. This lack of knowledge hinders the advancement of secure programming techniques that can effectively reduce the number of security bugs in deployed software. This research focuses on measuring and evaluating the effectiveness of particular approaches to securing software as carried out by typical developers. By combining anthropological observation of industrial development practice with experimental evaluation of tools and processes, this project will identify new or underappreciated approaches to improving software security in practice.The research includes four interdependent approaches: anthropological observation via long-term embedding in partner industrial software development teams; conducting and analyzing results from secure-programming contests that serve as quasi-experiments; controlled lab experiments; and analysis of open-source software artifacts. The anthropological approach produces deep insights through zero-proximity observation and reflection by fieldworkers, and competitions illuminate how differences in approach (language, tools, etc.) to a substantive problem correlate (quantitatively and qualitatively) with success or failure. Both of these approaches will generate hypotheses, which can then be tested via controlled lab experiments, as well as additional field, contest, and artifact observations. This combination of approaches leverages the strength of each in order to maximize both ecological and internal validity, offering the best chance to understand the real causes of (in)secure software development and offer effective guidance.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

随着软件几乎渗透到现代生活的方方面面，确保软件安全被广泛认为是一个关键问题。尽管在识别软件中的缺陷，以及在软件开发和维护期间开发用于检测和减轻这些缺陷的工具、库和过程方面已经进行了大量的工作，但是安全性问题仍然普遍存在。相对而言，在实际设置中对现有工具和过程的有效性进行经验评估的努力很少，并且几乎没有努力去理解专业开发人员制造安全错误的根本原因。这种知识的缺乏阻碍了安全编程技术的进步，而安全编程技术可以有效地减少已部署软件中的安全错误的数量。本研究的重点是衡量和评估由典型开发人员执行的保护软件的特定方法的有效性。通过将工业发展实践的人类学观察与工具和过程的实验评估相结合，该项目将确定在实践中改进软件安全性的新的或未被重视的方法。该研究包括四种相互依赖的方法：通过长期嵌入合作伙伴工业软件开发团队的人类学观察；管理和分析安全编程竞赛的结果，这些竞赛可以作为准实验；受控实验室实验；以及开源软件工件的分析。人类学方法通过实地工作者的零接近观察和反思产生了深刻的见解，而竞争则阐明了解决实质性问题的方法（语言、工具等）的差异如何与成功或失败（定量和定性）相关联。这两种方法都会产生假设，然后可以通过受控的实验室实验，以及额外的领域、竞赛和人工制品观察来测试。这种方法的组合利用了每种方法的力量，以最大化生态和内部有效性，提供了最好的机会来理解安全软件开发的真正原因，并提供有效的指导。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Building and Validating a Scale for Secure Software Development Self-Efficacy

• DOI: 10.1145/3313831.3376754
• 发表时间: 2020-04
• 期刊: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems
• 作者: Daniel Votipka;Desiree Abrokwa;Michelle L. Mazurek

Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It

• 发表时间: 2020
• 作者: Daniel Votipka;Kelsey R. Fulton;James Parker;Matthew Hou;Michelle L. Mazurek;M. Hicks

Vulnerability Discovery for All: Experiences of Marginalization in Vulnerability Discovery

• DOI: 10.1109/sp46215.2023.10179478
• 发表时间: 2023-05
• 期刊: 2023 IEEE Symposium on Security and Privacy (SP)
• 作者: Kelsey R. Fulton;Samantha Katcher;Kevin Song;M. Chetty;Michelle L. Mazurek;Chloé Messdaghi;Daniel Votipka

FIXREVERTER: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing

• 发表时间: 2022
• 作者: Zenong Zhang;Zach Patterson;M. Hicks;Shiyi Wei

Benefits and Drawbacks of Adopting a Secure Programming Language: Rust as a Case Study

• 发表时间: 2021
• 作者: Kelsey R. Fulton;Anna Chan;Daniel Votipka;M. Hicks;Michelle L. Mazurek