CAREER: Improving the Reliability of Human-Centered Secure-Development Research

职业：提高以人为本的安全开发研究的可靠性

• 批准号: 1943215
• 负责人: Michelle Mazurek
• 金额: $ 55万
• 依托单位: University of Maryland, College Park
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2025-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1943215&HistoricalAwards=false
• 关键词: CAREER; Improving; Reliability; Human; Centered

Improving software security is a critical need for the U.S. and the world. Despite significant technical advances in software security, insecure software remains a common problem, sometimes with disastrous results. Solving this problem will require understanding how human decision-making interacts with technology in the process of secure software development. However, studying these human factors is typically expensive, time-consuming and difficult, for several reasons: professional developers are a small and hard-to-reach study population, professional software development is a complex task that can be hard to mimic in a study environment, and security is, despite its criticality, often a secondary goal that can be difficult to study directly. Researchers attempting to conduct such studies must make many choices about experimental design while balancing complexity, time and cost constraints, and validity or usefulness of expected results. Unfortunately, there is little evidence-based guidance as to how best to make these choices. By conducting a variety of experiments directly comparing the effects of different experimental design choices on studies of human-centered secure development, this project will help future researchers design better experiments and deploy their resources as effectively as possible.This project will improve the validity and reliability of developer-centered security research by empirically establishing best practices and tradeoffs, building on best practices from the usable security and empirical software engineering communities. Researchers will undertake a series of methodological studies and experiments in three key areas: (a) how to design appropriate programming tasks; (b) how to choose a study environment that effectively balances experimental control with ecological validity; and (c) how to measure relevant outcomes such as developer self-efficacy and API usability. Investigators will test these critical questions of study design across multiple underlying research questions, such as comparisons of APIs, documentation resources, and security tools. The results will provide deep insights into how tradeoffs among design decisions play out in different kinds of studies, allowing researchers to make informed choices that fit best in their context. The results will be synthesized into comprehensive guidelines to help researchers conduct better studies, acquire stronger evidence, and therefore improve the process of secure development.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

改善软件安全是美国和世界的迫切需求。尽管软件安全方面的技术进步很大，但不安全的软件仍然是一个普遍的问题，有时会带来灾难性的结果。解决此问题将需要了解人类决策在安全软件开发过程中如何与技术相互作用。但是，研究这些人为因素通常是昂贵，耗时且困难的，原因有几个：专业开发人员是一个小而难以到达的研究人群，专业软件开发是一项复杂的任务，在研究环境中可能很难模仿，尽管其至关重要，但安全性通常是次要的目标，很难直接研究。试图进行此类研究的研究人员必须在平衡复杂性，时间和成本限制以及预期结果的有效性或实用性的同时做出许多选择。不幸的是，关于如何最好地做出这些选择，几乎没有循证指导。通过进行各种实验直接比较不同的实验设计选择对以人为本的安全开发研究的影响，该项目将帮助未来的研究人员设计更好的实验，并尽可能有效地部署其资源。该项目将通过基于最佳实践和最佳的安全性工程和Empirictic和Empirical和Empirical和Empirical和Empirical和Empirical和Empirical和Empirical和Empirical和Empirical和Empirical和Empirical Commuction来提高开发人员居住的安全性安全研究的有效性和可靠性。研究人员将在三个关键领域进行一系列方法论研究和实验：（a）如何设计适当的编程任务； （b）如何选择有效平衡实验控制与生态有效性的研究环境； （c）如何衡量相关结果，例如开发人员的自我效能和API可用性。研究人员将在多个基本研究问题（例如API，文档资源和安全工具的比较）中测试这些关键的研究设计问题。结果将为设计决策之间的折衷如何在各种研究中发挥作用，从而使研究人员能够做出最适合其背景的明智选择。结果将被合成为全面的指南，以帮助研究人员进行更好的研究，获得更强有力的证据，从而改善安全发展的过程。该奖项反映了NSF的法定任务，并被认为是通过基金会的智力优点和广泛影响的评估来评估值得支持的。

项目成果

Vulnerability Discovery for All: Experiences of Marginalization in Vulnerability Discovery

• DOI: 10.1109/sp46215.2023.10179478
• 发表时间: 2023-05
• 期刊: 2023 IEEE Symposium on Security and Privacy (SP)
• 作者: Kelsey R. Fulton;Samantha Katcher;Kevin Song;M. Chetty;Michelle L. Mazurek;Chloé Messdaghi;Daniel Votipka