ABSTRACT
Security tools can help developers build more secure software systems by helping them detect or fix security vulnerabilities in source code. However, developers do not always use these tools. In this paper, we investigate a number of social factors that impact developers' adoption decisions, drawing on a multidisciplinary field of research called diffusion of innovations. We conducted 42 one-on-one interviews with professional software developers, and our results suggest a number of ways in which security tool adoption depends on developers' social environments and on the channels through which information about tools is communicated. For example, some participants trusted developers with strong reputations on the Internet as much as they trusted their colleagues for information about security tools.
Social influences on secure development tool adoption: why security tools spread