Social influences on secure development tool adoption: why security tools spread

Security tools can help developers build more secure software systems by detecting, or helping to fix, security vulnerabilities in source code. However, developers do not always use these tools. In this paper, we investigate a number of social factors that influence developers' adoption decisions, drawing on a multidisciplinary field of research called diffusion of innovations. We conducted 42 one-on-one interviews with professional software developers, and our results suggest a number of ways in which security tool adoption depends on developers' social environments and on the channels through which information about tools is communicated. For example, some participants trusted developers with strong reputations on the Internet as much as they trusted their own colleagues as sources of information about security tools.
