(Press-News.org) For software programmers, security tools are analytic software that can scan or run their code to expose vulnerabilities long before the software goes to market. But these tools can have shortcomings, and programmers don't always use them. New research from National Science Foundation-funded computer science researcher Emerson Murphy-Hill and his colleagues tackles three different aspects of the issue.
"Our work is focused on understanding the developers who are trying to identify security vulnerabilities in their code, and how they use (or don't use) tools that can help them find those vulnerabilities," says Murphy-Hill, an associate professor of computer science at NC State University. "The one thing that ties all of our work together is that we want to help give programmers the best possible tools and help them use those tools effectively."
In the first of three related papers being presented next week at the Symposium on the Foundations of Software Engineering, a team of computer science and psychology researchers from NC State and Microsoft Research surveyed more than 250 developers on their experiences with security tools. The goal was to determine what influences a developer's use of these tools - and the findings were somewhat surprising.
For one thing, developers who said they worked on products in which security was important were not much more likely to use security tools than other programmers.
Instead, "the two things that were most strongly associated with using security tools were peer influence and corporate culture," Murphy-Hill says. Specifically, people who said they had seen what others do with security tools, and people whose bosses expected them to use security tools, were most likely to take advantage of the tools.
"This research gives software development companies and managers information they can use to effectively influence the adoption of security tools by developers," Murphy-Hill says.
But these tools aren't completely accurate. For example, they can tell programmers there's a problem where no problem actually exists. And the tools aren't always user-friendly. In short, the characteristics of the tools themselves can affect whether programmers choose to use them.
To shed light on how security tools support developers in diagnosing potential vulnerabilities, Murphy-Hill's team and collaborators from the University of North Carolina at Charlotte devised a separate study, effectively asking: do tools give developers the information they need to determine if there's a real problem and how to fix it?
In this study, the researchers gave 10 developers of varying backgrounds a specific security tool and a substantial chunk of open-source code to examine. The code contained known security vulnerabilities, which were identified by the security tool. Each of the study participants was asked to use the tool, inspect the source code, and say whether each security notification from the tool was real and how they would address the vulnerabilities.
"In many cases, the tool presented multiple possible fixes for a problem, but didn't give programmers much information about the relevant advantages and disadvantages of each fix," Murphy-Hill says. "We found that this made it difficult for programmers to select the best course of action."
The tool would also give developers multiple notifications that seemed to be related to each other - but the notifications didn't give developers information on exactly how the problems related to each other.
"This can be confusing for programmers, and lead to problems if developers don't fully understand how various problems are related to each other or how potential fixes might affect the overall code," Murphy-Hill says.
"More research is needed to really flesh these findings out - we need to expand this study to incorporate more programmers and more security tools," Murphy-Hill says. "But overall, we're hoping that this and related work can help programmers create more effective tools for use by the software development community."
One concept that Murphy-Hill and colleagues from NC State propose in a third paper is the idea of "bespoke" tools. The basic idea is to create tools that developers use - including security tools - that are capable of evolving over time as they are used, adapting to each programmer's particular areas of expertise.
"For example, programmers with expertise in addressing security vulnerabilities won't need a security tool that offers extensive information on all of the potential fixes for a given vulnerability - wading through that might slow them down," Murphy-Hill says. "So a bespoke tool might learn to offer only basic information about potential fixes for them. But the tool could also recognize that it needs to leave in that additional information for less security-savvy programmers, who may need it to make informed decisions."
These bespoke tools could learn about a programmer's strengths through both the programmer's interactions with the tool and by analyzing the programmer's code itself, Murphy-Hill says.
INFORMATION:
The Symposium on the Foundations of Software Engineering is being held Aug. 30 to Sept. 4 in Bergamo, Italy. Lead author of "Quantifying Developers' Adoption of Security Tools" is Jim Witschey, a former computer science graduate student at NC State. The paper was co-authored by Olga Zielinska, Allaire Welk, Murphy-Hill, and Chris Mayhorn of NC State and Thomas Zimmerman of Microsoft Research. Lead author of "Questions Developers Ask While Diagnosing Potential Security Vulnerabilities with Static Analysis," is Justin Smith, a Ph.D. student at NC State. The paper was co-authored by Brittany Johnson and Murphy-Hill of NC State and Bill Chu and Heather Richter Lipford of UNC-Charlotte. Johnson is also lead author of "Bespoke Tools: Adapted to the Concepts Developers Know." Co-authors are Rahul Pandita, Murphy-Hill and Sarah Heckman of NC State.
The research was supported by NSF under grants 1318323, DGE-0946818 and 1217700.
URBANA, Ill. - Men and persons age 65 and older who have access to natural surroundings, whether it's the green space of a nearby park or a sandy beach and an ocean view, report sleeping better, according to a new University of Illinois study published in Preventive Medicine.
"It's hard to overestimate the importance of high-quality sleep," said Diana Grigsby-Toussaint, a U of I professor of kinesiology and community health and a faculty member in the U of I's Division of Nutritional Sciences. "Studies show that inadequate sleep is associated with declines in mental ...
PROVIDENCE, R.I. [Brown University] -- A new study of the records of millions of nursing home residents affirms the value of influenza vaccination among the elderly. The Brown University analysis found that between 2000 and 2009, the better matched the vaccine was for the influenza strain going around, the fewer nursing home residents died or were hospitalized.
Although flu vaccination is a standard of care and a measure of quality in nursing homes, some public health experts question the evidence of whether they do any good, said Vincent Mor, corresponding author of ...
The Global Precipitation Measurement or GPM mission core satellite gathered rainfall data on Tropical Depression Kilo as it heads toward Johnston Island in the Central Pacific Ocean. On August 24, a Tropical Storm Warning was posted for Johnston Island
Kilo formed as depression and strengthened into a tropical storm to southeast of the Hawaiian Islands on August 20, 2015. By 5 a.m. EDT on Sunday, August 23, Kilo weakened to a tropical depression. Today, August 24, the tropical depression nearing Johnston Island.
The National Hurricane Center noted that Johnston Island ...
Washington D.C., August 24, 2015 - Children who have been abused typically experience more intense emotions than their peers who have not been abused. This is often considered a byproduct of living in volatile, dangerous environments. A recent study published in the Journal of the American Academy of Child and Adolescent Psychiatry (JAACAP) set to find out what happens when these children are taught how to regulate their emotions. Could that better help them cope with difficult situations?
The team of researchers from the University of Washington studied what happens ...
WASHINGTON, Aug. 24 2015 -- You're tired and you need an energy boost, but you don't want the jitters from caffeine. What to do? In this Reactions video, we give you some chemistry-backed tips -- one of which involves cats -- to boost your productivity and stay awake without refilling the coffee cup. Check it out here: https://youtu.be/SvEQBURrPow
INFORMATION:
Subscribe to our weekly series at http://bit.ly/ACSReactions and follow us on Twitter @ACSReactions.
The American Chemical Society is a nonprofit organization chartered by the U.S. Congress. With more than 158,000 ...
We humans have been using self-medication to cure the illnesses since the dawn of our species. There is some evidence that also other animals can exhibit this type of behavior, but the evidence has been hard to come by.
Scientists from the University of Helsinki, Finland, have now shown that black ant Formica fusca can change their taste for food once exposed to the fungal pathogens. In the compound of interest was hydrogen peroxide, which can be found in the damaged plants, other insects and cadavers.
"When ants are feeding on the diet containing extra free radicals ...
People are motivated to participate in the sharing economy because of its ecological sustainability, the enjoyment derived from the activity, the sense of community, and saving money and time. Ecological sustainability is one of the basic principles of the sharing economy - not to purchase everything individually but rather consumer collaboratively by sharing goods and services. Another canonical principle of the sharing economy is 'paying it forward'. However, collaborative consumption may involve the same hurdles as any other type of green consumption, researcher from ...
The report, published on F1000Research and titled Neuropathic pain in a patient with congenital insensitivity to pain has just passed peer review. It concerns a unique case of a woman with Channelopathy-associated Insensitivity to Pain (CIP) Syndrome, who developed features of neuropathic pain after sustaining pelvic fractures and an epidural hematoma that impinged on the right fifth lumbar (L5) nerve root. These injuries were sustained during a painless labour, which culminated in a Caesarean section.
The patient had been diagnosed with CIP as child. This was later ...
CINCINNATI - A study published online Aug. 24 by the journal Pediatrics finds a significant decrease in the use of computed tomography (CT) scans at children's hospitals for 10 common childhood diagnoses including seizure, concussion, appendectomy and upper respiratory tract infection.
Alternate types of imaging such as ultrasound and magnetic resonance imaging (MRI) are being used more frequently for eight of the 10 diagnoses. Study authors hypothesize the decline in CT usage may be attributable to a growing body of evidence linking ionizing radiation from CT scans to ...
Yes, a good cry indeed might go a long way to make you feel better, says Asmir Gračanin of the University of Tilburg in the Netherlands, lead author of a study in Springer's journal Motivation and Emotion. These findings were established after a research team videotaped a group of participants while watching the emotionally charged films La vita è bella and Hachi: A Dog's Tale. Afterwards, the participants were asked a few times to reflect on how they felt.
Although humans are the only species able to shed emotional tears, little is known about the function ...
