Researchers want to help software developers find the best tools for detecting security issues. Emerson Murphy-Hill, a National Science Foundation-funded computer science researcher and associate professor at North Carolina State University, and his colleagues are attempting to uncover the shortcomings and disadvantages of security tools.
“Our work is focused on understanding the developers who are trying to identify security vulnerabilities in their code, and how they use [or don’t use] tools that can help them find those vulnerabilities,” said Murphy-Hill. “The one thing that ties all of our work together is that we want to help give programmers the best possible tools and help them use those tools effectively.”
So far the researchers have tackled three different aspects of software security tools. One study looked at what influences a developer to adopt a particular tool; according to its findings, developers are likely to use a tool if they have seen how their peers use it or if their company mandates it.
In another study, the team looked at how efficient and accurate tools were in identifying potential issues.
“In many cases, the tool presented multiple possible fixes for a problem, but didn’t give programmers much information about the relevant advantages and disadvantages of each fix,” said Murphy-Hill. “We found that this made it difficult for programmers to select the best course of action.”
Lastly, the researchers studied the idea of bespoke tools, which would evolve and adapt over time and learn the strengths and weaknesses of their individual users, according to Murphy-Hill.
“More research is needed to really flesh these findings out; we need to expand this study to incorporate more programmers and more security tools,” Murphy-Hill said. “But overall, we’re hoping that this and related work can help programmers create more effective tools for use by the software development community.”