Article ID: 6902549
Journal: Simulation Modelling Practice and Theory
Published Year: 2018
Pages: 14 Pages
File Type: PDF
Abstract
Security tools, including static and dynamic analysis tools, can guide software developers to identify and fix potential vulnerabilities in their code. However, the use of security tools is not common among developers. The goal of this research is to develop a framework for modeling the adoption of security practices in software development and to explore sanctioning mechanisms that may promote greater adoption of these practices among developers. We propose a multiagent simulation framework that incorporates developer and manager roles, where developers maximize task completion and compliance with security policies, and the manager enforces sanctions based on the functionality and security of the project. The adoption of security practices emerges through the interaction of manager and developer agents in time-critical projects. Using the framework, we evaluate the adoption of security practices for developers with different preferences and strategies under individual and group sanctions. We use a real case study to demonstrate the model and initialize the occurrence of bugs using a 13-year database of bug reports for the Eclipse Java Development Tools. Results indicate that the adoption of security practices is significantly dictated by the preferences of the developers. We also observed that repetitive sanctions may cause lower retention of developers and an overall decrease in security practices. The model provides a comparison of security adoption among developers with different preferences and provides guidance for managers to identify appropriate sanctioning mechanisms for increasing the adoption of security tools in software development.
Related Topics
Physical Sciences and Engineering; Computer Science; Computer Science (General)