Kelsey Fulton (they/them)

University of Maryland

"Understanding and Improving Secure Development from a Human-Centered Perspective"

Friday January 13, 2023 10:00 AM
Location: 3211, EB2 NCSU Centennial Campus

Abstract: Secure software development remains a difficult and expensive task. In order to make progress, it is important to understand the human and organizational factors that help – or harm – secure development processes. My work aims to understand these factors through the use of qualitative and quantitative methodology, including interviews, large-scale surveys, and code review for vulnerabilities.


In this talk, I will highlight how and why developers introduce vulnerabilities, as well as why current secure tooling, interventions, and organizational processes fail developers and security professionals and how we can improve them. First, I will discuss why and how developers introduced, found, and fixed different types of vulnerabilities, empirically uncovering an overwhelming need for investment in tooling or processes that can uncover and correct conceptual misunderstandings of security concepts. Then, I will present two studies exploring current issues with secure tooling and security communities through the use of interviews and a survey. Going forward, I plan to study the security assumptions developers make in order to improve security tooling, processes, and resources.

Short Bio: Kelsey Fulton is a sixth-year PhD candidate at the University of Maryland. Their research applies a human-centric approach to secure software development with an emphasis on mental models and processes of software developers and the usability and improvement of secure development tools. Their work has been published in top security conferences and recognized with a best paper award at the USENIX Security Symposium. They received their master's degree in computer science from the University of Maryland in 2019 and their bachelor's degree in computer science and mathematics from Millersville University in 2017.

Host: Will Enck, CSC

