SBIR-STTR Award

Analyzing Human Dimensions of Software Engineering Processes
Award last edited on: 12/31/2019

Sponsored Program
SBIR
Awarding Agency
DOD : DARPA
Total Award Amount
$1,499,994
Award Phase
2
Solicitation Topic Code
SB172-007
Principal Investigator
Anita D'Amico

Company Information

Applied Visions Inc (AKA: AVI)

6 Bayview Avenue
Northport, NY 11768
   (631) 759-3987
   info2@avi.com
   www.avi.com
Location: Multiple
Congr. District: 01
County: Suffolk

Phase I

Contract Number: N/A
Start Date: 00/00/00    Completed: 00/00/00
Phase I year
2019
Phase I Amount
$1
The Secure Decisions team will conduct research to: 1) determine how human dimensions of software engineering (SE) processes influence software security and quality; and 2) develop mechanisms for measuring these relationships in both open source and closed (private) development environments. The human dimensions of interest are: characteristics and behaviors of developers and development teams; environmental conditions that affect developers; and the chain of human activities that contribute to the introduction and persistence of vulnerabilities within a software repository. Software security is the primary outcome of interest; quality issues that influence an application's security are also studied. Two types of analyses will be performed on software developed under both open and closed environments: retrospective analyses of existing software repositories to find relationships between human dimensions and software security; and root cause analyses of vulnerabilities in which we will build a timeline of the chain of SE activities that led to the vulnerabilities' introduction, persistence, eventual discovery, and remediation. A third type, concurrent analysis, will assess how human dimensions relate to software security using data collected while software is developed in closed environments. Results will be transitioned into commercial services, an open source curated database of vulnerability histories, and other research.

Phase II

Contract Number: 140D6319C0018
Start Date: 00/00/00    Completed: 00/00/00
Phase II year
2019
Phase II Amount
$1,499,993
The Secure Decisions team will conduct research to: 1) determine how human dimensions of software engineering (SE) processes influence software security and quality; and 2) develop mechanisms for measuring these relationships in both open source and closed (private) development environments. The human dimensions of interest are: characteristics and behaviors of developers and development teams; environmental conditions that affect developers; and the chain of human activities that contribute to the introduction and persistence of vulnerabilities within a software repository. Software security is the primary outcome of interest; quality issues that influence an application's security are also studied. Two types of analyses will be performed on software developed under both open and closed environments: retrospective analyses of existing software repositories to find relationships between human dimensions and software security; and root cause analyses of vulnerabilities in which we will build a timeline of the chain of SE activities that led to the vulnerabilities' introduction, persistence, eventual discovery, and remediation. A third type, concurrent analysis, will assess how human dimensions relate to software security using data collected while software is developed in closed environments. Results will be transitioned into commercial services, an open source curated database of vulnerability histories, and other research.