Mazurek, Hicks Receive NSF Grant to Study Factors Leading to Insecure Software

Published September 12, 2018

Two researchers in the Maryland Cybersecurity Center (MC2) recently received a National Science Foundation (NSF) grant to understand the human and organizational factors that contribute toward insecure software development.

Michelle Mazurek, an assistant professor of computer science, and Michael Hicks, a professor of computer science, will share the approximately $450,000 award.

Both faculty also have appointments in the University of Maryland Institute for Advanced Computer Studies (UMIACS).

Their proposal, “Understanding Security in the Software Development Lifecycle: A Holistic, Mixed-Methods Approach,” includes collaboration with researchers at the University of South Florida.

Although significant effort has gone into identifying flaws in software—as well as developing tools, libraries and processes for detecting and mitigating these flaws during software development and maintenance—security problems remain pervasive, the researchers say.

Mazurek says there has been comparatively little effort to empirically assess the effectiveness of existing tools and processes in realistic settings, and almost no effort to understand the root causes of professional developers making security errors. This lack of knowledge, she adds, hinders the advancement of secure programming techniques that can effectively reduce the number of security bugs in deployed software.

The team’s research will focus on measuring and evaluating the effectiveness of particular approaches to securing software as carried out by typical developers.

By combining anthropological observation of industrial development practice with experimental evaluation of tools and processes, the project will identify new or underappreciated approaches to improving software security in practice.

“The cool thing about this project is that we’re trying to get a 360-degree view—using many different methods so that we can analyze it from multiple angles,” Mazurek says.