Iteration 1 - Nc State University · Software tester Manager Security expert Other I usually use security tools when I develop software, or security tools automatically analyze the

emerson

Typewritten Text

Iteration 1

3/12/2015 Qualtrics Survey Software

https://login.qualtrics.com/ControlPanel/Ajax.php?action=GetSurveyPrintPreview&T=1hReUMsiNrGy1YInHtiUMi 1/13

Greetings and Consent

Thanks for participating in our survey! It consists of this consent form, 4 pages ofquestions, and a chance to give some general feedback if you like.

North Carolina State UniversityINFORMED CONSENT FORM for RESEARCHSecurity Tool Attitudes SurveyJim Witschey and Dr. Emerson MurphyHill, North Carolina State University

What are some general things you should know about research studies?You are being asked to take part in a research study. Your participation in this study isvoluntary. You have the right to be a part of this study, to choose not to participate or tostop participating at any time without penalty. The purpose of research studies is to gain abetter understanding of a certain topic or issue. You are not guaranteed any personalbenefits from being in a study. Research studies also may pose risks to those thatparticipate. In this consent form you will find specific details about the research in which youare being asked to participate. If you do not understand something in this form it is yourright to ask the researcher for clarification or more information. A copy of this consent formwill be provided to you. If at any time you have questions about your participation, do nothesitate to contact the researcher(s) named above. What is the purpose of this study?We would like to understand why developers use or do not use tools that help themdevelop more secure software. This study will collect data about developers' perceptionsabout these tools. We plan to use this data to develop a quantitative model that predictswhether an individual developer will or will not use such a tool. What will happen if you take part in the study?If you agree to participate in this study, you will be asked to take one online survey. Youwill be asked to answer a number of questions about your perceptions of tools that helpdevelopers develop more secure software. We estimate that this survey will take less than15 minutes. You may take this survey anywhere you have access to it.Participation in this study is not a requirement of your employment, and your participation orlack thereof will not affect your job. RisksWe do not anticipate any risks to participation. However, if you experience any discomfortor choose to stop taking the survey for any reason, you may leave the survey at any timeby closing your browser. BenefitsWe do not anticipate any direct benefits to you for participating in this survey. Yourresponses will help researchers, toolsmiths, and software development managers increase



I am not a professional software developer or tester.

1 year or less

1 2 years

3 5 years

610 years

11 20 years

more than 20 years

the adoption of tools that help developers develop more secure software. We will also usethis data to compare the adoption of such tools within different organizations. ConfidentialityThe information in the study records will be kept confidential to the full extent allowed bylaw. Data will be stored securely on passwordprotected computers and hard drivesbelonging to the researchers. No reference will be made in oral or written reports whichcould link you to the study. You will NOT be asked to write your name on any studymaterials, so no one can match your identity to the answers that you provide. CompensationUpon completing this survey, you may enter a drawing for one of two Amazon gift cards. What if you have questions about this study?If you have questions at any time about the study or the procedures, you may contact thePrincipal Investigator, Jim Witschey, at [email protected], or (919/3228058). What if you have questions about your rights as a research participant? If you feel you have not been treated according to the descriptions in this form, or yourrights as a participant in research have been violated during the course of this project, youmay contact Deb Paxton, Regulatory Compliance Administrator, Box 7514, NCSU Campus(919/5154514).

Consent To Participate

I have read and understand the above information.

I have received a copy of this form.

I agree to participate in this study with the understanding that Imay choose not to participate or to stop participating at anytime without penalty or loss of benefits to which I am otherwiseentitled.

Introduction

How long have you been professionally involved in developing or testing software?



I prefer not to answer.

Software developer

Software tester

Manager

Security expert

Other

I usually use security tools when I develop software, or security tools automatically analyze the code Idevelop when I check in or build my code.

I use security tools only occasionally or when I am performing specific tasks, like looking for vulnerabilities.

I never or almost never use security tools.

What best describes your role in software development?

In what domain do you develop software? (e.g. "webapps" or "compilers")

For the purposes of this survey, we consider software secure if it:executes predictably and correctly, even in hostile conditions,contains few, if any, vulnerabilities or weaknesses that can be exploited, andis resilient enough to resist or tolerate (i.e., continue operating dependably in spite of)most known attacks and as many novel attacks as possible.

We'll be asking you some questions concerning security tools. We define security toolsas any tools that help developers find or fix security vulnerabilities in source code duringsoftware development. Security tools include:

static analysis tools that scan application source code (such as Fortify SCA, ArmorizeCodeSecure, and FindBugs), anddynamic analysis tools that scan running applications and programs (such as HPWebInspect, IBM AppScan, and Valgrind).

The following questions ask you about your experiences with and attitudes towards thesesecurity tools and the environment in which you work where people may use these tools.

Which of the following statements describes you best?



Security Awareness

Security Awareness

Strongly Agree AgreeNeither Agreenor Disagree Disagree

StronglyDisagree Don't Know

I could explain software securitydesign to a new developer onmy project.

I am aware of securedevelopment standards such asthose from OWASP or theMicrosoft Secure DevelopmentLifecycle.

I apply secure developmentstandards such as those fromOWASP or the Microsoft SecureDevelopment Lifecycle.

Security is best emphasizedprimarily in early design.

Security is best emphasizedprimarily in endstage testing.

Adding security functionality isimportant to the developers Iwork with.

Complexity, Compatibility, Exposure

These questions ask you questions about security tools in general. While we know thatsecurity tools are all different, we'd like you to generalize about the ones you know.

Complexity



My using security toolsrequires a lot of mental effort.

I believe that it is easy to getsecurity tools to do what I wantthem to do.

Learning to operate securitytools is easy for me.

Using security tools requiresdeep knowledge of softwaresecurity.

The internal workings ofsecurity tools are complex.

Security tools present theiranalyses in understandableways.

http://www.microsoft.com/security/sdl/default.aspx

https://www.owasp.org/index.php/Main_Page





(Optional) Anything else to note about the complexity of security tools?

Compatibility



I think that using security tools$e://Field/fit well with the wayI like to work.

Using security tools$e://Field/fit into my workstyle.

Security tools are highlyconfigurable.

There are good security toolsthat are compatible with myworkflow.

There are good security toolsthat are compatible with thetechnologies I use.

(Optional) Anything else to note about the compatibility of security tools with your workflowor the technologies you use?

Exposure



I frequently learn aboutsecurity tools from otherdevelopers.

I frequently learn aboutsecurity tools from blogs andtechnical websites.

I frequently learn aboutsecurity tools fromadvertisements, online orotherwise.

I frequently learn aboutsecurity tools from managersin my organization.



(Optional) Anything else to note about how you have learned about security tools?

Advantages, Concern, Training


Advantages



Using security tools$e://Field/help me do mywork more quickly.

Using security tools$e://Field/improve the qualityof the work I do.

Using security tools$e://Field/make it easier to domy job.

Using security tools$e://Field/improve my jobperformance.

Using security tools$e://Field/is resourceintensive.

Using security tools$e://Field/is costeffective.

Using security tools$e://Field/is a good use of mytime.

Security tools are easy toautomate.

Given multiple security tools, Ican easily choose which to usefor a given task.

(Optional) Anything else to note about the advantages and disadvantages of using securitytools?



Security Concern



I work on software for whichsecurity is very important.

If the software I work on wereinsecure, it would putimportant resources at risk.

If the software I work on wereinsecure, it would causeproblems for customers andusers.

(Optional) Anything else to note about the importance of security in the software youdevelop or how that makes you think about using security tools?

Education and Training



My organization holds frequenttrainings on security tools.

My organization holds frequenttrainings on software security.

I learned about security toolsin university courses.

I prefer to learn to use asecurity tool by playing with it.

I prefer to learn to use asecurity tool by reading itsmanual.

I prefer to learn to use asecurity tool from a colleaguewho uses it.

I prefer to learn to use asecurity tool from tutorials.

(Optional) Anything else to note about how you have learned or would learn how to use a



new security tool?

Policies, Culture, Observability


Policies



My superiors expect me to usesecurity tools.

If the software I wrote wereinsecure, I would be punished.

My superiors reward me forwriting secure software.

In my organization, there areexplicit standards for thesecurity of the software Idevelop.

In my organization, there areinformal standards for thesecurity of the software Idevelop.

In my organization, there areexplicit standards thatprescribe processes by whichto develop secure software.

In my organization, there areinformal standards thatprescribe processes by whichto develop secure software.

The software I develop isanalyzed by security toolswhen it is built or tested.

In my organization, using anew security tool wouldrequire getting approval to useit.

(Optional) Anything else to note about your organization's policies regarding security andsecurity tools?



Culture



Using security tools$e://Field/improve my imagewithin my organization.

Using security tools$e://Field/make others in myorganization see me as a morevaluable employee.

People in my organization whouse security tools have moreprestige than those who donot.

If the software I develop wereinsecure, I would beembarrassed.

Functional requirements of thesoftware I develop take priorityover its security.

(Optional) Anything else to note about the general attitude toward security and securitytools in your organization?

Observability



I have seen what others dousing security tools.

Security tools are not veryvisible in my organization.

It is easy for me to observeothers using security tools inmy organization.

(Optional) Anything else to note about how much you see or are able to see others usingsecurity tools in your organization?



Trial Ease, Inquisitiveness, Trust, Organizational Structure

These questions ask you questions about security tools and sources for information aboutthem in general. While we know that security tools are all different, and your attitudestoward information sources will vary, we'd like you to generalize about them.

Trial Ease



I know how I can satisfactorilytry out various uses of securitytools.

Security tools are available tome to adequately try out.

I was permitted to use securitytools on a trial basis longenough to see what it coulddo.

I am able to experiment withsecurity tools as necessary.

I did not have to expend verymuch effort to try out securitytools.

(Optional) Anything else to note about the ease or difficulty of trying out security tools?

Trust



If I learned about a securitytool from another developer, Iwould trust that information.

If I learned about a securitytool from a blog or technicalwebsite, I would trust thatinformation.



If I learned about a securitytool from an advertisement,online or otherwise, I wouldtrust that information.

If I learned about a securitytool from a manager in myorganization, I would trust thatinformation.

(Optional) Anything else to note about what makes you trust an individual or informationchannel for information about security tools?

Inquisitiveness



I enjoy learning about newsecurity tools.

I actively seek out informationabout security tools.

If I wanted to make mysoftware more secure, I wouldlook for security tools to helpme do so.

(Optional) Anything else to note about seeking out new security tools? Why do or don't youlook for new security tools? How do or would you do so?

Organizational Structure



My peers thoroughly reviewthe software I develop toensure it is secure.

Security experts thoroughlyreview the software I developto ensure it is secure.

I am personally responsible for



the security of the software Idevelop.

Those who test the software Idevelop are responsible for itssecurity.

I interact frequently with othersin my organization who helpimprove the security of thesoftware I develop.

(Optional) Anything else to note about the others in your organization who are responsiblefor the security of the software you develop or how they make you think about usingsecurity tools?

General Comments

Do you have any general comments about your perceptions of security tools? Forinstance,

Are they easy or difficult to use?How compatible are they with your current workflow?Are they worth the effort?How do you usually learn about them?What influences your choices when you decide whether or not to use one?What does your organization do that makes you less likely to use security tools? Whatcould it do to encourage you to use them?

Thank you for your input! If you'd like to be entered into a drawing for one of two $100Amazon gift cards, please follow this link to a form where you can enter your email address:

Drawing Entry Form

Your response on that form will not be linked in any way to your responses to the survey,and only Jim Witschey, a Graduate Research Assistant, will see the email addressesentered there.

If you'd prefer not to use the form, you may contact Jim Witschey directly [email protected].

https://docs.google.com/forms/d/1yUtg1LalpdiajOk1Yk8UxJRDpAYGFCWMHYIkrDujylE/viewform



Thank you again for your participation!

emerson

Typewritten Text

Iteration 2



Greetings and Consent

Thanks for participating in our survey! It consists of this consent form, and a page ofquestions.

North Carolina State UniversityINFORMED CONSENT FORM for RESEARCHSecurity Tool Attitudes SurveyJim Witschey and Dr. Emerson MurphyHill, North Carolina State University

What are some general things you should know about research studies?You are being asked to take part in a research study. Your participation in this study isvoluntary. You have the right to be a part of this study, to choose not to participate or tostop participating at any time without penalty. The purpose of research studies is to gain abetter understanding of a certain topic or issue. You are not guaranteed any personalbenefits from being in a study. Research studies also may pose risks to those thatparticipate. In this consent form you will find specific details about the research in which youare being asked to participate. If you do not understand something in this form it is yourright to ask the researcher for clarification or more information. A copy of this consent formwill be provided to you. If at any time you have questions about your participation, do nothesitate to contact the researcher(s) named above. What is the purpose of this study?We would like to understand why developers use or do not use tools that help themdevelop more secure software. This study will collect data about developers' perceptionsabout these tools. We plan to use this data to develop a quantitative model that predictswhether an individual developer will or will not use such a tool. What will happen if you take part in the study?If you agree to participate in this study, you will be asked to take one online survey. Youwill be asked to answer a number of questions about your perceptions of tools that helpdevelopers develop more secure software. We estimate that this survey will take less than15 minutes. You may take this survey anywhere you have access to it.Participation in this study is not a requirement of your employment, and your participation orlack thereof will not affect your job. RisksWe do not anticipate any risks to participation. However, if you experience any discomfortor choose to stop taking the survey for any reason, you may leave the survey at any timeby closing your browser. BenefitsWe do not anticipate any direct benefits to you for participating in this survey. Yourresponses will help researchers, toolsmiths, and software development managers increase



Privacy & Terms

the adoption of tools that help developers develop more secure software. We will also usethis data to compare the adoption of such tools within different organizations. ConfidentialityThe information in the study records will be kept confidential to the full extent allowed bylaw. Data will be stored securely on passwordprotected computers and hard drivesbelonging to the researchers. No reference will be made in oral or written reports whichcould link you to the study. You will NOT be asked to write your name on any studymaterials, so no one can match your identity to the answers that you provide.

You may enter an email address at the end of this survey so we may contact you to giveyou an Amazon gift card. This is the only purpose for which we will use this email address,and it will not be shared with anyone outside the researchers listed above. CompensationUpon completing this survey, the first 50 participants will receive an Amazon gift card for 15dollars. Others will receive no compensation. What if you have questions about this study?If you have questions at any time about the study or the procedures, you may contact thePrincipal Investigator, Jim Witschey, at [email protected], or (919/3228058). What if you have questions about your rights as a research participant? If you feel you have not been treated according to the descriptions in this form, or yourrights as a participant in research have been violated during the course of this project, youmay contact Deb Paxton, Regulatory Compliance Administrator, Box 7514, NCSU Campus(919/5154514).

Consent To Participate

I have read and understand the above information.

I have received a copy of this form.

I agree to participate in this study with the understanding that Imay choose not to participate or to stop participating at anytime without penalty or loss of benefits to which I am otherwiseentitled.

Pleas complete out this Captcha to indicate that you are human.

Type the text

http://www.google.com/intl/en/policies/



I am not a professional software developer or tester.

1 year or less

1 2 years

3 5 years

610 years

11 20 years

more than 20 years

I prefer not to answer.

Software developer

Software tester

Manager

Security expert

Other

Warning Block

Please note: you are not among the first 50 developers to take this survey, so wecannot give you an Amazon gift card if you complete this survey. We'd still love it ifyou took the survey, though! But no pressure. Thanks for considering it.

Introduction

How long have you been professionally involved in developing or testing software?

What best describes your role in software development?

In what domain do you develop software? (e.g. "webapps" or "compilers")

For the purposes of this survey, we consider software secure if it:executes predictably and correctly, even in hostile conditions,contains few, if any, vulnerabilities or weaknesses that can be exploited, andis resilient enough to resist or tolerate (i.e., continue operating dependably in spite of)



I usually use security tools when I develop software, or security tools automatically analyze the code Idevelop when I check in or build my code.

I use security tools only occasionally or when I am performing specific tasks, like looking for vulnerabilities.

I never or almost never use security tools.

most known attacks and as many novel attacks as possible.

We'll be asking you some questions concerning security tools. We define security toolsas any tools that help developers find or fix security vulnerabilities in source code duringsoftware development. Security tools include:

static analysis tools that scan application source code (such as Fortify SCA, ArmorizeCodeSecure, and FindBugs), anddynamic analysis tools that scan running applications and programs (such as HPWebInspect, IBM AppScan, and Valgrind).

The following questions ask you about your experiences with and attitudes towards thesesecurity tools and the environment in which you work where people may use these tools.

Which of the following statements describes you best?

Security Tools

Please indicate your agreement with the following statements:

StronglyDisagree Disagree

NeitherAgree norDisagree Agree

StronglyAgree

My peers thoroughly review the software I develop to ensure it issecure.

I apply secure development standards such as those fromOWASP or the Microsoft Secure Development Lifecycle.

If the software I work on were insecure, it would put importantresources at risk.

Given multiple security tools, I can easily choose which to use fora given task.

I interact frequently with others in my organization or working onmy project who help improve the security of the software Idevelop.

If the software I work on were insecure, it would cause problemsfor customers and users.

I actively seek out information about security tools.

I was permitted to use security tools on a trial basis long enoughto see what it could do.

I frequently have access to trainings on security tools.

Using security tools $e://Field/improve my image within myorganization.

The internal workings of security tools are complex.

In my organization or for my project, there are explicit standards



for the security of the software I develop.

Using security tools $e://Field/is costeffective.

I work on software for which security is very important.

I frequently learn about security tools from managers in myorganization or project.

I am personally responsible for the security of the software Idevelop.

My organization or project holds frequent trainings on softwaresecurity.

Security tools present their analyses in understandable ways.

I have seen what others do using security tools.

Using security tools $e://Field/make it easier to do my job.

Using security tools $e://Field/help me do my work more quickly.

Using security tools $e://Field/is a good use of my time.

Security is best emphasized primarily in endstage testing.

It is easy for me to observe others using security tools in myorganization or on the project I work on.

Using security tools $e://Field/improve my job performance.

The software I develop is analyzed by security tools when it isbuilt or tested.

My superiors reward me for writing secure software.

I frequently learn about security tools from other developers.

Security tools are not very visible in my organization or in myproject.

I am aware of secure development standards such as those fromOWASP or the Microsoft Secure Development Lifecycle.

I frequently learn about security tools from blogs and technicalwebsites.

If the software I develop were insecure, I would be embarrassed.

I know how I can satisfactorily try out various uses of securitytools.

People in my organization or working on my project who usesecurity tools have more prestige than those who do not.

Adding security functionality is important to the developers I workwith.

I could explain software security design to a new developer onmy project.

My superiors expect me to use security tools.

I learned about security tools in university courses.

Security tools are available to me to adequately try out.

Block 4

Thank you for your responses; please proceed to the next page.



Documents

Iteration 1 - Nc State University · Software tester Manager Security expert Other I usually use security tools when I develop software, or security tools automatically analyze the