Security Notifications in Static Analysis Tools: Developers' Attitudes, Comprehension, and Ability to Act on Them

Mohammad Tahaei, Kami E Vaniea, Konstantin Beznosov, Maria K Wolters

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract / Description of output

Static analysis tools (SATs) have the potential to assist developers in finding and fixing vulnerabilities in the early stages of software development, which requires developers to be able to understand and act on the tools’ notifications. To understand how helpful such SAT guidance is to developers, we ran an online experiment (N=132) where participants were shown four vulnerable code samples (SQL injection, hard-coded credentials, encryption, and logging sensitive data) along with SAT guidance, and asked to indicate the appropriate fix. Participants had a positive attitude towards both tools’ notifications and particularly liked the example solutions and vulnerable code. Seeing SAT notifications also led to more detailed open-ended answers and slightly improved code-correction answers. Still, most SAT (SpotBugs 67%, SonarQube 86%) and Control (96%) participants answered at least one code-correction question incorrectly. Prior software development experience, perceived vulnerability severity, and answer confidence all positively impacted answer accuracy.
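To make the four vulnerability categories concrete, here is an added Java example (not the study's materials, and not code from the authors) showing, for each category, the kind of vulnerable pattern a Java SAT such as SpotBugs or SonarQube reports next to a corrected form. The environment variable name DB_PASSWORD, the table and column names, and the choice of DES/ECB versus AES/GCM as the weak and strong cipher are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical before/after pairs in the four categories the study names. */
public class SatSampleFixes {
    private static final Logger LOG = Logger.getLogger(SatSampleFixes.class.getName());

    // 1. SQL injection: user input concatenated into the query text.
    static ResultSet findUserVulnerable(Connection conn, String username) throws SQLException {
        Statement st = conn.createStatement();
        return st.executeQuery("SELECT id FROM users WHERE name = '" + username + "'");
    }

    // Fix: bind the value as a parameter so it can never change the query structure.
    static ResultSet findUserFixed(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // 2. Hard-coded credentials: a secret literal checked into source control.
    static final String DB_PASSWORD_VULNERABLE = "s3cret";

    // Fix: read the secret from the runtime environment (assumed variable name) and fail
    // loudly if it is absent rather than falling back to a default.
    static String dbPasswordFixed() {
        String pw = System.getenv("DB_PASSWORD");
        if (pw == null || pw.isEmpty()) {
            throw new IllegalStateException("DB_PASSWORD is not set");
        }
        return pw;
    }

    // 3. Encryption: a 56-bit cipher in ECB mode, no integrity protection.
    static byte[] encryptVulnerable(byte[] plaintext, SecretKey desKey) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, desKey);
        return c.doFinal(plaintext);
    }

    // Fix: AES-GCM with a fresh random 96-bit nonce prepended to the ciphertext.
    static byte[] encryptFixed(byte[] plaintext, SecretKey aesKey) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // 4. Logging sensitive data: the credential ends up in plaintext log storage.
    static void loginVulnerable(String user, String password) {
        LOG.info("login attempt user=" + user + " password=" + password);
    }

    // Fix: log the event, never the secret.
    static void loginFixed(String user, String password) {
        LOG.info("login attempt user=" + user);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        byte[] ct = encryptFixed("hello".getBytes(StandardCharsets.UTF_8), kg.generateKey());
        // 12-byte nonce + 5 bytes of ciphertext + 16-byte GCM tag = 33 bytes
        System.out.println("AES-GCM output length: " + ct.length);
        loginFixed("alice", "hunter2");
    }
}
```

The two SQL methods are not exercised by main because they need a live JDBC connection; the other pairs run stand-alone. Running a SAT over this file is the quickest way to see which of the four "vulnerable" variants it actually reports, which is the gap the study measures between a notification being shown and a developer choosing the right fix.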
Original language: English
Title of host publication: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Publisher: Association for Computing Machinery (ACM)
Pages: 1-17
Number of pages: 17
ISBN (Print): 9781450380966
DOIs
Publication status: Published - 6 May 2021
Event: The ACM CHI Conference on Human Factors in Computing Systems 2021 - Virtual Conference, Japan
Duration: 8 May 2021 - 13 May 2021
https://chi2021.acm.org/

Conference

Conference: The ACM CHI Conference on Human Factors in Computing Systems 2021
Abbreviated title: CHI 2021
Country/Territory: Japan
City: Virtual Conference
Period: 8/05/21 - 13/05/21
Internet address

Keywords / Materials (for Non-textual outputs)

  • usable security
  • software developers
  • security notifications
  • static analysis tools
