000000340 001__ 340
000000340 005__ 20210409111733.0
000000340 037__ $$aLERSSE-RefConfPaper-2021-004
000000340 100__ $$aMohammad Tahaei
000000340 245__ $$aSecurity Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them
000000340 260__ $$c2021-05-07
000000340 300__ $$amult. p
000000340 520__ $$aStatic analysis tools (SATs) have the potential to assist developers in finding and fixing vulnerabilities in the early stages of software development, requiring them to be able to understand and act on tools’ notifications. To understand how helpful such SAT guidance is to developers, we ran an online experiment (N=132) where participants were shown four vulnerable code samples (SQL injection, hard-coded credentials, encryption, and logging sensitive data) along with SAT guidance, and asked to indicate the appropriate fix. Participants had a positive attitude towards both SAT notifications and particularly liked the example solutions and vulnerable code. Seeing SAT notifications also led to more detailed open-ended answers and slightly improved code correction answers. Still, most SAT (SpotBugs 67%, SonarQube 86%) and Control (96%) participants answered at least one code-correction question incorrectly. Prior software development experience, perceived vulnerability severity, and answer confidence all positively impacted answer accuracy.
000000340 6531_ $$ausable security
000000340 6531_ $$asoftware developers
000000340 6531_ $$asecurity notifications
000000340 6531_ $$astatic analysis tools
000000340 700__ $$aKami Vaniea
000000340 700__ $$aKonstantin Beznosov
000000340 700__ $$aMaria K. Wolters
000000340 8560_ $$flersse-it@ece.ubc.ca
000000340 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/340/files/tahaei2021SAT.pdf
000000340 909C4 $$pMohammad Tahaei, Kami Vaniea, Konstantin Beznosov, Maria K. Wolters. Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them. Proceedings of the ACM CHI Conference on Human Factors in Computing Systems (ACM CHI'21), 2021
000000340 980__ $$aRefConfPaper