What Makes Security-Related Code Examples Different
LERSSE-RefConfPaper-2021-007
Azadeh Mokhberi ; Tiffany Quon ; Konstantin Beznosov
06 September 2021
Abstract: Developers' reliance on code examples (CEs) in software engineering can affect code security. We conducted semi-structured interviews with seven professional developers to investigate developers' habits, challenges, and strategies across the life cycle of using security-related code examples (SRCEs), with a focus on exploring the differences between security-related and non-security-related CEs. Results indicate that a failure to adequately differentiate between SRCEs and non-security-related code examples (NSRCEs) is one reason vulnerabilities are introduced into code. We found that developers had a habit of reusing vulnerable code from their previous projects. This code reuse unintentionally introduced the same vulnerability into new projects, even though that vulnerability had already been fixed in later iterations of the original resource the CE had been taken from. Our results highlight that professional developers need the same number of such CEs even as they gain experience over time, while this may not be the case for NSRCEs.
Keyword(s): usable security; software developers; security-related code examples; human-centred research; HCI
Published in: Azadeh Mokhberi, Tiffany Quon, Konstantin Beznosov. What Makes Security-Related Code Examples Different. In The 7th Workshop on Security Information Workers at SOUPS workshops, 2021.