Security Notifications in Static Analysis Tools: Developers' Attitudes, Comprehension, and Ability to Act on Them

Abstract

Static analysis tools (SATs) have the potential to assist developers in finding and fixing vulnerabilities in the early stages of software development, requiring them to be able to understand and act on tools' notifications. To understand how helpful such SAT guidance is to developers, we ran an online experiment (N=132) where participants were shown four vulnerable code samples (SQL injection, hard-coded credentials, encryption, and logging sensitive data) along with SAT guidance, and asked to indicate the appropriate fix. Participants had a positive attitude towards both SATs' notifications (SpotBugs and SonarQube) and particularly liked the example solutions and vulnerable code. Seeing SAT notifications also led to more detailed open-ended answers and slightly improved code correction answers. Still, most SAT (SpotBugs 67%, SonarQube 86%) and Control (96%) participants answered at least one code-correction question incorrectly. Prior software development experience, perceived vulnerability severity, and answer confidence all positively impacted answer accuracy.
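As an added illustration, not material from the paper (whose samples were Java code annotated with SpotBugs and SonarQube notifications), the following Python script shows the kind of fix the first sample asks for: a query assembled by string concatenation beside its parameterized replacement, run against a constructed in-memory SQLite table so the effect of an injected payload is visible. The table contents, the function names and the payload string are all constructed for this example.

```python
import sqlite3

# Constructed sample data for this illustration (not from the paper).
SAMPLE_USERS = [("alice", 1), ("bob", 0), ("carol", 0)]
# A classic tautology payload; the closing quote is supplied by the vulnerable query.
INJECTION_PAYLOAD = "nobody' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (username, is_admin) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: untrusted input is concatenated into the SQL text.

    This is the shape static analysis tools report as SQL injection. The caller
    controls part of the statement, not merely a value, so the payload above
    turns the WHERE clause into a tautology and returns every row.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username + "' "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(query)]


def find_user_fixed(conn, username):
    """Fixed: the statement is constant and the input is bound as a parameter.

    The driver passes the value separately from the SQL text, so quotes and
    keywords in the input are compared literally against the column.
    """
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


def demonstrate():
    """Run both lookups with a normal username and with the injection payload."""
    conn = make_db()
    try:
        return {
            "vulnerable_normal": find_user_vulnerable(conn, "alice"),
            "vulnerable_payload": find_user_vulnerable(conn, INJECTION_PAYLOAD),
            "fixed_normal": find_user_fixed(conn, "alice"),
            "fixed_payload": find_user_fixed(conn, INJECTION_PAYLOAD),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, rows in demonstrate().items():
        print(f"{label}: {rows}")
```

The parameterized version returns nothing for the payload because no user is literally named `nobody' OR '1'='1`; the concatenated version returns all three rows. The same contrast is what a SAT notification for this sample is asking the developer to recognise and apply.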

Authors
Mohammad Tahaei
University of Edinburgh, Edinburgh, United Kingdom
Kami Vaniea
University of Edinburgh, Edinburgh, United Kingdom
Konstantin (Kosta) Beznosov
University of British Columbia, Vancouver, British Columbia, Canada
Maria K. Wolters
University of Edinburgh, Edinburgh, United Kingdom
DOI

10.1145/3411764.3445616

Paper URL

https://doi.org/10.1145/3411764.3445616

Conference: CHI 2021

The ACM CHI Conference on Human Factors in Computing Systems (https://chi2021.acm.org/)

Session: Developers / Authentication / Privacy Risks from Children to Adults

[A] Paper Room 12, 2021-05-12 17:00:00~2021-05-12 19:00:00 / [B] Paper Room 12, 2021-05-13 01:00:00~2021-05-13 03:00:00 / [C] Paper Room 12, 2021-05-13 09:00:00~2021-05-13 11:00:00