A cross-tool communication study on program analysis tool notifications

Pandita, Rahul; SMITH, JEAN C.; Ford, Denae; Elder, Sarah; Murphy-Hill, Emerson; Heckman, Sarah; Sadowski, Caitlin

doi:10.1145/2950290.2950304

Cited by 24 publications

(10 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Looking at SAT notification information specifically, notification content can be confusing and require a search engine to understand the words used [53]. Empirically, developers also require an unexpectedly large amount of time to fix low-complexity SAT-identified issues [46] suggesting that comprehending and applying the notification content was not straight-forward.…”

Section: Communicating With Developersmentioning

confidence: 99%

“…These results suggest that there is room for improvement in our understanding of how developers interpret SAT notification content and how that interpretation translates into their ability to correct identified issues. We extend the body of research on developers comprehension of and attitudes towards SAT security notification [53,54,89,90] by conducting a quantitative study with a larger sample and also looking at the effectiveness of SAT security notification content at assisting developers in fixing vulnerabilities.…”

Section: Communicating With Developersmentioning

confidence: 99%

“…SAT notification content can also be hard to understand [72,82]. Developers use web search engines to figure out what SAT notifications say [53]. At Microsoft, developers ranked "bad error messages" as their second most important issue with SATs [22], it was also the case that 75% of Google developer SAT bug reports were because of notifications misunderstandings [83].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Tahaei

Vaniea

Beznosov

et al. 2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

Static analysis tools (SATs) have the potential to assist developers in finding and fixing vulnerabilities in the early stages of software development, requiring them to be able to understand and act on tools' notifications. To understand how helpful such SAT guidance is to developers, we ran an online experiment (N=132) where participants were shown four vulnerable code samples (SQL injection, hard-coded credentials, encryption, and logging sensitive data) along with SAT guidance, and asked to indicate the appropriate fix. Participants had a positive attitude towards both SAT notifications and particularly liked the example solutions and vulnerable code. Seeing SAT notifications also led to more detailed open-ended answers and slightly improved code correction answers. Still, most SAT (SpotBugs 67%, SonarQube 86%) and Control (96%) participants answered at least one code-correction question incorrectly. Prior software development experience, perceived vulnerability severity, and answer confidence all positively impacted answer accuracy. CCS CONCEPTS• Human-centered computing → Empirical studies in HCI; • Security and privacy → Usability in security and privacy; Software and application security.

show abstract

Section: Communicating With Developersmentioning

confidence: 99%

Section: Communicating With Developersmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Tahaei

Vaniea

Beznosov

et al. 2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

show abstract

“…Software engineering researchers and practitioners are often frustrated by the low adoption of practices and tools, such as static analysis, refactoring tools, program comprehension, or security testing, even though many of them are generally perceived to be beneficial. Researchers have found a wide range of technical and social pain points in tool adoption, such as false positives in static analysis tools [e.g., 39,64,71], missing trust in correctness [e.g., 74], crypting tool messages [e.g., 38,39], slow response times [e.g., 80], lack of workflow integration [e.g., 36,41,64,86], lack of collaboration support [39], lack of management buy-in [e.g., 18,80], overwhelming configuration effort [e.g., 25,36,39,71,80], and simply a lack of knowledge about tools [e.g., 60,74,87]. In response, most software engineering research has focused on technical solutions, such as improving functionality, accuracy, and performance [e.g., 8,64,72], improving usability [e.g., 38,46,51,72,79], and improving discoverability through recommendation mechanisms or process integration [e.g., 49,64,87].…”

Section: Theory and Related Workmentioning

confidence: 99%

Heard it through the Gitvine: an empirical study of tool diffusion across the npm ecosystem

Lamba

Trockman

Armanios

et al. 2020

Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Softw

View full text Add to dashboard Cite

“…Johnson et al [46], who investigated the reasons why developers rarely used static analyzers, found that large volumes of warnings, false positives, and poor warning presentation caused developers to stop using analyzers. Furthermore, Johnson et al [45] conducted a qualitative study, in which 26 participants interacted with warnings from FindBugs, the Eclipse Compiler, and EclEmma. The authors presented their resulting communication theory, which revealed understanding the notifications posed multiple challenges, which are caused by gaps and mismatches between developers' programming knowledge and communication methods used by the notifications.…”

Section: Related Workmentioning

confidence: 99%

One size does not fit all

Danilova

Naiakshina

Smith

2020

Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering

View full text Add to dashboard Cite

A wide range of tools exist to assist developers in creating secure software. Many of these tools, such as static analysis engines or security checkers included in compilers, use warnings to communicate security issues to developers. The effectiveness of these tools relies on developers heeding these warnings, and there are many ways in which these warnings could be displayed. Johnson et al. [46] conducted qualitative research and found that warning presentation and integration are main issues. We built on Johnson et al.'s work and examined what developers want from security warnings, including what form they should take and how they should integrate into their workflow and work context. To this end, we conducted a Grounded Theory study with 14 professional software developers and 12 computer science students as well as a focus group with 7 academic researchers to gather qualitative insights. To back up the theory developed from the qualitative research, we ran a quantitative survey with 50 professional software developers. Our results show that there is significant heterogeneity amongst developers and that no one warning type is preferred over all others. The context in which the warnings are shown is also highly relevant, indicating that it is likely to be beneficial if IDEs and other development tools become more flexible in their warning interactions with developers. Based on our findings, we provide concrete recommendations for both future research as well as how IDEs and other security tools can improve their interaction with developers. CCS CONCEPTS • Human-centered computing → Empirical studies in HCI; • Security and privacy → Usability in security and privacy.

show abstract

A cross-tool communication study on program analysis tool notifications

Cited by 24 publications

References 32 publications

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Heard it through the Gitvine: an empirical study of tool diffusion across the npm ecosystem

One size does not fit all

Contact Info

Product

Resources

About