A Stitch in Time

Nguyen, Duc Cuong; Wermke, Dominik; Acar, Yasemin; Backes, Michael; Weir, Charles; Fahl, Sascha

doi:10.1145/3133956.3133977

Cited by 58 publications

(16 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Security and privacy can be challenging for developers to get right, even with the support of tools [12,22,49]. Developer errors are a common source of vulnerabilities [24] with many causes ranging from APIs with poor developer support [1,47] to static analysis tools that produce too many false positives [38].…”

Section: Introductionmentioning

confidence: 99%

Understanding Privacy-Related Questions on Stack Overflow

Tahaei

Vaniea

Saphra

2020

Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

We analyse Stack Overflow (SO) to understand challenges and confusions developers face while dealing with privacy-related topics. We apply topic modelling techniques to 1,733 privacyrelated questions to identify topics and then qualitatively analyse a random sample of 315 privacy-related questions. Identified topics include privacy policies, privacy concerns, access control, and version changes. Results show that developers do ask SO for support on privacy-related issues. We also find that platforms such as Apple and Google are defining privacy requirements for developers by specifying what "sensitive" information is and what types of information developers need to communicate to users (e.g. privacy policies). We also examine the accepted answers in our sample and find that 28% of them link to official documentation and more than half are answered by SO users without references to any external resources.

show abstract

Section: Introductionmentioning

confidence: 99%

Understanding Privacy-Related Questions on Stack Overflow

Tahaei

Vaniea

Saphra

2020

Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

show abstract

“…This means that developers were only aware of such security mistakes at the end of or after their development cycle. Other tools [29,39] provided developers support while they were writing code. Krüger et al [29] developed Cognicryptto support developers in securely using crypto APIs.…”

Section: Related Workmentioning

confidence: 99%

Up2Dep: Android Tool Support to Fix Insecure Code Dependencies

Nguyen

Derr

Backes

et al. 2020

Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

“…Nguyen et al [55] proposed the plugin FixDroid, which offered warnings and quick fix dialogues for security issues in the Android Studio IDE, and found that developers approved FixDroid, which helped produce more secure code.…”

Section: Related Workmentioning

confidence: 99%

“…Many tools can be used by developers to spot potential security issues, such as compilers or static and dynamic code analyzers (e.g., [12,47,55]) and there is already work underway looking at these different types of systems. For instance, recent work by Gorski et al has shown that warnings shown by the compiler can improve code security [42]; however, Barik et al showed that reading compiler warnings takes a significant amount of effort and that improvements are needed [11,12].…”

Section: Introductionmentioning

confidence: 99%

One size does not fit all

Danilova

Naiakshina

Smith

2020

Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering

View full text Add to dashboard Cite

A wide range of tools exist to assist developers in creating secure software. Many of these tools, such as static analysis engines or security checkers included in compilers, use warnings to communicate security issues to developers. The effectiveness of these tools relies on developers heeding these warnings, and there are many ways in which these warnings could be displayed. Johnson et al. [46] conducted qualitative research and found that warning presentation and integration are main issues. We built on Johnson et al.'s work and examined what developers want from security warnings, including what form they should take and how they should integrate into their workflow and work context. To this end, we conducted a Grounded Theory study with 14 professional software developers and 12 computer science students as well as a focus group with 7 academic researchers to gather qualitative insights. To back up the theory developed from the qualitative research, we ran a quantitative survey with 50 professional software developers. Our results show that there is significant heterogeneity amongst developers and that no one warning type is preferred over all others. The context in which the warnings are shown is also highly relevant, indicating that it is likely to be beneficial if IDEs and other development tools become more flexible in their warning interactions with developers. Based on our findings, we provide concrete recommendations for both future research as well as how IDEs and other security tools can improve their interaction with developers. CCS CONCEPTS • Human-centered computing → Empirical studies in HCI; • Security and privacy → Usability in security and privacy.

show abstract

A Stitch in Time

Cited by 58 publications

References 27 publications

Understanding Privacy-Related Questions on Stack Overflow

Understanding Privacy-Related Questions on Stack Overflow

Up2Dep: Android Tool Support to Fix Insecure Code Dependencies

One size does not fit all

Contact Info

Product

Resources

About