An Anatomy of Security Conversations in Stack Overflow

López, Tamara González; Tun, Thein Than; Bandara, Arosha K.; Levine, Mark; Nuseibeh, Bashar; Sharp, Helen

doi:10.1109/icse-seis.2019.00012

Cited by 27 publications

(26 citation statements)

References 31 publications

(46 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Researchers have also studied the topics developers talk about; including analysis with natural language processing techniques (NLP) [5,16,18,56,71,76] and manual qualitative techniques [18,36,43,44,47,48,52,55,71]. For example, an analysis of questions about Puppet, a configuration language tool, shows a need to support Puppet syntax error finding [55].…”

Section: Stack Overflowmentioning

confidence: 99%

“…It attracts a wide range of developers who ask questions about programming, security, and data management [18,56,76]. SO's dataset has been heavily used for research on such topics as: what factors makes it a successful Q&A platform [45], security issues developers face and how they interact and build knowledge around it [43,76], and the negative impact of SO code snippets in software security [2].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Understanding Privacy-Related Questions on Stack Overflow

Tahaei

Vaniea

Saphra

2020

Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

We analyse Stack Overflow (SO) to understand challenges and confusions developers face while dealing with privacy-related topics. We apply topic modelling techniques to 1,733 privacyrelated questions to identify topics and then qualitatively analyse a random sample of 315 privacy-related questions. Identified topics include privacy policies, privacy concerns, access control, and version changes. Results show that developers do ask SO for support on privacy-related issues. We also find that platforms such as Apple and Google are defining privacy requirements for developers by specifying what "sensitive" information is and what types of information developers need to communicate to users (e.g. privacy policies). We also examine the accepted answers in our sample and find that 28% of them link to official documentation and more than half are answered by SO users without references to any external resources.

show abstract

Section: Stack Overflowmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Understanding Privacy-Related Questions on Stack Overflow

Tahaei

Vaniea

Saphra

2020

Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

show abstract

“…The interactions and conversations we have observed within office settings [9] and comment streams on Stack Overflow [7], [8] suggest that secure coding practice is supported in both kinds of environment through personal networks of practice [14] that operate within larger environments. Online, in websites like Stack Overflow, such networks operate within the comment streams attached to question and answer posts.…”

Section: Network Of Practicementioning

confidence: 99%

“…It takes time to learn and understand good practices, and the shifting landscape of threats requires ongoing attention to ensure that mechanisms remain effective and up-to-date. Security tagged posts on Stack Overflow reflect this, and often remain active for months or even years after an answer is accepted [8]. Ongoing activity may be primarily curatorial-links might be kept up-to-date or added to dictionary entries or other documents, or the language of the question and answer posts might be refined for clarity.…”

Section: Look For Tended Posts and Comment Streamsmentioning

confidence: 99%

“…Our larger research program is investigating ways to initiate and sustain secure software development practice. In a series of studies, we have shown how developers talk about security in Stack Overflow posts given the "security" tag [7] [8], and examined how security figures into practice within office settings [9]. The approach taken in these studies does not assess the quality of the information about security developers provide to one another, but rather seeks to understand more about how they engage with and guide one another in practice.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Taking the Middle Path: Learning About Security Through Online Social Interaction

et al. 2020

Self Cite

View full text Add to dashboard Cite

As software-intensive digital systems become an integral part of modern life, ensuring that these systems are developed to satisfy security and privacy requirements is an increasingly important societal concern. Integrating security into software development involves more than learning security principles or applying techniques. Security in practice is shaped through experience. It can be integrated into software development by following a middle path, through which developers draw together formal knowledge and software development techniques. Social interactions facilitate this process. This article recommends four strategies developers can use to maximise security in practice using online communities like Stack Overflow, including approaching security from within specific tasks, critically assessing content in posts, actively participating, and bringing online information into real-world situations.

show abstract