The Impact of Surface Features on Choice of (in)Secure Answers by Stackoverflow Readers

Linden, Dirk van der; Williams, Emma; Hallett, Joseph; Rashid, Awais

doi:10.1109/tse.2020.2981317

Cited by 10 publications

(11 citation statements)

References 48 publications

(122 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If a developer struggles to understand how to use an API correctly (the miscommunication challenge in Table I), they may search Stack Overflow for solutions. The answers to Stack Overflow questions are voted and this may create herding behaviors (Table II), regardless of whether the answer they follow is correct or not [42]. The intangibility challenge represents a challenge with security as a whole, rather than being specific to any particular development practice.…”

Section: Challenges and Consequent Behaviorsmentioning

confidence: 99%

“…Van der Linden et al conduct an observation of developer's use of Stack Overflow with 1,188 participants. They found developers go by surface features of Stack Overflow posts (such as answer length) over correctness [42]. Hidden information has a bearing on our characterization of shifting responsibility.…”

Section: Mental Models Shifting Responsibilitymentioning

confidence: 99%

“…• Prior Beliefs -Developers exhibit a tendency to bring their own privacy and security beliefs into their development process. [2], [4], [10], [27], [28], [42], [43], [45], [46], [49], [52], [53] Herding…”

Section: Biasmentioning

confidence: 99%

“…The incentives for inducing developers to spend the effort to program securely are also not aligned with expected returns from doing so [28], [48]. The challenges result in bias and group behavior [42], [52]. The improvisations to which developers resort are aided by online sources which can be insecure [43], [52], [59].…”

Section: Table III Describes Four Classes Of Interventions Proposed Tomentioning

confidence: 99%

See 3 more Smart Citations

Developers Are Neither Enemies Nor Users: They Are Collaborators

Chowdhury

Hallett

Patnaik

et al. 2021

2021 IEEE Secure Development Conference (SecDev)

Self Cite

View full text Add to dashboard Cite

Developers struggle to program securely. Prior works have reviewed the methods used to run user-studies with developers, systematized the ancestry of security API usability recommendations, and proposed research agendas to help understand developers' knowledge, attitudes towards security and priorities. In contrast we study the research to date and abstract out categories of challenges, behaviors and interventions from the results of developer-centered studies. We analyze the abstractions and identify five misplaced beliefs or tropes about developers embedded in the core design of APIs and tools. These tropes hamper the effectiveness of interventions to help developers program securely. Increased collaboration between developers, security experts and API designers to help developers understand the security assumptions of APIs alongside creating new useful abstractions-derived from such collaborations-will lead to systems with better security.

show abstract

Section: Challenges and Consequent Behaviorsmentioning

confidence: 99%

Section: Mental Models Shifting Responsibilitymentioning

confidence: 99%

Section: Biasmentioning

confidence: 99%

Section: Table III Describes Four Classes Of Interventions Proposed Tomentioning

confidence: 99%

See 2 more Smart Citations

Developers Are Neither Enemies Nor Users: They Are Collaborators

Chowdhury

Hallett

Patnaik

et al. 2021

2021 IEEE Secure Development Conference (SecDev)

Self Cite

View full text Add to dashboard Cite

show abstract

“…For instance, profiling developer expertise contributes to heightening the members' awareness about the reliability of responses [5] [6]. In particular, platforms such as Stack Overflow contain insecure code snippets and inexperienced developers blindly use such snippets [7]. Due to the lack of secure code examples in cryptography, we hypothesize that mapping the activity of top crypto developers cross-platform can provide an interesting path to find and evaluate their practices from the security perspective, and present such results for developers who are looking for reliable, secure crypto examples.…”

Section: Introductionmentioning

confidence: 99%

Crypto Experts Advise What They Adopt

Hazhirpasand¹,

Nierstrasz²,

Ghafari³

2021

Preprint

View full text Add to dashboard Cite

Previous studies have shown that developers regularly seek advice on online forums to resolve their cryptography issues. We investigated whether users who are active in cryptography discussions also use cryptography in practice. We collected the top 1% of responders who have participated in crypto discussions on Stack Overflow, and we manually analyzed their crypto contributions to open source projects on GitHub. We could identify 319 GitHub profiles that belonged to such crypto responders and found that 189 of them used cryptography in their projects. Further investigation revealed that the majority of analyzed users (i.e., 85%) use the same programming languages for crypto activity on Stack Overflow and crypto contributions on GitHub. Moreover, 90% of the analyzed users employed the same concept of cryptography in their projects as they advised about on Stack Overflow.

show abstract