Challenges with Responding to Static Analysis Tool Alerts

Imtiaz, Nasif; Rahman, Akond; Farhana, Effat; Williams, Laurie

doi:10.1109/msr.2019.00049

Cited by 33 publications

(17 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Researchers have also studied the topics developers talk about; including analysis with natural language processing techniques (NLP) [5,16,18,56,71,76] and manual qualitative techniques [18,36,43,44,47,48,52,55,71]. For example, an analysis of questions about Puppet, a configuration language tool, shows a need to support Puppet syntax error finding [55].…”

Section: Stack Overflowmentioning

confidence: 99%

Understanding Privacy-Related Questions on Stack Overflow

Tahaei

Vaniea

Saphra

2020

Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

We analyse Stack Overflow (SO) to understand challenges and confusions developers face while dealing with privacy-related topics. We apply topic modelling techniques to 1,733 privacyrelated questions to identify topics and then qualitatively analyse a random sample of 315 privacy-related questions. Identified topics include privacy policies, privacy concerns, access control, and version changes. Results show that developers do ask SO for support on privacy-related issues. We also find that platforms such as Apple and Google are defining privacy requirements for developers by specifying what "sensitive" information is and what types of information developers need to communicate to users (e.g. privacy policies). We also examine the accepted answers in our sample and find that 28% of them link to official documentation and more than half are answered by SO users without references to any external resources.

show abstract

Section: Stack Overflowmentioning

confidence: 99%

Understanding Privacy-Related Questions on Stack Overflow

Tahaei

Vaniea

Saphra

2020

Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

show abstract

“…The experience the organisation has had with program analysis is similar to that described in the literature [1]- [3]. This has lead to practices where teams reduce the noise by a limited selection of analyzers (Finding 2).…”

Section: III Discussionmentioning

confidence: 79%

“…Program analysis tools can provide useful information to help software developers improve performance, make code more maintainable, fix bugs and perform many other tasks. However, the use of program analysis results is hindered by a number of usability issues [1]- [3]. These include distracting false positives, incomprehensible messages, and poor integration into developer's workflows.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Case Study on Data-Driven Deployment of Program Analysis on an Open Tools Stack

Ljungberg¹,

Akerman²,

Söderberg

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)

View full text Add to dashboard Cite

Program analysis can assist software development but its use is limited by a number of usability issues, including false positives and integration issues. Previous systems have show significant progress addressing these by using a data-driven approach to track the 'not useful' results, and integrating the results into code review. However, these systems were very context dependent. In this paper, we motivate the application of the same data-driven principles and code-review based integration to the design of the MEAN system, an analysis infrastructure running on an open tools stack. We then evaluate its implementation within a local software company, and present implications for the design of future program analysis systems.

show abstract

“…To select which SATs to use in the study, we made a list of SATs that appeared in: (1) SAT benchmark papers [43,79], (2) developer studies [6,88], and (3) Stack Overflow discussions about SATs [47]. Then, we filtered for SATs that appeared in more than one source and had pre-written security rules capable of detecting a range of vulnerabilities.…”

Section: Tool Selectionmentioning

confidence: 99%

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Tahaei

Vaniea

Beznosov

et al. 2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

Static analysis tools (SATs) have the potential to assist developers in finding and fixing vulnerabilities in the early stages of software development, requiring them to be able to understand and act on tools' notifications. To understand how helpful such SAT guidance is to developers, we ran an online experiment (N=132) where participants were shown four vulnerable code samples (SQL injection, hard-coded credentials, encryption, and logging sensitive data) along with SAT guidance, and asked to indicate the appropriate fix. Participants had a positive attitude towards both SAT notifications and particularly liked the example solutions and vulnerable code. Seeing SAT notifications also led to more detailed open-ended answers and slightly improved code correction answers. Still, most SAT (SpotBugs 67%, SonarQube 86%) and Control (96%) participants answered at least one code-correction question incorrectly. Prior software development experience, perceived vulnerability severity, and answer confidence all positively impacted answer accuracy. CCS CONCEPTS• Human-centered computing → Empirical studies in HCI; • Security and privacy → Usability in security and privacy; Software and application security.

show abstract

Challenges with Responding to Static Analysis Tool Alerts

Cited by 33 publications

References 17 publications

Understanding Privacy-Related Questions on Stack Overflow

Understanding Privacy-Related Questions on Stack Overflow

Case Study on Data-Driven Deployment of Program Analysis on an Open Tools Stack

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Contact Info

Product

Resources

About