Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems 2021
DOI: 10.1145/3411764.3445616
|View full text |Cite
|
Sign up to set email alerts
|

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Abstract: Static analysis tools (SATs) have the potential to assist developers in finding and fixing vulnerabilities in the early stages of software development, requiring them to be able to understand and act on tools' notifications. To understand how helpful such SAT guidance is to developers, we ran an online experiment (N=132) where participants were shown four vulnerable code samples (SQL injection, hard-coded credentials, encryption, and logging sensitive data) along with SAT guidance, and asked to indicate the ap… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
1
1
1
1

Citation Types

0
10
0

Year Published

2021
2021
2023
2023

Publication Types

Select...
4
3
1

Relationship

3
5

Authors

Journals

citations
Cited by 22 publications
(10 citation statements)
references
References 86 publications
0
10
0
Order By: Relevance
“…But there are few tools that help developers write things like user-friendly consent popups and accurate privacy policies, and even fewer that take into account both regulations and the current behaviours of common third-party APIs [44,46], like ad networks. A line of future research would be to look into the practicalities of creating such a tool, potentially learning from usability studies in security APIs [16,23] and notifcations [47]. Ad networks also implied that making the more privacy-friendly choices would negatively impact developers' ability to make money from the ads.…”
Section: Discussion and Future Workmentioning
confidence: 99%
“…But there are few tools that help developers write things like user-friendly consent popups and accurate privacy policies, and even fewer that take into account both regulations and the current behaviours of common third-party APIs [44,46], like ad networks. A line of future research would be to look into the practicalities of creating such a tool, potentially learning from usability studies in security APIs [16,23] and notifcations [47]. Ad networks also implied that making the more privacy-friendly choices would negatively impact developers' ability to make money from the ads.…”
Section: Discussion and Future Workmentioning
confidence: 99%
“…After recognition of the human factor as one of the main elements of secure systems in the early 2000s [1,87], in the 2010s, researchers started to study security and privacy interfaces directed at developers. Early work found that security libraries and tools can be unusable and counterintuitive (e.g., cryptographic libraries and static analysis tools), resulting in developers not being able to fully benefit from these tools or sometimes making mistakes that can lead to security vulnerabilities [21,24,28,73,79]. Moving to the privacy domain, privacy is often overloaded with legal language, which makes it difficult for developers first to understand it and second to transfer it to technical requirements [11,77].…”
Section: Privacy Studies With Developersmentioning
confidence: 99%
“…We recruited participants from four channels: Freelancer.com, CS student mailing list, Prolific, and social media. These channels have been used to recruit participants for studies with developers [73,79,84].…”
Section: Recruitmentmentioning
confidence: 99%
“…The study conducted in [116] performed an online experiment where Android developers were the participants. Vulnerable code samples containing hard-coded credentials, encryptions, Structured Query Language (SQL) injections, and logging with sensitive data were given to the participants together with the guidance of static analysis tools and asked to indicate the appropriate fix.…”
Section: Static Dynamic and Hybrid Source Code Analysismentioning
confidence: 99%