One Size Does Not Fit All: A Grounded Theory and Online Survey Study of Developer Preferences for Security Warning Types
A wide range of tools exist to assist developers in creating secure software. Many of these tools, such as static analysis engines or security checkers included in compilers, use warnings to communicate security issues to developers. The effectiveness of these tools relies on developers heeding these warnings, and there are many ways in which these warnings could be displayed. While ample research has been invested into understanding how end users interact with security warnings, there is far less information on developers. For this paper, we intend to gather insights into what developers want from security warnings, including what form they should take and how they should integrate into their workflow and work context. To this end, we conducted a Grounded Theory study with 14 professional software developers and 12 computer science students as well as a focus group with 7 academic researchers to gather qualitative insights. To back up the theories developed from the qualitative research, we ran a quantitative survey with 50 professional software developers. Our results show that there is significant heterogeneity amongst developers and that no one warning type is preferred over all others. The context in which the warnings are shown is also highly relevant, indicating that it is likely to be beneficial if IDEs and other development tools become more flexible in their warning interactions with developers. Based on our findings, we provide concrete recommendations for both future research as well as how IDEs and other security tools can improve their interaction with developers.
Tue 7 Jul (displayed time zone: UTC, Coordinated Universal Time)
07:00 - 08:00 | I2-Security | New Ideas and Emerging Results / Technical Papers | at Goguryeo | Chair(s): Andrea Stocco (Università della Svizzera italiana)

07:00 | 12m Talk | Targeted Greybox Fuzzing with Static Lookahead Analysis | Technical Papers | Pre-print

07:12 | 12m Talk | HyDiff: Hybrid Differential Software Analysis | Technical Papers | Yannic Noller (Humboldt-Universität zu Berlin), Corina S. Pasareanu (Carnegie Mellon University Silicon Valley, NASA Ames Research Center), Marcel Böhme (Monash University), Youcheng Sun (Queen's University Belfast), Hoang Lam Nguyen (Humboldt-Universität zu Berlin), Lars Grunske (Humboldt-Universität zu Berlin) | Pre-print

07:24 | 12m Talk | Towards Characterizing Adversarial Defects of Deep Learning Software from the Lens of Uncertainty | Technical Papers | Xiyue Zhang (Peking University), Xiaofei Xie (Nanyang Technological University), Lei Ma (Kyushu University), Xiaoning Du (Nanyang Technological University), Qiang Hu (Kyushu University, Japan), Yang Liu (Nanyang Technological University, Singapore), Jianjun Zhao (Kyushu University), Meng Sun (Peking University) | Pre-print

07:36 | 12m Talk | One Size Does Not Fit All: A Grounded Theory and Online Survey Study of Developer Preferences for Security Warning Types | Technical Papers | Anastasia Danilova (University of Bonn), Alena Naiakshina (University of Bonn), Matthew Smith (University of Bonn, Fraunhofer FKIE)

07:48 | 6m Talk | Hey, my data are mine! Active data to empower the user | New Ideas and Emerging Results | Gian Luca Scoccia (University of L'Aquila), Matteo Maria Fiore (University of L'Aquila), Patrizio Pelliccione (University of L'Aquila and Chalmers | University of Gothenburg), Marco Autili (University of L'Aquila, Italy), Paola Inverardi (University of L'Aquila), Alejandro Russo (Chalmers University of Technology, Sweden)

07:54 | 6m Talk | Threat modeling: from infancy to maturity | New Ideas and Emerging Results | Koen Yskout (imec - DistriNet, KU Leuven), Thomas Heyman (Toreon), Dimitri Van Landuyt (Katholieke Universiteit Leuven), Laurens Sion (imec-DistriNet, KU Leuven), Kim Wuyts (imec-DistriNet, KU Leuven), Wouter Joosen (Katholieke Universiteit Leuven) | Pre-print