What Questions Remain? An Examination of How Developers Understand an Interactive Static Analysis Tool

Authors: 

Tyler W Thomas, Heather Lipford, and Bill Chu, University of North Carolina at Charlotte; Justin Smith and Emerson Murphy-Hill, North Carolina State University

Abstract: 

Security vulnerabilities are often accidentally introduced as developers implement code. While there are a variety of existing tools to help detect security vulnerabilities, they are seldom used by developers due to the time or security expertise required. We are investigating techniques integrated within the IDE to help developers detect and mitigate security vulnerabilities. In previous work, we examined the questions developers ask when investigating security vulnerabilities with static analysis tools. With those questions as a lens, we now investigate our proposed approach of interactive static analysis. We evaluated the interactions and perceptions of professional developers as they interacted with warnings produced by our tool. Our results provide evidence that our approach e ectively communicates security vulnerability information to software developers and provides design guidance for such tools.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

Thomas PDF
BibTeX
@inproceedings {197848,
author = {Tyler W. Thomas and Heather Lipford and Bill Chu and Justin Smith and Emerson Murphy-Hill},
title = {What Questions Remain? An Examination of How Developers Understand an Interactive Static Analysis Tool},
booktitle = {Twelfth Symposium on Usable Privacy and Security ({SOUPS} 2016)},
year = {2016},
address = {Denver, CO},
url = {https://www.usenix.org/conference/soups2016/workshop-program/wsiw16/presentation/thomas},
publisher = {{USENIX} Association},
}
Download