Visible to the public One Size Does Not Fit All: A Grounded Theory and Online Survey Study of Developer Preferences for Security Warning Types

TitleOne Size Does Not Fit All: A Grounded Theory and Online Survey Study of Developer Preferences for Security Warning Types
Publication TypeConference Paper
Year of Publication2020
AuthorsDanilova, A., Naiakshina, A., Smith, M.
Conference Name2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE)
Date Publishedoct
Keywords14 professional software developers, 50 professional software developers, code security, compiler security, compositionality, developer preferences, developer security warnings, development tools, Grounded Theory study, machine learning, Metrics, Organizations, program diagnostics, pubcrawl, Qualitative research, Resiliency, Scalability, secure software, security, security checkers, security issues, security of data, security tools, security warning types, security warnings, Software, Software development, software engineering, static analysis, static analysis engines, Tools, warning interactions, warning type
AbstractA wide range of tools exist to assist developers in creating secure software. Many of these tools, such as static analysis engines or security checkers included in compilers, use warnings to communicate security issues to developers. The effectiveness of these tools relies on developers heeding these warnings, and there are many ways in which these warnings could be displayed. Johnson et al. [46] conducted qualitative research and found that warning presentation and integration are main issues. We built on Johnson et al.'s work and examined what developers want from security warnings, including what form they should take and how they should integrate into their workflow and work context. To this end, we conducted a Grounded Theory study with 14 professional software developers and 12 computer science students as well as a focus group with 7 academic researchers to gather qualitative insights. To back up the theory developed from the qualitative research, we ran a quantitative survey with 50 professional software developers. Our results show that there is significant heterogeneity amongst developers and that no one warning type is preferred over all others. The context in which the warnings are shown is also highly relevant, indicating that it is likely to be beneficial if IDEs and other development tools become more flexible in their warning interactions with developers. Based on our findings, we provide concrete recommendations for both future research as well as how IDEs and other security tools can improve their interaction with developers.
Citation Keydanilova_one_2020