Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Static analysis tools (SATs) have the potential to assist developers in finding and fixing vulnerabilities in the early stages of software development, requiring them to be able to understand and act on tools’ notifications. To understand how helpful such SAT guidance is to developers, we ran an online experiment (N=132) where participants were shown four vulnerable code samples (SQL injection, hard-coded credentials, encryption, and logging sensitive data) along with SAT guidance, and asked to indicate the appropriate fix. Participants had a positive attitude towards both SAT notifications and particularly liked the example solutions and vulnerable code. Seeing SAT notifications also led to more detailed open-ended answers and slightly improved code correction answers. Still, most SAT (SpotBugs 67%, SonarQube 86%) and Control (96%) participants answered at least one code-correction question incorrectly. Prior software development experience, perceived vulnerability severity, and answer confidence all positively impacted answer accuracy.

• Publication year

  2021

• Venue

  International Conference on Human Factors in Computing Systems

• Publication date

  2021-05-06

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1145/3411764.3445616
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Programming Skills

  2022cited by this paper
• MAdLens: Investigating Into Android In-App Ad Practice at API Granularity

  2021cited by this paper
• Fluid Intelligence Doesn't Matter! Effects of Code Examples on the Usability of Crypto APIs

  2020cited by this paper
• Will You Trust This TLS Certificate?

  2020cited by this paper
• Schrödinger's Security: Opening the Box on App Developers' Security Rationale

  2020cited by this paper
• Why Do Software Developers Use Static Analysis Tools? A User-Centered Study of Developer Needs and Motivations

  2020cited by this paper
• DoD Developer’s Guidebook for Software Assurance

  2020cited by this paper
• Why Can't Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for Security

  2020influential reference
• A Case Study of Software Security Red Teams at Microsoft

  2020influential reference
• Coding Practices and Recommendations of Spring Security for Enterprise Applications

  2020cited by this paper
• Sensei: Enforcing secure coding guidelines in the integrated development environment

  2020cited by this paper
• One Size Does Not Fit All: A Grounded Theory and Online Survey Study of Developer Preferences for Security Warning Types

  2020cited by this paper
• On Conducting Security Developer Studies with CS Students: Examining a Password-Storage Study with CS Students, Freelancers, and Company Developers

  2020cited by this paper
• Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs

  2020cited by this paper
• Building and Validating a Scale for Secure Software Development Self-Efficacy

  2020cited by this paper
• A Survey on Developer-Centred Security

  2019cited by this paper
• A synopsis of static analysis alerts on open source software

  2019cited by this paper
• The Seven Sins: Security Smells in Infrastructure as Code Scripts

  2019cited by this paper
• "If you want, I can store the encrypted password": A Password-Storage Field Study with Freelance Developers

  2019cited by this paper
• How Developers Diagnose Potential Security Vulnerabilities with a Static Analysis Tool

  2019cited by this paper
• Securing the Human: A Review of Literature on Broadening Diversity in Cybersecurity Education

  2019cited by this paper
• How Do Developers Act on Static Analysis Alerts? An Empirical Study of Coverity Usage

  2019cited by this paper
• Compiler Error Messages Considered Unhelpful: The Landscape of Text-Based Programming Error Message Research

  2019cited by this paper
• CryptoAPI-Bench: A Comprehensive Benchmark on Java Cryptographic API Misuses

  2019cited by this paper
• Static Analysis for Proactive Security

  2019cited by this paper
• Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers

  2019cited by this paper
• Scaling static analyses at Facebook

  2019cited by this paper
• How developers engage with static analysis tools in different contexts

  2019cited by this paper
• Challenges with Responding to Static Analysis Tool Alerts

  2019cited by this paper
• How Usable Are Rust Cryptography APIs?

  2018cited by this paper
• Lessons from building static analysis tools at Google

  2018influential reference
• Static Analysis-Based Approaches for Secure Software Development

  2018cited by this paper
• Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic API Misuse

  2018influential reference
• How Many of All Bugs Do We Find? A Study of Static Bug Detectors

  2018cited by this paper
• "We make it a big deal in the company": Security Mindsets in Organizations that Develop Cryptographic Products

  2018cited by this paper
• An Empirical Assessment of Security Risks of Global Android Banking Apps

  2018cited by this paper
• The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators

  2018cited by this paper
• Context is king: The developer perspective on the usage of static analysis tools

  2018cited by this paper
• Communication-Human Information Processing (C-HIP) Model in Forensic Warning Analysis

  2018cited by this paper
• CryptoGuard: High Precision Detection of Cryptographic Vulnerabilities in Massive-sized Java Projects

  2018influential reference
• How should compilers explain problems to developers?

  2018cited by this paper
• Usability and Security Effects of Code Examples on Crypto APIs

  2018cited by this paper
• Comparing the Usability of Cryptographic APIs

  2017cited by this paper
• Secure Coding Practices in Java: Challenges and Vulnerabilities

  2017cited by this paper
• CogniCrypt: Supporting developers in using cryptography

  2017cited by this paper
• Static analysis of android apps: A systematic literature review

  2017cited by this paper
• A Stitch in Time: Supporting Android Developers in WritingSecure Code

  2017cited by this paper
• Security Developer Studies with GitHub Users: Exploring a Convenience Sample

  2017cited by this paper
• Do Developers Read Compiler Error Messages?

  2017cited by this paper
• Bad and good news about using software assurance tools

  2017cited by this paper
• Why Do Developers Get Password Storage Wrong?: A Qualitative Usability Study

  2017cited by this paper
• How Open Source Projects Use Static Code Analysis Tools in Continuous Integration Pipelines

  2017cited by this paper
• Identifying and Documenting False Positive Patterns Generated by Static Code Analysis Tools

  2017cited by this paper
• Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security

  2017cited by this paper
• Beyond the Turk: Alternative Platforms for Crowdsourcing Behavioral Research

  2017influential reference
• You Get Where You're Looking for: The Impact of Information Sources on Code Security

  2016cited by this paper
• Encyclopedia Of Research Design

  2016cited by this paper
• Automated Analysis of Privacy Requirements for Mobile Apps

  2016cited by this paper
• What developers want and need from program analysis: An empirical study

  2016influential reference
• "Jumping Through Hoops": Why do Java Developers Struggle with Cryptography APIs?

  2016cited by this paper
• What Questions Remain? An Examination of How Developers Understand an Interactive Static Analysis Tool

  2016cited by this paper
• A cross-tool communication study on program analysis tool notifications

  2016influential reference
• Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software

  2016cited by this paper
• An Effective Approach to Enhancing Compiler Error Messages

  2016cited by this paper
• Developers are Not the Enemy!: The Need for Usable Security APIs

  2016cited by this paper
• Tricorder: Building a Program Analysis Ecosystem

  2015influential reference
• Questions developers ask while diagnosing potential security vulnerabilities with static analysis

  2015cited by this paper
• Should I Protect You? Understanding Developers' Behavior to Privacy-Preserving APIs

  2014cited by this paper
• Fitting Linear Mixed-Effects Models Using lme4

  2014cited by this paper
• It's the psychology stupid: how heuristics explain software vulnerabilities and how priming can illuminate developer's blind spots

  2014cited by this paper
• ALETHEIA: Improving the Usability of Static Security Analysis

  2014cited by this paper
• arm: Data Analysis Using Regression and Multilevel/Hierarchical Models

  2014cited by this paper
• Why don't software developers use static analysis tools to find bugs?

  2013influential reference
• Rethinking SSL development in an appified world

  2013cited by this paper
• Warning Design Guidelines

  2013cited by this paper
• Analyzing Likert Data

  2012cited by this paper
• The most dangerous code in the world: validating SSL certificates in non-browser software

  2012cited by this paper
• Analysis of covariance (ANCOVA)

  2010cited by this paper
• Exploratory Factor Analysis: A Five-Step Guide for Novices

  2010cited by this paper
• The Google FindBugs fixit

  2010influential reference
• On Compiler Error Messages: What They Say and What They Mean

  2010cited by this paper
• Data Analysis Using Regression and Multilevel/Hierarchical Models

  2009influential reference
• A report on a survey and study of static analysis users

  2008cited by this paper
• A Framework for Reasoning About the Human in the Loop

  2008cited by this paper
• Using Static Analysis to Find Bugs

  2008influential reference
• Resolving the 50‐year debate around using and misusing Likert scales

  2008cited by this paper
• google,我,萨娜

  2006cited by this paper
• When can odds ratios mislead?

  1998cited by this paper
• Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA

  1997cited by this paper
• Related-Key Cryptanalysis of 3-WAY

  1997cited by this paper
• A note on a general definition of the coefficient of determination

  1991cited by this paper
• Factor Analysis

  1986cited by this paper
• Designing computer system messages

  1982cited by this paper
• Please Scroll down for Article Qualitative Research in Psychology Using Thematic Analysis in Psychology

  year unknowncited by this paper

• Reading Between the Code Lines: On the Use of Self-Admitted Technical Debt for Security Analysis

  2026influential citation
• Recommender system for secure mobile application based on permission pairs using explainable artificial intelligence

  2025cites this paper
• Software defect prediction based on support vector machine optimized by reverse differential chimp optimization algorithm

  2025cites this paper
• Actionable Warning Is Not Enough: Recommending Valid Actionable Warnings with Weak Supervision

  2025cites this paper
• Software Vulnerability Management in the Era of Artificial Intelligence: An Industry Perspective

  2025cites this paper
• Usability of Static Application Security Testing Workflows

  2025cites this paper
• Bug Detective and Quality Coach: Developers' Mental Models of AI-Assisted IDE Tools

  2025cites this paper
• Software security in practice: knowledge and motivation

  2025cites this paper
• Usage patterns of software product metrics in assessing developers' output: A comprehensive study

  2025cites this paper
• Two Approaches to Fast Bytecode Frontend for Static Analysis

  2025cites this paper
• A Qualitative Analysis of Fuzzer Usability and Challenges

  2025cites this paper
• Understanding VR Accessibility Practices of VR Professionals

  2025cites this paper
• "I Don't Know If We're Doing Good. I Don't Know If We're Doing Bad": Investigating How Practitioners Scope, Motivate, and Conduct Privacy Work When Developing AI Products

  2024cites this paper
• "I'm Getting Information that I Can Act on Now": Exploring the Level of Actionable Information in Tool-generated Threat Reports

  2024influential citation
• Write, Read, or Fix? Exploring Alternative Methods for Secure Development Studies

  2024cites this paper
• What the Fix? A Study of ASATs Rule Documentation

  2024influential citation
• “A method like this would be overkill”: Developers’ Perceived Issues with Privacy-preserving Computation Methods

  2023cites this paper
• Stuck in the Permissions With You: Developer & End-User Perspectives on App Permissions & Their Privacy Ramifications

  2023cites this paper
• Analyzing the Use of Public and In-house Secure Development Guidelines in U.S. and Japanese Industries

  2023cites this paper
• A Usability Evaluation of AFL and libFuzzer with CS Students

  2023cites this paper
• The State of Secure Coding Practice: Small Organisations and “Lone, Rogue Coders”

  2023cites this paper
• Why Johnny Can’t Use Secure Docker Images: Investigating the Usability Challenges in Using Docker Image Vulnerability Scanners through Heuristic Evaluation

  2023cites this paper
• Unhelpful Assumptions in Software Security Research

  2023cites this paper
• Android Source Code Vulnerability Detection: A Systematic Literature Review

  2022cites this paper
• Charting App Developers' Journey Through Privacy Regulation Features in Ad Networks

  2022cites this paper
• Recruiting Participants With Programming Skills: A Comparison of Four Crowdsourcing Platforms and a CS Student Mailing List

  2022influential citation
• Detecting False Alarms from Automatic Static Analysis Tools: How Far are We?

  2022influential citation
• Towards Immediate Feedback for Security Relevant Code in Development Environments

  2022cites this paper
• Automated Identification of Security Discussions in Microservices Systems: Industrial Surveys and Experiments

  2021cites this paper
• “Developers Are Responsible”: What Ad Networks Tell Developers About Privacy

  2021cites this paper
• Developers Are Neither Enemies Nor Users: They Are Collaborators

  2021cites this paper
• SoK: Human, Organizational, and Technological Dimensions of Developers’ Challenges in Engineering Secure Software

  2021cites this paper
• Android Mobile Malware Detection Using Machine Learning: A Systematic Review

  2021cites this paper
• Conducting Malicious Cybersecurity Experiments on Crowdsourcing Platforms

  2021cites this paper
• CodeCity: 3-dimensional visualization of software security facets

  year unknowncites this paper
• Lessons Learned From Recruiting Participants With Programming Skills for Empirical Privacy and Security Studies

  year unknowncites this paper
• Getting Information that I Can Act on Now”: Exploring the Level of Actionable Information in Tool-generated Threat Reports

  year unknowninfluential citation
• This paper is included in the Proceedings of the Twentieth Symposium on Usable Privacy and Security.

  year unknowncites this paper