Software Security during Modern Code Review: The Developer's Perspective
Larissa Braz, Alberto Bacchelli

TL;DR
This study explores developers' perspectives on assessing software security during code review, highlighting challenges like lack of training and difficulties with third-party libraries, and emphasizing the need for better security support in development processes.
Contribution
It provides empirical insights into developers' perceptions and challenges regarding security during code review, revealing gaps in training and organizational support.
Findings
Most developers do not prioritize security unless prompted.
Lack of security training is a major challenge.
Developers struggle with third-party libraries and code interactions.
Abstract
To avoid software vulnerabilities, organizations are shifting security to earlier stages of software development, such as code review time. In this paper, we aim to understand the developers' perspective on assessing software security during code review, the challenges they encounter, and the support that companies and projects provide. To this end, we conduct a two-step investigation: we interview 10 professional developers and survey 182 practitioners about software security assessment during code review. The outcome is an overview of how developers perceive software security during code review and a set of identified challenges. Our study revealed that most developers do not immediately report focusing on security issues during code review. Only after being asked about software security do developers state that they always consider it during review and acknowledge its importance. Most…
