Communicating on Security within Software Development Issue Tracking
Léon McGregor, Manuel Maarek, Hans-Wolfgang Loidl

TL;DR
This paper examines how software development issue trackers support security communication, revealing gaps in interface design and user understanding, and suggests improvements to enhance security awareness among non-security experts.
Contribution
It provides an analysis of issue tracker interfaces for security communication and presents findings from a user study on developer attitudes towards security scoring.
Findings
Projects reference CVSS and CVE reports but lack dedicated interfaces.
Developers are uncomfortable with CVSS analysis but can reason about security.
Explanations and advice improve security decision-making.
Abstract
During software development, balancing security and non-security issues is challenging. We focus on security awareness and the approaches taken by non-security experts when considering security in software development issue trackers. We first analyse interfaces from prominent issue trackers to see how they support security communication and how they integrate security scoring. Then, through a small-scale user study, we investigate which criteria developers use when prioritising issues, in particular observing their attitudes to security. We find that projects make reference to CVSS summaries (Common Vulnerability Scoring System), often alongside CVE reports (Common Vulnerabilities and Exposures), but issue trackers do not often have interfaces designed for this. Users in our study were not comfortable with CVSS analysis, though they were able to reason in a manner compatible with CVSS. Detailed…
Taxonomy
Topics: Information and Cyber Security · Software Engineering Research · Software Engineering Techniques and Practices
