Where do developers admit their security-related concerns?
Moritz Mock, Thomas Forrer, and Barbara Russo

TL;DR
This paper investigates where developers document security concerns in open-source projects, finding a preference for code comments and issue trackers, and proposes a reminder system to improve security issue awareness.
Contribution
It provides an empirical analysis of security concern documentation sources and introduces a pipeline to remind developers about security-related comments.
Findings
Developers prefer documenting security concerns in source code comments and issue trackers.
Longer unaddressed comments tend to remain unfixed.
A reminder pipeline can enhance security concern awareness.
Abstract
Developers use different means to document the security concerns of their code. Because of all of these opportunities, they may forget where the information is stored, or others may not be aware of it, and leave it unmaintained for so long that it becomes obsolete, if not useless. In this work, we analyzed different sources of code documentation from four large-scale, real-world, open-source projects in an industrial setting to understand where developers report their security concerns. In particular, we manually inspected 2.559 instances taken from source code comments, commit messages, and issue trackers. Overall, we found that developers prefer to document security concerns in source code comments and issue trackers. We also found that the longer the comments stay unfixed, the more likely they remain unfixed. Thus, to create awareness among developers, we implemented a pipeline to…
Taxonomy
Topics: Information and Cyber Security
