
Demystifying the Mysteries of Security Vulnerability Discussions on Developer Q&A Sites

by Triet H. M. Le, et al.

Detection and mitigation of Security Vulnerabilities (SVs) are integral tasks in software development and maintenance. Software developers often explore developer Question and Answer (Q&A) websites to find solutions for securing their software. However, empirically little is known about the ongoing SV-related discussions and how the Q&A sites support such discussions. To demystify these mysteries, we conduct large-scale qualitative and quantitative experiments to study the characteristics of 67,864 SV-related posts on Stack Overflow (SO) and Security StackExchange (SSE). We first find that the existing SV categorization of formal security sources is not frequently used on Q&A sites. Therefore, we use Latent Dirichlet Allocation topic modeling to extract a new taxonomy of thirteen SV discussion topics on Q&A sites. We then study the characteristics of these SV topics. Brute-force/Timing Attacks and Vulnerability Testing are found to be the most popular and the most difficult topics, respectively. We discover that, despite having higher user expertise than other domains, the difficult SV topics do not gain as much attention from experienced users as the more popular ones. Seven types of answers to SV-related questions are also identified on Q&A sites: SO usually gives instructions and code, while SSE provides more explanations and/or experience-based advice. Our findings can help practitioners and researchers utilize Q&A sites more effectively to learn and share SV knowledge.



