Demystifying the Mysteries of Security Vulnerability Discussions on Developer Q&A Sites

by Triet H. M. Le, et al.

Detection and mitigation of Security Vulnerabilities (SVs) are integral tasks in software development and maintenance. Software developers often explore developer Question and Answer (Q&A) websites to find solutions for securing their software. However, empirically little is known about the on-going SV-related discussions and how the Q&A sites support such discussions. To demystify such mysteries, we conduct large-scale qualitative and quantitative experiments to study the characteristics of 67,864 SV-related posts on Stack Overflow (SO) and Security StackExchange (SSE). We first find that the existing SV categorization of formal security sources is not frequently used on Q&A sites. Therefore, we use Latent Dirichlet Allocation topic modeling to extract a new taxonomy of thirteen SV discussion topics on Q&A sites. We then study the characteristics of such SV topics. Brute-force/Timing Attacks and Vulnerability Testing are found to be the most popular and the most difficult topics, respectively. We discover that despite having higher user expertise than other domains, the difficult SV topics do not gain as much attention from experienced users as the more popular ones. Seven types of answers to SV-related questions are also identified on Q&A sites: SO usually gives instructions and code, while SSE provides more explanations and/or experience-based advice. Our findings can help practitioners and researchers utilize Q&A sites more effectively to learn and share SV knowledge.



