Demystifying the Mysteries of Security Vulnerability Discussions on Developer Q&A Sites
Detection and mitigation of Security Vulnerabilities (SVs) are integral tasks
in software development and maintenance. Software developers often explore
developer Question and Answer (Q&A) websites to find solutions for securing
their software. However, empirically little is known about the ongoing
SV-related discussions and how the Q&A sites support such discussions.
To demystify such mysteries, we conduct large-scale qualitative and
quantitative experiments to study the characteristics of 67,864 SV-related
posts on Stack Overflow (SO) and Security StackExchange (SSE). We first find
that the existing SV categorization of formal security sources is not
frequently used on Q&A sites. Therefore, we use Latent Dirichlet Allocation
topic modeling to extract a new taxonomy of thirteen SV discussion topics on
Q&A sites. We then study the characteristics of these SV topics.
Brute-force/Timing Attacks and Vulnerability Testing are found to be the most popular
and the most difficult topics, respectively. We discover that, despite having higher user
expertise than other domains, the difficult SV topics do not gain as much
attention from experienced users as the more popular ones. Seven types of
answers to SV-related questions are also identified on Q&A sites, in which SO
usually gives instructions and code, while SSE provides more explanations
and/or experience-based advice. Our findings can help practitioners and
researchers utilize Q&A sites more effectively to learn and share SV
knowledge.