TY - GEN
T1 - Write, Read, or Fix? Exploring Alternative Methods for Secure Development Studies
AU - Fulton, Kelsey R.
AU - Lewis, Joseph
AU - Malkin, Nathan
AU - Mazurek, Michelle L.
N1 - Publisher Copyright:
Copyright is held by the author/owner.
PY - 2024
Y1 - 2024
N2 - When studying how software developers perform security tasks, researchers often ask participants to write code. These studies can be challenging because programming can be time-consuming and frustrating. This paper explores whether alternatives to code-writing can yield scientifically valid results while reducing participant stress. We conducted a remote study in which Python programmers completed two encryption tasks using an assigned library by either writing code from scratch, reading existing code and identifying issues, or fixing issues in existing code. We found that the read and fix conditions were less effective than the write condition in revealing security problems with APIs and their documentation, but still provided useful insights. Meanwhile, the read and especially fix conditions generally resulted in more positive participant experiences. Based on these findings, we make preliminary recommendations for how and when researchers might best use all three study design methods; we also recommend future work to further explore the uses and trade-offs of these approaches.
UR - https://www.scopus.com/pages/publications/85204873400
UR - https://www.scopus.com/inward/citedby.url?scp=85204873400&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85204873400
T3 - Proceedings of the 20th Symposium on Usable Privacy and Security, SOUPS 2024
SP - 81
EP - 100
BT - Proceedings of the 20th Symposium on Usable Privacy and Security, SOUPS 2024
PB - USENIX Association
T2 - 20th Symposium on Usable Privacy and Security, SOUPS 2024
Y2 - 12 August 2024 through 13 August 2024
ER -