Given programming languages can provide different types and levels of security support, it is critically important to consider security aspects while selecting programming languages for developing software systems. Inadequate consideration of security in the choice of a programming language may lead to potential ramifications for secure development. Whilst theoretical analysis of the supposed security properties of different programming languages has been conducted, there has been relatively little effort to empirically explore the actual security challenges experienced by developers. We have performed a large-scale study of the security challenges of 15 programming languages by quantitatively and qualitatively analysing the developers' discussions from Stack Overflow and GitHub. By leveraging topic modelling, we have derived a taxonomy of 18 major security challenges for 6 topic categories. We have also conducted comparative analysis to understand how the identified challenges vary regarding the different programming languages and data sources. Our findings suggest that the challenges and their characteristics differ substantially for different programming languages and data sources, i.e., Stack Overflow and GitHub. The findings provide evidence-based insights and understanding of security challenges related to different programming languages to software professionals (i.e., practitioners or researchers). The reported taxonomy of security challenges can assist both practitioners and researchers in better understanding and traversing the secure development landscape. This study highlights the importance of the choice of technology, e.g., programming language, in secure software engineering. Hence, the findings are expected to motivate practitioners to consider the potential impact of the choice of programming languages on software security.