To avoid software vulnerabilities, organizations are shifting security to earlier stages of the software development, such as at code review time. In this paper, we aim to understand the developers' perspective on assessing software security during code review, the challenges they encounter, and the support that companies and projects provide. To this end, we conduct a two-step investigation: we interview 10 professional developers and survey 182 practitioners about software security assessment during code review. The outcome is an overview of how developers perceive software security during code review and a set of identified challenges. Our study revealed that most developers do not immediately report to focus on security issues during code review. Only after being asked about software security, developers state to always consider it during review and acknowledge its importance. Most companies do not provide security training, yet expect developers to still ensure security during reviews. Accordingly, developers report the lack of training and security knowledge as the main challenges they face when checking for security issues. In addition, they have challenges with third-party libraries and to identify interactions between parts of code that could have security implications. Moreover, security may be disregarded during reviews due to developers' assumptions about the security dynamic of the application they develop. Data and materials: https://doi.org/10.5281/zenodo.6875435
翻译:为了避免软件的脆弱性,各组织正在将安全转移到软件开发的早期阶段,例如代码审查时间。在本文件中,我们的目标是了解开发商对代码审查期间评估软件安全的看法,他们遇到的挑战,以及公司和项目提供的支助。为此,我们进行两步调查:我们采访10名专业开发商和182名从业人员,调查代码审查期间软件安全评估的情况。结果概述开发商在代码审查和一系列已查明的挑战期间如何看待软件安全。我们的研究显示,大多数开发商在代码审查期间没有立即报告安全问题。只有在被问及软件安全之后,开发商才会在审查期间始终考虑并承认其重要性。大多数公司不提供安全培训,但期望开发商在审查期间仍然能够确保安全。因此,开发商报告说,缺乏培训和安全知识是他们在检查安全问题时面临的主要挑战。此外,他们与第三方图书馆存在挑战,并查明可能具有安全影响的部分代码之间的相互作用。此外,在审查期间,安全可能被忽略了开发商对其应用程序的安全动态所作的假设。数据和材料:https://do5251/10.org/10。