Context: Security Vulnerabilities (SVs) pose many serious threats to software systems. Developers usually seek solutions to address these SVs on developer Question and Answer (Q&A) websites. However, little is still known about the ongoing SV-specific discussions on different developer Q&A sites. Objective: We present a large-scale empirical study to understand developers' SV discussions and how these discussions are being supported by Q&A sites. Method: We first curate 71,329 SV posts from two large Q&A sites, namely Stack Overflow (SO) and Security StackExchange (SSE). We then use topic modeling to uncover the topics of SV-related discussions and analyze the popularity, difficulty, and level of expertise for each topic. We also perform a qualitative analysis to identify the types of solutions to SV-related questions. Results: We identify 13 main SV discussion topics on Q&A sites. Many topics do not follow the distributions and trends in expert-based security sources such as Common Weakness Enumeration (CWE) and Open Web Application Security Project (OWASP). We also discover that SV discussions attract more experts to answer than many other domains, but some difficult SV topics (e.g., Vulnerability Scanning Tools) still receive quite limited support from experts. Moreover, we identify seven key types of answers given to SV questions on Q&A sites, where SO often provides code and instructions, while SSE usually gives experience-based advice and explanations. Conclusion: Our findings provide support for researchers and practitioners to effectively acquire, share and leverage SV knowledge on Q&A sites.