Why can't Johnny fix vulnerabilities: a usability evaluation of static analysis tools for security

Justin Smith, Lisa Nguyen Quang Do, Emerson Murphy-Hill

[pdf] [proceedings]

Static analysis tools can help prevent security incidents, but to do so, they must enable developers to resolve the defects they detect. Unfortunately, developers often struggle to interact with the interfaces of these tools, leading to tool abandonment, and consequently the proliferation of preventable vulnerabilities. Simply put, the usability of static analysis tools is crucial.

The usable security community has successfully identified and remedied usability issues in end user security applications, like PGP and Tor browsers, by conducting usability evaluations. Inspired by the success of these studies, we conducted a heuristic walkthrough evaluation and user study focused on four security-oriented static analysis tools. Through the lens of these evaluations, we identify several issues that detract from the usability of static analysis tools. The issues we identified range from workflows that do not support developers to interface features that do not scale. We make these findings actionable by outlining how our results can be used to improve the state-of-the-art in static analysis tool interfaces.

Artifacts

@inbook{10.5555/3488905.3488918,
  author = {Smith, Justin and Do, Lisa Nguyen Quang and Murphy-Hill, Emerson},
  title = {Why Can't Johnny Fix Vulnerabilities: A Usability Evaluation of Static Analysis Tools for Security},
  year = {2020},
  isbn = {978-1-939133-16-8},
  publisher = {USENIX Association},
  address = {USA},
  abstract = {Static analysis tools can help prevent security incidents, but to do so, they must enable developers to resolve the defects they detect. Unfortunately, developers often struggle to interact with the interfaces of these tools, leading to tool abandonment, and consequently the proliferation of preventable vulnerabilities. Simply put, the usability of static analysis tools is crucial. The usable security community has successfully identified and remedied usability issues in end user security applications, like PGP and Tor browsers, by conducting usability evaluations. Inspired by the success of these studies, we conducted a heuristic walkthrough evaluation and user study focused on four security-oriented static analysis tools. Through the lens of these evaluations, we identify several issues that detract from the usability of static analysis tools. The issues we identified range from workflows that do not support developers to interface features that do not scale. We make these findings actionable by outlining how our results can be used to improve the state-of-the-art in static analysis tool interfaces.},
  booktitle = {Proceedings of the Sixteenth USENIX Conference on Usable Privacy and Security},
  articleno = {13},
  numpages = {18}
}