{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T17:24:43Z","timestamp":1782926683003,"version":"3.54.5"},"publisher-location":"New York, NY, USA","reference-count":77,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T00:00:00Z","timestamp":1667779200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100001711","name":"Schweizerischer Nationalfonds zur F&ouml;rderung der Wissenschaftlichen Forschung","doi-asserted-by":"publisher","award":["200021M_205146"],"award-info":[{"award-number":["200021M_205146"]}],"id":[{"id":"10.13039\/501100001711","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001711","name":"Schweizerischer Nationalfonds zur F&ouml;rderung der Wissenschaftlichen Forschung","doi-asserted-by":"publisher","award":["PZ00P2_186090"],"award-info":[{"award-number":["PZ00P2_186090"]}],"id":[{"id":"10.13039\/501100001711","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,11,7]]},"DOI":"10.1145\/3540250.3549135","type":"proceedings-article","created":{"date-parts":[[2022,11,9]],"date-time":"2022-11-09T20:46:22Z","timestamp":1668026782000},"page":"810-821","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":24,"title":["Software security during modern code review: the developer\u2019s perspective"],"prefix":"10.1145","author":[{"given":"Larissa","family":"Braz","sequence":"first","affiliation":[{"name":"University of Zurich, Switzerland"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Alberto","family":"Bacchelli","sequence":"additional","affiliation":[{"name":"University of Zurich, Switzerland"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2022,11,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2020. GitLab: Mapping the DevSecOps Landscape - 2020 Survey. https:\/\/about.gitlab.com\/developer-survey \t\t\t\t  2020. GitLab: Mapping the DevSecOps Landscape - 2020 Survey. https:\/\/about.gitlab.com\/developer-survey"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/52.28121"},{"key":"e_1_3_2_1_3_1","volume-title":"Proceedings of the Symposium on Software Validation: Inspection-Testing-Verification-Alternatives. 13\u201340","author":"Ackerman A.","unstructured":"A. Ackerman , P. Fowler , and R. Ebenau . 1984. Software Inspections and the Industrial Production of Software . In Proceedings of the Symposium on Software Validation: Inspection-Testing-Verification-Alternatives. 13\u201340 . A. Ackerman, P. Fowler, and R. Ebenau. 1984. Software Inspections and the Industrial Production of Software. In Proceedings of the Symposium on Software Validation: Inspection-Testing-Verification-Alternatives. 13\u201340."},{"key":"e_1_3_2_1_4_1","volume-title":"Last accessed","author":"Alphabet Google","year":"2022","unstructured":"Google Alphabet . Last accessed in March 2022 . Vulnerability Rewards Program . https:\/\/bughunters.google.com\/. Google Alphabet. Last accessed in March 2022. Vulnerability Rewards Program. https:\/\/bughunters.google.com\/."},{"key":"e_1_3_2_1_5_1","volume-title":"Proceedings of the symposium on usable privacy and security. 281\u2013296","author":"Assal H.","unstructured":"H. Assal and S. Chiasson . 2018. Security in the software development lifecycle . In Proceedings of the symposium on usable privacy and security. 281\u2013296 . H. Assal and S. Chiasson. 2018. Security in the software development lifecycle. In Proceedings of the symposium on usable privacy and security. 281\u2013296."},{"key":"e_1_3_2_1_6_1","volume-title":"Proceedings of the workshop on Defects in large software systems. 1\u20135.","author":"Ayewah N.","unstructured":"N. Ayewah and W. Pugh . 2008. A report on a survey and study of static analysis users . In Proceedings of the workshop on Defects in large software systems. 1\u20135. N. Ayewah and W. Pugh. 2008. A report on a survey and study of static analysis users. In Proceedings of the workshop on Defects in large software systems. 1\u20135."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"crossref","unstructured":"N. Ayewah W. Pugh D. Hovemeyer J. Morgenthaler and J. Penix. 2008. Using static analysis to find bugs. IEEE software 25 5 (2008) 22\u201329. \t\t\t\t  N. Ayewah W. Pugh D. Hovemeyer J. Morgenthaler and J. Penix. 2008. Using static analysis to find bugs. IEEE software 25 5 (2008) 22\u201329.","DOI":"10.1109\/MS.2008.130"},{"key":"e_1_3_2_1_8_1","volume-title":"Proceedings of the International Conference on Software Engineering. 712\u2013721","author":"Bacchelli A.","unstructured":"A. Bacchelli and C. Bird . 2013. Expectations, outcomes, and challenges of modern code review . In Proceedings of the International Conference on Software Engineering. 712\u2013721 . A. Bacchelli and C. Bird. 2013. Expectations, outcomes, and challenges of modern code review. In Proceedings of the International Conference on Software Engineering. 712\u2013721."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2013.6606642"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2004.71"},{"key":"e_1_3_2_1_11_1","volume-title":"Proceedings of the international symposium on foundations of software engineering. 85\u201396","author":"Baum T.","unstructured":"T. Baum , O. Liskin , K. Niklas , and K. Schneider . 2016. Factors influencing code review processes in industry . In Proceedings of the international symposium on foundations of software engineering. 85\u201396 . T. Baum, O. Liskin, K. Niklas, and K. Schneider. 2016. Factors influencing code review processes in industry. In Proceedings of the international symposium on foundations of software engineering. 85\u201396."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"crossref","unstructured":"B. Boehm and V. Basili. 2001. Software Defect Reduction Top 10 List. 34 1 (2001) 135\u2013137. \t\t\t\t  B. Boehm and V. Basili. 2001. Software Defect Reduction Top 10 List. 34 1 (2001) 135\u2013137.","DOI":"10.1109\/2.962984"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2007.101"},{"key":"e_1_3_2_1_14_1","volume-title":"Proceedings of the 44th International Conference on Software Engineering. 1317\u20131329","author":"Braz L.","unstructured":"L. Braz , C. Aeberhard , G. \u00c7alikli , and A. Bacchelli . 2022. Less is more: supporting developers in vulnerability detection during code review . In Proceedings of the 44th International Conference on Software Engineering. 1317\u20131329 . L. Braz, C. Aeberhard, G. \u00c7alikli, and A. Bacchelli. 2022. Less is more: supporting developers in vulnerability detection during code review. In Proceedings of the 44th International Conference on Software Engineering. 1317\u20131329."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.5281\/zenodo.6969369"},{"key":"e_1_3_2_1_16_1","volume-title":"Proceedings of the International Conference on Software Engineering. 499\u2013511","author":"Braz L.","unstructured":"L. Braz , E. Fregnan , G. \u00c7alikli , and A. Bacchelli . 2021. Why Don\u2019t Developers Detect Improper Input Validation? \u2019; DROP TABLE Papers;\u2013 . In Proceedings of the International Conference on Software Engineering. 499\u2013511 . L. Braz, E. Fregnan, G. \u00c7alikli, and A. Bacchelli. 2021. Why Don\u2019t Developers Detect Improper Input Validation? \u2019; DROP TABLE Papers;\u2013. In Proceedings of the International Conference on Software Engineering. 499\u2013511."},{"key":"e_1_3_2_1_17_1","volume-title":"Proceedings of the international conference on automated software engineering. 332\u2013343","author":"Christakis M.","unstructured":"M. Christakis and C. Bird . 2016. What developers want and need from program analysis: an empirical study . In Proceedings of the international conference on automated software engineering. 332\u2013343 . M. Christakis and C. Bird. 2016. What developers want and need from program analysis: an empirical study. In Proceedings of the international conference on automated software engineering. 332\u2013343."},{"key":"e_1_3_2_1_18_1","unstructured":"Cisco. 2014. The Cisco 2014 Annual Security Reporte. http:\/\/www.cisco.com\/web\/offers\/lp\/2014-annual-securityreport\/index.html. \t\t\t\t  Cisco. 2014. The Cisco 2014 Annual Security Reporte. http:\/\/www.cisco.com\/web\/offers\/lp\/2014-annual-securityreport\/index.html."},{"key":"e_1_3_2_1_19_1","unstructured":"J. Cohen. 2010. Modern Code Review. In Making Software. O\u2019Reilly 329\u2013338. \t\t\t\t  J. Cohen. 2010. Modern Code Review. In Making Software. O\u2019Reilly 329\u2013338."},{"key":"e_1_3_2_1_20_1","unstructured":"T. Cook and D. Campbell. 1979. Quasi-Experimentation: Design and Analysis Issues for Field Settings. Houghton Mifflin Company. \t\t\t\t  T. Cook and D. Campbell. 1979. Quasi-Experimentation: Design and Analysis Issues for Field Settings. Houghton Mifflin Company."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"crossref","unstructured":"A. Danilova A. Naiakshina S. Horstmann and M. Smith. 2021. Do You Really Code? Designing and Evaluating Screening Questions for Online Surveys with Programmers. 537\u2013548. \t\t\t\t  A. Danilova A. Naiakshina S. Horstmann and M. Smith. 2021. Do You Really Code? Designing and Evaluating Screening Questions for Online Surveys with Programmers. 537\u2013548.","DOI":"10.1109\/ICSE43902.2021.00057"},{"key":"e_1_3_2_1_22_1","volume-title":"Last accessed","year":"2022","unstructured":"Defcon. Last accessed in March 2022 . Capture the Flag Competition . https:\/\/defcon.org\/html\/links\/dc-ctf-history.html. Defcon. Last accessed in March 2022. Capture the Flag Competition. https:\/\/defcon.org\/html\/links\/dc-ctf-history.html."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"crossref","unstructured":"K. Dempsey P. Eavy and G. Moore. 2017. Automation Support for Security Control Assessments. Technical Report NISTIR 8011 National Institute of Standards and Technology. \t\t\t\t  K. Dempsey P. Eavy and G. Moore. 2017. Automation Support for Security Control Assessments. Technical Report NISTIR 8011 National Institute of Standards and Technology.","DOI":"10.6028\/NIST.IR.8011-1"},{"key":"e_1_3_2_1_24_1","volume-title":"Proceedings of the International Symposium on Engineering Secure Software and Systems. 197\u2013212","author":"Edmundson A.","unstructured":"A. Edmundson , B. Holtkamp , E. Rivera , M. Finifter , A. Mettler , and D. Wagner . 2013. An empirical study on the effectiveness of security code review . In Proceedings of the International Symposium on Engineering Secure Software and Systems. 197\u2013212 . A. Edmundson, B. Holtkamp, E. Rivera, M. Finifter, A. Mettler, and D. Wagner. 2013. An empirical study on the effectiveness of security code review. In Proceedings of the International Symposium on Engineering Secure Software and Systems. 197\u2013212."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/32.177365"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9523-3"},{"key":"e_1_3_2_1_27_1","volume-title":"Risks Report","author":"Forum World Economic","year":"2022","unstructured":"World Economic Forum . 2022. Global Risks Report 2022 . https:\/\/www.weforum.org\/reports\/global-risks-report-2022\/in-full\/chapter-3-digital-dependencies-and-cyber-vulnerabilities\/. World Economic Forum. 2022. Global Risks Report 2022. https:\/\/www.weforum.org\/reports\/global-risks-report-2022\/in-full\/chapter-3-digital-dependencies-and-cyber-vulnerabilities\/."},{"key":"e_1_3_2_1_28_1","volume-title":"Last accessed","author":"Foundation The OWASP","year":"2022","unstructured":"The OWASP Foundation . Last accessed March 2022 . OWASP Foundation . https:\/\/owasp.org\/ The OWASP Foundation. Last accessed March 2022. OWASP Foundation. https:\/\/owasp.org\/"},{"key":"e_1_3_2_1_29_1","volume-title":"Response bias, social desirability and dissimulation. Personality and individual differences, 7, 3","author":"Furnham A.","year":"1986","unstructured":"A. Furnham . 1986. Response bias, social desirability and dissimulation. Personality and individual differences, 7, 3 ( 1986 ), 385\u2013400. A. Furnham. 1986. Response bias, social desirability and dissimulation. Personality and individual differences, 7, 3 (1986), 385\u2013400."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"crossref","unstructured":"M. Galesic and M. Bosnjak. 2009. Effects of questionnaire length on participation and indicators of response quality in a web survey. Public opinion quarterly 73 2 (2009) 349\u2013360. \t\t\t\t  M. Galesic and M. Bosnjak. 2009. Effects of questionnaire length on participation and indicators of response quality in a web survey. Public opinion quarterly 73 2 (2009) 349\u2013360.","DOI":"10.1093\/poq\/nfp031"},{"key":"e_1_3_2_1_31_1","volume-title":"Proceedings of the Working Conference on Software Visualization. 115\u2013119","author":"Gasparini L.","unstructured":"L. Gasparini , E. Fregnan , L. Braz , T. Baum , and A. Bacchelli . 2021. ChangeViz: Enhancing the GitHub Pull Request Interface with Method Call Information . In Proceedings of the Working Conference on Software Visualization. 115\u2013119 . L. Gasparini, E. Fregnan, L. Braz, T. Baum, and A. Bacchelli. 2021. ChangeViz: Enhancing the GitHub Pull Request Interface with Method Call Information. In Proceedings of the Working Conference on Software Visualization. 115\u2013119."},{"key":"e_1_3_2_1_32_1","volume-title":"Understanding reliability and validity in qualitative research. The qualitative report, 8, 4","author":"Golafshani N.","year":"2003","unstructured":"N. Golafshani . 2003. Understanding reliability and validity in qualitative research. The qualitative report, 8, 4 ( 2003 ), 597\u2013607. N. Golafshani. 2003. Understanding reliability and validity in qualitative research. The qualitative report, 8, 4 (2003), 597\u2013607."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2016.111"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1037\/h0040518"},{"key":"e_1_3_2_1_35_1","volume-title":"Proceedings of the Working Conference on Software Visualization. 43\u201353","author":"Khaloo P.","unstructured":"P. Khaloo , M. Maghoumi , E. Taranta , D. Bettner , and J. Laviola . 2017. Code park: A new 3d code visualization tool . In Proceedings of the Working Conference on Software Visualization. 43\u201353 . P. Khaloo, M. Maghoumi, E. Taranta, D. Bettner, and J. Laviola. 2017. Code park: A new 3d code visualization tool. In Proceedings of the Working Conference on Software Visualization. 43\u201353."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2868367"},{"key":"e_1_3_2_1_37_1","unstructured":"T. Lindlof and B. Taylor. 2002. Qualitative communication research methods. Sage. \t\t\t\t  T. Lindlof and B. Taylor. 2002. Qualitative communication research methods. Sage."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2004.41"},{"key":"e_1_3_2_1_39_1","volume-title":"Proceedings of the 20th International Academic Mindtrek Conference. 262\u2013271","author":"Mattila A.","unstructured":"A. Mattila , P. Ihantola , T. Kilamo , A. Luoto , M. Nurminen , and H. V\u00e4\u00e4t\u00e4j\u00e4 . 2016. Software visualization today: Systematic literature review . In Proceedings of the 20th International Academic Mindtrek Conference. 262\u2013271 . A. Mattila, P. Ihantola, T. Kilamo, A. Luoto, M. Nurminen, and H. V\u00e4\u00e4t\u00e4j\u00e4. 2016. Software visualization today: Systematic literature review. In Proceedings of the 20th International Academic Mindtrek Conference. 262\u2013271."},{"key":"e_1_3_2_1_40_1","unstructured":"McAfee. 2018. The Economic Impact of Cybercrime\u2014No Slowing Down. \t\t\t\t  McAfee. 2018. The Economic Impact of Cybercrime\u2014No Slowing Down."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSECP.2004.1281254"},{"key":"e_1_3_2_1_42_1","volume-title":"Proceedings of the International Symposium on Empirical Software Engineering and Measurement. 1\u201310","author":"Meneely A.","unstructured":"A. Meneely and L. Williams . 2010. Strengthening the Empirical Analysis of the Relationship between Linus\u2019 Law and Software Security . In Proceedings of the International Symposium on Empirical Software Engineering and Measurement. 1\u201310 . A. Meneely and L. Williams. 2010. Strengthening the Empirical Analysis of the Relationship between Linus\u2019 Law and Software Security. In Proceedings of the International Symposium on Empirical Software Engineering and Measurement. 1\u201310."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382756.2382785"},{"key":"e_1_3_2_1_44_1","volume-title":"Last accessed","year":"2022","unstructured":"Microsoft. Last accessed in March 2022 . Insider risk management in Microsoft 365. https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/insider-risk-management?view=o365-worldwide. Microsoft. Last accessed in March 2022. Insider risk management in Microsoft 365. https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/insider-risk-management?view=o365-worldwide."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.3200\/GENP.135.2.151-166"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"crossref","unstructured":"A. Onwuegbuzie and N. Leech. 2007. Validity and qualitative research: An oxymoron? Quality & quantity 41 2 (2007) 233\u2013249. \t\t\t\t  A. Onwuegbuzie and N. Leech. 2007. Validity and qualitative research: An oxymoron? Quality & quantity 41 2 (2007) 233\u2013249.","DOI":"10.1007\/s11135-006-9000-3"},{"key":"e_1_3_2_1_47_1","volume-title":"Proceedings of the New Security Paradigms Workshop. Association for Computing Machinery, 46\u201356","author":"Pieczul O.","unstructured":"O. Pieczul , S. Foley , and M. Zurko . 2017. Developer-Centered Security and the Symmetry of Ignorance . In Proceedings of the New Security Paradigms Workshop. Association for Computing Machinery, 46\u201356 . O. Pieczul, S. Foley, and M. Zurko. 2017. Developer-Centered Security and the Symmetry of Ignorance. In Proceedings of the New Security Paradigms Workshop. Association for Computing Machinery, 46\u201356."},{"key":"e_1_3_2_1_48_1","volume-title":"Last accessed","author":"Platform XM","year":"2022","unstructured":"XM Platform . Last accessed March 2022 . Qualtrics . https:\/\/www.qualtrics.com. XM Platform. Last accessed March 2022. Qualtrics. https:\/\/www.qualtrics.com."},{"key":"e_1_3_2_1_49_1","volume-title":"Proceedings of the conference on computer supported cooperative work and social computing. 2489\u20132503","author":"Poller A.","unstructured":"A. Poller , L. Kocksch , S. Trpe , F. Epp , and K. Kinder-Kurlanda . 2017. Can security become a routine? A study of organizational change in an agile software development group . In Proceedings of the conference on computer supported cooperative work and social computing. 2489\u20132503 . A. Poller, L. Kocksch, S. Trpe, F. Epp, and K. Kinder-Kurlanda. 2017. Can security become a routine? A study of organizational change in an agile software development group. In Proceedings of the conference on computer supported cooperative work and social computing. 2489\u20132503."},{"key":"e_1_3_2_1_50_1","unstructured":"CWE Project. 2021. CWE-327: Use of a Broken or Risky Cryptographic Algorithm. https:\/\/cwe.mitre.org\/data\/definitions\/327.html \t\t\t\t  CWE Project. 2021. CWE-327: Use of a Broken or Risky Cryptographic Algorithm. https:\/\/cwe.mitre.org\/data\/definitions\/327.html"},{"key":"e_1_3_2_1_51_1","unstructured":"OWASP Project. 2017. OWASP Code Review Guide 2.0. https:\/\/owasp.org\/www-pdf-archive\/OWASP_Code_Review_Guide_v2.pdf \t\t\t\t  OWASP Project. 2017. OWASP Code Review Guide 2.0. https:\/\/owasp.org\/www-pdf-archive\/OWASP_Code_Review_Guide_v2.pdf"},{"key":"e_1_3_2_1_52_1","unstructured":"OWASP Project. 2017. OWASP Top Ten. https:\/\/owasp.org\/www-project-top-ten \t\t\t\t  OWASP Project. 2017. OWASP Top Ten. https:\/\/owasp.org\/www-project-top-ten"},{"key":"e_1_3_2_1_53_1","volume-title":"Proceedings of the International Conference on Software Engineering Companion (ICSE-C). 222\u2013231","author":"Rahman M.","unstructured":"M. Rahman , C. K. Roy , and J. Collins . 2016. CORRECT: Code Reviewer Recommendation in GitHub Based on Cross-Project and Technology Experience . In Proceedings of the International Conference on Software Engineering Companion (ICSE-C). 222\u2013231 . M. Rahman, C. K. Roy, and J. Collins. 2016. CORRECT: Code Reviewer Recommendation in GitHub Based on Cross-Project and Technology Experience. In Proceedings of the International Conference on Software Engineering Companion (ICSE-C). 222\u2013231."},{"key":"e_1_3_2_1_54_1","volume-title":"Proceedings of the Joint Meeting on Foundations of Software Engineering. 202\u2013212","author":"Rigby P.","unstructured":"P. Rigby and C. Bird . 2013. Convergent contemporary software peer review practices . In Proceedings of the Joint Meeting on Foundations of Software Engineering. 202\u2013212 . P. Rigby and C. Bird. 2013. Convergent contemporary software peer review practices. In Proceedings of the Joint Meeting on Foundations of Software Engineering. 202\u2013212."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594458"},{"key":"e_1_3_2_1_56_1","volume-title":"Proceedings of the International Conference on Software Engineering: Software Engineering in Practice. 181\u2013190","author":"Sadowski C.","unstructured":"C. Sadowski , E. S\u00f6derberg , L. Church , M. Sipko , and A. Bacchelli . 2018. Modern code review: a case study at Google . In Proceedings of the International Conference on Software Engineering: Software Engineering in Practice. 181\u2013190 . C. Sadowski, E. S\u00f6derberg, L. Church, M. Sipko, and A. Bacchelli. 2018. Modern code review: a case study at Google. In Proceedings of the International Conference on Software Engineering: Software Engineering in Practice. 181\u2013190."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2010.81"},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1086\/268650"},{"key":"e_1_3_2_1_59_1","volume-title":"Proceedings of the Joint Meeting on Foundations of Software Engineering. 248\u2013259","author":"Smith J.","unstructured":"J. Smith , B. Johnson , E. Murphy-Hill , B. Chu , and H. Lipford . 2015. Questions developers ask while diagnosing potential security vulnerabilities with static analysis . In Proceedings of the Joint Meeting on Foundations of Software Engineering. 248\u2013259 . J. Smith, B. Johnson, E. Murphy-Hill, B. Chu, and H. Lipford. 2015. Questions developers ask while diagnosing potential security vulnerabilities with static analysis. In Proceedings of the Joint Meeting on Foundations of Software Engineering. 248\u2013259."},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2810116"},{"key":"e_1_3_2_1_61_1","volume-title":"Last accessed","year":"2022","unstructured":"Snyk. Last accessed in March 2022 . Snyk Code . https:\/\/snyk.io\/product\/snyk-code\/. Snyk. Last accessed in March 2022. Snyk Code. https:\/\/snyk.io\/product\/snyk-code\/."},{"key":"e_1_3_2_1_62_1","volume-title":"Last accessed","author":"Source Sonar","year":"2022","unstructured":"Sonar Source . Last accessed in March 2022 . SonarQube . https:\/\/www.sonarqube.org\/. Sonar Source. Last accessed in March 2022. SonarQube. https:\/\/www.sonarqube.org\/."},{"key":"e_1_3_2_1_63_1","unstructured":"D. Spencer. 2009. Card sorting: Designing usable categories. Rosenfeld Media. \t\t\t\t  D. Spencer. 2009. Card sorting: Designing usable categories. Rosenfeld Media."},{"key":"e_1_3_2_1_64_1","volume-title":"Proceedings of the Symposium on Security and Privacy Workshops. 129\u2013138","author":"Tahaei M.","unstructured":"M. Tahaei and K. Vaniea . 2019. A survey on developer-centred security . In Proceedings of the Symposium on Security and Privacy Workshops. 129\u2013138 . M. Tahaei and K. Vaniea. 2019. A survey on developer-centred security. In Proceedings of the Symposium on Security and Privacy Workshops. 129\u2013138."},{"key":"e_1_3_2_1_65_1","volume-title":"Proceedings of the International Conference on Software Engineering Companion. 346\u2013355","author":"Theisen C.","unstructured":"C. Theisen , L. Williams , K. Oliver , and E. Murphy-Hill . 2016. Software security education at scale . In Proceedings of the International Conference on Software Engineering Companion. 346\u2013355 . C. Theisen, L. Williams, K. Oliver, and E. Murphy-Hill. 2016. Software security education at scale. In Proceedings of the International Conference on Software Engineering Companion. 346\u2013355."},{"key":"e_1_3_2_1_66_1","volume-title":"Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems. 1\u201312","author":"Thomas T.","unstructured":"T. Thomas , M. Tabassum , B. Chu , and H. Lipford . 2018. Security during application development: An application security expert perspective . In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems. 1\u201312 . T. Thomas, M. Tabassum, B. Chu, and H. Lipford. 2018. Security during application development: An application security expert perspective. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems. 1\u201312."},{"key":"e_1_3_2_1_67_1","volume-title":"Proceedings of the International Conference on Predictive Models and Data Analytics in Software Engineering. 83\u201392","author":"Thompson C.","unstructured":"C. Thompson and D. Wagner . 2017. A Large-Scale Study of Modern Code Review and Security in Open Source Projects . In Proceedings of the International Conference on Predictive Models and Data Analytics in Software Engineering. 83\u201392 . C. Thompson and D. Wagner. 2017. A Large-Scale Study of Modern Code Review and Security in Open Source Projects. In Proceedings of the International Conference on Predictive Models and Data Analytics in Software Engineering. 83\u201392."},{"key":"e_1_3_2_1_68_1","volume-title":"Proceedings of the International Conference on Software Analysis, Evolution, and Reengineering. 141\u2013150","author":"Thongtanunam P.","unstructured":"P. Thongtanunam , C. Tantithamthavorn , R. Kula , N. Yoshida , H. Iida , and K. Matsumoto . 2015. Who should review my code? A file location-based code-reviewer recommendation approach for Modern Code Review . In Proceedings of the International Conference on Software Analysis, Evolution, and Reengineering. 141\u2013150 . P. Thongtanunam, C. Tantithamthavorn, R. Kula, N. Yoshida, H. Iida, and K. Matsumoto. 2015. Who should review my code? A file location-based code-reviewer recommendation approach for Modern Code Review. In Proceedings of the International Conference on Software Analysis, Evolution, and Reengineering. 141\u2013150."},{"key":"e_1_3_2_1_69_1","volume-title":"Proceedings of the Symposium on Usable Privacy and Security.","author":"Weir C.","unstructured":"C. Weir , A. Rashid , and J. Noble . 2016. How to improve the security skills of mobile app developers? Comparing and contrasting expert views . In Proceedings of the Symposium on Usable Privacy and Security. C. Weir, A. Rashid, and J. Noble. 2016. How to improve the security skills of mobile app developers? Comparing and contrasting expert views. In Proceedings of the Symposium on Usable Privacy and Security."},{"key":"e_1_3_2_1_70_1","volume-title":"Learning from Strangers: The art and method of qualitative interview studies","author":"Weiss R.","unstructured":"R. Weiss . 1995. Learning from Strangers: The art and method of qualitative interview studies . The Free Press . R. Weiss. 1995. Learning from Strangers: The art and method of qualitative interview studies. The Free Press."},{"key":"e_1_3_2_1_71_1","volume-title":"Proceedings of the International Conference on Evaluation and Assessment in Software Engineering. 205\u2013210","author":"Wijayarathna C.","unstructured":"C. Wijayarathna and N. Arachchilage . 2018. Why Johnny Can\u2019t Store Passwords Securely? A Usability Evaluation of Bouncycastle Password Hashing . In Proceedings of the International Conference on Evaluation and Assessment in Software Engineering. 205\u2013210 . C. Wijayarathna and N. Arachchilage. 2018. Why Johnny Can\u2019t Store Passwords Securely? A Usability Evaluation of Bouncycastle Password Hashing. In Proceedings of the International Conference on Evaluation and Assessment in Software Engineering. 205\u2013210."},{"key":"e_1_3_2_1_72_1","volume-title":"Last accessed","year":"2022","unstructured":"Wikipedia. Last accessed in 2022 . Massive open online course. https:\/\/en.wikipedia.org\/wiki\/Massive_open_online_course Wikipedia. Last accessed in 2022. Massive open online course. https:\/\/en.wikipedia.org\/wiki\/Massive_open_online_course"},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.ijhcs.2006.08.003"},{"key":"e_1_3_2_1_74_1","volume-title":"Microsoft: More secure but mission not over. https:\/\/www.infoworld.com\/article\/2618608\/microsoft\u2013more-secure-but-mission-not-over.html","author":"World Info","year":"2004","unstructured":"Info World . 2004 . Microsoft: More secure but mission not over. https:\/\/www.infoworld.com\/article\/2618608\/microsoft\u2013more-secure-but-mission-not-over.html Info World. 2004. Microsoft: More secure but mission not over. https:\/\/www.infoworld.com\/article\/2618608\/microsoft\u2013more-secure-but-mission-not-over.html"},{"key":"e_1_3_2_1_75_1","volume-title":"Proceedings of the New Security Paradigms Workshop. 89\u201397","author":"Wurster G.","unstructured":"G. Wurster and P. Van Oorschot . 2008. The developer is the . In Proceedings of the New Security Paradigms Workshop. 89\u201397 . G. Wurster and P. Van Oorschot. 2008. The developer is the. In Proceedings of the New Security Paradigms Workshop. 89\u201397."},{"key":"e_1_3_2_1_76_1","volume-title":"Proceedings of the Conference on Computer supported cooperative work and social computing. 1095\u20131106","author":"Xiao S.","unstructured":"S. Xiao , J. Witschey , and E. Murphy-Hill . 2014. Social influences on secure development tool adoption: why security tools spread . In Proceedings of the Conference on Computer supported cooperative work and social computing. 1095\u20131106 . S. Xiao, J. Witschey, and E. Murphy-Hill. 2014. Social influences on secure development tool adoption: why security tools spread. In Proceedings of the Conference on Computer supported cooperative work and social computing. 1095\u20131106."},{"key":"e_1_3_2_1_77_1","volume-title":"Proceedings of the Symposium on Visual Languages and Human-Centric Computing. 161\u2013164","author":"Xie J.","unstructured":"J. Xie , H. Lipford , and B. Chu . 2011. Why do programmers make security errors? In Proceedings of the Symposium on Visual Languages and Human-Centric Computing. 161\u2013164 . J. Xie, H. Lipford, and B. Chu. 2011. Why do programmers make security errors? In Proceedings of the Symposium on Visual Languages and Human-Centric Computing. 161\u2013164."}],"event":{"name":"ESEC\/FSE '22: 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","location":"Singapore Singapore","acronym":"ESEC\/FSE '22","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering","NUS NUS"]},"container-title":["Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3540250.3549135","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3540250.3549135","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:51:02Z","timestamp":1750182662000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3540250.3549135"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,11,7]]},"references-count":77,"alternative-id":["10.1145\/3540250.3549135","10.1145\/3540250"],"URL":"https:\/\/doi.org\/10.1145\/3540250.3549135","relation":{},"subject":[],"published":{"date-parts":[[2022,11,7]]},"assertion":[{"value":"2022-11-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}