Characterizing and Understanding Software Developer Networks in Security Development

Song Wang, Nachiappan Nagappan
DOI: 10.1109/ISSRE52982.2021.00061
Venue: 2021 IEEE 32nd International Symposium on Software Reliability Engineering (ISSRE)
Publication date (as listed): 2019-07-28
Source: Semantic Scholar (https://doi.org/10.1109/ISSRE52982.2021.00061)
Citation count: 8

Abstract

Characterizing and Understanding Software Developer Networks in Security Development
To build secure software, developers often work together during software development and maintenance to find, fix, and prevent security vulnerabilities. Examining the nature of developer interactions in security development can provide valuable insights for improving current practices. In this work, we first conduct a large-scale empirical study to mine developer interactions in security development regarding their security-introducing and security-fixing activities on a benchmark dataset, which involves more than 1.8M commits from nine large-scale open-source software projects. We then build software developer networks from the identified developer interactions and conduct network analysis to characterize and understand security development. For our analysis, we first study the interaction patterns between developers. Second, we characterize the nature of developer interaction in security development in comparison to developer interaction in non-security development. Then, we explore the relation between developer interaction and the quality of projects regarding security. Among our findings we identify that: the dominating interaction patterns among developers in security and non-security development are different, which may suggest the need for differing social and communication support for security and non-security development; the distribution of interaction patterns has a correlation with the quality of software projects; and, differently from general software development, most of the projects are non-hero-centric regarding security development. We believe the findings from this study can help developers understand how vulnerabilities originate and evolve under the interaction of developers and further improve software maintenance.