While we have been focusing on reducing false positives in vulnerability detection, my IEEE S&P'24 paper, in collaboration with Kevin Moran, Denys Poshyvanyk, and Adwait Nadkarni, shows the contrary: developers would rather have more false positives if the tool finds the vulnerabilities. False negatives (FNs) are of more concern to them. Key insights below:
1. While we found several insights that match existing literature, e.g., "Select situations can lead to the de-prioritization of software security," the rest challenge existing literature, identifying challenges that need attention from practitioners, SAST developers, and researchers.
2. For example, "Developer Happiness is Key" is considered the primary design goal of program analysis tools, which is why they focus on reducing false positives in general. However, participants strongly favor reducing false negatives because "that one is going to kill you".
Further key insights and the full paper are available below:
#ieeessp #sp #security #sast #study #stem #wm
Our technical report on recent research regarding #accountability in #UC frameworks is now available (and will be presented at #IEEESSP '23): https://eprint.iacr.org/2022/1606