Vulnerably (Mis)Configured? Exploring 10 Years of Developers' Q&As on Stack Overflow

Richard May; Christian Biermann; Xenia M. Zerweck; Kai Ludwig; Jacob Krüger; Thomas Leich

doi:10.1145/3634713.3634729

Vulnerably (Mis)Configured? Exploring 10 Years of Developers' Q&As on Stack Overflow

Richard May, Christian Biermann, Xenia M. Zerweck, Kai Ludwig, Jacob Krüger, Thomas Leich

Engineering of Software-Intensive Systems

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

5 Citations (Scopus)

209 Downloads (Pure)

Abstract

The increasing number of attacks exploiting system vulnerabilities in recent years underpins the growing importance of security; especially for software comprising configuration options that may cause unintended vulnerabilities. So, not surprisingly, developers discuss secure software configurations extensively, for instance, via community-question-answering systems like Stack Overflow. In this exploratory study, we analyzed 651 Stack Overflow posts from 2013 until 2022 to investigate what vulnerabilities in the context of configuring software developers discuss. We employed a manual data analysis and automated topic modeling using Latent Dirichlet Allocation to identify and classify relevant topics and contexts. Our results show that vulnerabilities in the context of configuring receive more and more interest, with most posts discussing issues related to faulty security configurations and dependencies causing vulnerabilities that could be or have actually been exploited. Overall, we contribute insights into configuration and security issues that developers experience in the real world. Such insights help researchers and practitioners understand and resolve these issues, thereby guiding future improvements.

Original language	English
Title of host publication	VaMoS '24
Subtitle of host publication	Proceedings of the 18th International Working Conference on Variability Modelling of Software-Intensive Systems
Editors	Timo Kehrer, Marianne Huchard, Leopoldo Teixeira, Christian Birchler
Publisher	Association for Computing Machinery, Inc.
Pages	112-122
Number of pages	11
ISBN (Electronic)	979-8-4007-0877-0
DOIs	https://doi.org/10.1145/3634713.3634729
Publication status	Published - 7 Feb 2024
Event	18th International Working Conference on Variability Modelling of Software-Intensive Systems, VaMoS 2024 - Bern, Switzerland Duration: 7 Feb 2024 → 9 Feb 2024

Conference

Conference	18th International Working Conference on Variability Modelling of Software-Intensive Systems, VaMoS 2024
Abbreviated title	VaMoS 2024
Country/Territory	Switzerland
City	Bern
Period	7/02/24 → 9/02/24

Keywords

Variability
Configuration
Vulnerability management
Security
Stack Overflow
Community-question answering system
security
configuration
community-question-answering system
vulnerability management

Access to Document

10.1145/3634713.3634729

May2024MisconfiguredFinal author version , 773 KB
pdfFinal published version, 847 KBLicence: TAVERNE

https://jacobkrueger.github.io/assets/papers/May2024Misconfigured.pdf

Cite this

May, R., Biermann, C., Zerweck, X. M., Ludwig, K., Krüger, J., & Leich, T. (2024). Vulnerably (Mis)Configured? Exploring 10 Years of Developers' Q&As on Stack Overflow. In T. Kehrer, M. Huchard, L. Teixeira, & C. Birchler (Eds.), VaMoS '24: Proceedings of the 18th International Working Conference on Variability Modelling of Software-Intensive Systems (pp. 112-122). Association for Computing Machinery, Inc.. https://doi.org/10.1145/3634713.3634729

May, Richard ; Biermann, Christian ; Zerweck, Xenia M. et al. / Vulnerably (Mis)Configured? Exploring 10 Years of Developers' Q&As on Stack Overflow. VaMoS '24: Proceedings of the 18th International Working Conference on Variability Modelling of Software-Intensive Systems. editor / Timo Kehrer ; Marianne Huchard ; Leopoldo Teixeira ; Christian Birchler. Association for Computing Machinery, Inc., 2024. pp. 112-122

@inproceedings{efa96fa75e4a4276a77492e66f437d4a,

title = "Vulnerably (Mis)Configured? Exploring 10 Years of Developers' Q\&As on Stack Overflow",

abstract = "The increasing number of attacks exploiting system vulnerabilities in recent years underpins the growing importance of security; especially for software comprising configuration options that may cause unintended vulnerabilities. So, not surprisingly, developers discuss secure software configurations extensively, for instance, via community-question-answering systems like Stack Overflow. In this exploratory study, we analyzed 651 Stack Overflow posts from 2013 until 2022 to investigate what vulnerabilities in the context of configuring software developers discuss. We employed a manual data analysis and automated topic modeling using Latent Dirichlet Allocation to identify and classify relevant topics and contexts. Our results show that vulnerabilities in the context of configuring receive more and more interest, with most posts discussing issues related to faulty security configurations and dependencies causing vulnerabilities that could be or have actually been exploited. Overall, we contribute insights into configuration and security issues that developers experience in the real world. Such insights help researchers and practitioners understand and resolve these issues, thereby guiding future improvements.",

keywords = "Variability, Configuration, Vulnerability management, Security, Stack Overflow, Community-question answering system, security, configuration, community-question-answering system, vulnerability management",

author = "Richard May and Christian Biermann and Zerweck, \{Xenia M.\} and Kai Ludwig and Jacob Kr{\"u}ger and Thomas Leich",

year = "2024",

month = feb,

day = "7",

doi = "10.1145/3634713.3634729",

language = "English",

pages = "112--122",

editor = "Timo Kehrer and Marianne Huchard and Leopoldo Teixeira and Christian Birchler",

booktitle = "VaMoS '24",

publisher = "Association for Computing Machinery, Inc.",

address = "United States",

note = "18th International Working Conference on Variability Modelling of Software-Intensive Systems, VaMoS 2024, VaMoS 2024 ; Conference date: 07-02-2024 Through 09-02-2024",

}

May, R, Biermann, C, Zerweck, XM, Ludwig, K, Krüger, J & Leich, T 2024, Vulnerably (Mis)Configured? Exploring 10 Years of Developers' Q&As on Stack Overflow. in T Kehrer, M Huchard, L Teixeira & C Birchler (eds), VaMoS '24: Proceedings of the 18th International Working Conference on Variability Modelling of Software-Intensive Systems. Association for Computing Machinery, Inc., pp. 112-122, 18th International Working Conference on Variability Modelling of Software-Intensive Systems, VaMoS 2024, Bern, Switzerland, 7/02/24. https://doi.org/10.1145/3634713.3634729

Vulnerably (Mis)Configured? Exploring 10 Years of Developers' Q&As on Stack Overflow. / May, Richard; Biermann, Christian; Zerweck, Xenia M. et al.
VaMoS '24: Proceedings of the 18th International Working Conference on Variability Modelling of Software-Intensive Systems. ed. / Timo Kehrer; Marianne Huchard; Leopoldo Teixeira; Christian Birchler. Association for Computing Machinery, Inc., 2024. p. 112-122.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Vulnerably (Mis)Configured? Exploring 10 Years of Developers' Q&As on Stack Overflow

AU - May, Richard

AU - Biermann, Christian

AU - Zerweck, Xenia M.

AU - Ludwig, Kai

AU - Krüger, Jacob

AU - Leich, Thomas

PY - 2024/2/7

Y1 - 2024/2/7

N2 - The increasing number of attacks exploiting system vulnerabilities in recent years underpins the growing importance of security; especially for software comprising configuration options that may cause unintended vulnerabilities. So, not surprisingly, developers discuss secure software configurations extensively, for instance, via community-question-answering systems like Stack Overflow. In this exploratory study, we analyzed 651 Stack Overflow posts from 2013 until 2022 to investigate what vulnerabilities in the context of configuring software developers discuss. We employed a manual data analysis and automated topic modeling using Latent Dirichlet Allocation to identify and classify relevant topics and contexts. Our results show that vulnerabilities in the context of configuring receive more and more interest, with most posts discussing issues related to faulty security configurations and dependencies causing vulnerabilities that could be or have actually been exploited. Overall, we contribute insights into configuration and security issues that developers experience in the real world. Such insights help researchers and practitioners understand and resolve these issues, thereby guiding future improvements.

AB - The increasing number of attacks exploiting system vulnerabilities in recent years underpins the growing importance of security; especially for software comprising configuration options that may cause unintended vulnerabilities. So, not surprisingly, developers discuss secure software configurations extensively, for instance, via community-question-answering systems like Stack Overflow. In this exploratory study, we analyzed 651 Stack Overflow posts from 2013 until 2022 to investigate what vulnerabilities in the context of configuring software developers discuss. We employed a manual data analysis and automated topic modeling using Latent Dirichlet Allocation to identify and classify relevant topics and contexts. Our results show that vulnerabilities in the context of configuring receive more and more interest, with most posts discussing issues related to faulty security configurations and dependencies causing vulnerabilities that could be or have actually been exploited. Overall, we contribute insights into configuration and security issues that developers experience in the real world. Such insights help researchers and practitioners understand and resolve these issues, thereby guiding future improvements.

KW - Variability

KW - Configuration

KW - Vulnerability management

KW - Security

KW - Stack Overflow

KW - Community-question answering system

KW - security

KW - configuration

KW - community-question-answering system

KW - vulnerability management

UR - https://www.scopus.com/pages/publications/85184284565

U2 - 10.1145/3634713.3634729

DO - 10.1145/3634713.3634729

M3 - Conference contribution

SP - 112

EP - 122

BT - VaMoS '24

A2 - Kehrer, Timo

A2 - Huchard, Marianne

A2 - Teixeira, Leopoldo

A2 - Birchler, Christian

PB - Association for Computing Machinery, Inc.

T2 - 18th International Working Conference on Variability Modelling of Software-Intensive Systems, VaMoS 2024

Y2 - 7 February 2024 through 9 February 2024

ER -

May R, Biermann C, Zerweck XM, Ludwig K, Krüger J, Leich T. Vulnerably (Mis)Configured? Exploring 10 Years of Developers' Q&As on Stack Overflow. In Kehrer T, Huchard M, Teixeira L, Birchler C, editors, VaMoS '24: Proceedings of the 18th International Working Conference on Variability Modelling of Software-Intensive Systems. Association for Computing Machinery, Inc. 2024. p. 112-122 doi: 10.1145/3634713.3634729

Vulnerably (Mis)Configured? Exploring 10 Years of Developers' Q&As on Stack Overflow

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this