Array (Sep 2022)

Eye tracking technologies to visualize secure coding behavior

  • Daniel Kyle Davis,
  • Feng Zhu

Journal volume & issue
Vol. 15
p. 100241

Abstract


Secure coders' experience and performance vary greatly, and any security flaw missed in source code may lead to costly consequences. How they analyze source code and develop mitigation techniques is not well understood. Our objective is to gain insight into the strategies and techniques of both novice and experienced developers. A proper understanding can help us teach inexperienced coders to approach, discover, and mitigate security flaws efficiently and accurately. Our research relies upon eye tracking hardware and software to collect and analyze eye gazes. Unlike existing approaches, we incorporate a wide range of tasks at once: reading documentation, writing code, and using security code analysis tools. We analyze both static and dynamic (interactive) stimuli in a realistic software development environment. Our pictorial visualizations represent a coder's eye gazes and visually demonstrate their behavior and patterns. In addition, we provide the full context of the stimuli that a participant observed. This allows the behavior to be investigated across a range of tasks for a single participant and between participants. Our secure coding tasks include reading documentation, reading source code, and writing source code for a web application, as well as using security code scanning tools. Our contributions also include (1) novel visualization techniques that present transitions among components within and between applications, and (2) presentations of coders' attention levels during secure coding, obtained by investigating changes in pupil size. The eye tracking collection and analysis techniques support both modifiable stimuli and stimuli presented in different sequences based upon an individual participant's behavior.

Keywords