Characterizing and Understanding Software Developer Networks in Security Development

To build secure software, developers often work together during software development and maintenance to find, fix, and prevent security vulnerabilities. Examining the nature of developer interactions during their security activities regarding security introducing and fixing activities can provide insights for improving current practices. In this work, we conduct a large-scale empirical study to characterize and understand developers' interactions during their security activities regarding security introducing and fixing, which involves more than 16K security fixing commits and over 28K security introducing commits from nine large-scale open-source software projects. For our analysis, we first examine whether a project is a hero-centric project when assessing developers' contribution in their security activities. Then we study the interaction patterns between developers, explore how the distribution of the patterns changes over time, and study the impact of developers' interactions on the quality of projects. In addition, we also characterize the nature of developer interaction in security activities in comparison to developer interaction in non-security activities (i.e., introducing and fixing non-security bugs). Among our findings we identify that: most of the experimental projects are non hero-centric projects when evaluating developers' contribution by using their security activities; there exist common dominating interaction patterns across our experimental projects; the distribution of interaction patterns has correlation with the quality of software projects. We believe the findings from this study can help developers understand how vulnerabilitiesoriginate and fix under the interactions of software developers.