OASIcs.ICPEC.2024.14.pdf
- Filesize: 0.77 MB
- 11 pages
In pursuing a secure software development lifecycle, industrial developers employ a combination of automated and manual techniques to mitigate vulnerabilities in source code. Among manual techniques, code review is a promising approach, with growing interest within the industry around it. However, the effectiveness of code reviews for security purposes relies on developers' empowerment and awareness, particularly in the domain-specific knowledge required for identifying security issues. Our study explores the use of DuckDebugger, a serious game designed specifically to enhance industrial practitioners' security knowledge for code reviews. By exploring analytics data collected from game interactions, we provide insights into player behavior and explore how the game influences their approach to security-focused code reviews. Altogether, we explore data from 13 events conducted in the industry together with 224 practitioners, and derive metrics such as the time it takes participants spend to reviewing a line of code and the time required to compose a comment. We offer empirical indicators on how serious games may effectively be utilized to empower developers, propose potential design improvements for educational tools, and discuss broader implications for the use of Serious Games in industrial settings. Furthermore, our discussion extends to include a discussion outlining the next steps for our work, together with possible limitations.
Feedback for Dagstuhl Publishing