Nowadays software is widely used in almost every domain. When software applications contain defects or errors, these errors or software bugs can trigger security problems, cause financial loss, or even jeopardize human health. However, maintaining software to remove all those errors is usually challenging. This is because to resolve a software issue, developers usually spend lots of time and effort in order to comprehend programs, so that they can apply program changes consistently, completely, and correctly. When developers have insufficient domain knowledge or misunderstand the program logic, they may fail to fix the bug or their bug fixes can actually introduce new bugs.

In this talk, I will present our recent research that intends to bridge the gap between program complexity and developers’ programming capabilities. Thus, there are three parts in my talk. For the first part, I will introduce our empirical study on developers’ secure coding practices. By crawling and analyzing developers’ technical discussions on the StackOverflow website, we identified various programming challenges that developers encounter when they build security functionalities. We also showed security vulnerabilities due to developers’ security API misuses. For the second part, I’ll introduce our related empirical study to examine the reliability of security suggestions on StackOverflow, which study reveals a worrisome reality in the software development industry. For the third part, I will present our recent tool that recommends code refactorings for developers. All our empirical studies and techniques have the potential to help developers (1) better understand program complexity and the complexity of software maintenance, and (2) improve program maintenance as well as software quality.