SLR_Dataset
Source: DataCite Commons. Updated: 2020-12-18. Indexed: 2025-04-16.
Download link:
https://ieee-dataport.org/documents/slrdataset
Description:
Producing secure software is challenging. The poor usability of security Application Programming Interfaces (APIs) makes this even harder. Many recommendations have been proposed to support developers by improving the usability of cryptography libraries and APIs; rooted in wider best practice guidance in software engineering and API design. In this SLR, we systematize knowledge regarding these recommendations. We identify and analyze 65 papers spanning 45 years, offering a total of 883 recommendations. We undertake a thematic analysis to identify 7 core ways to improve usability of APIs. We find that most of the recommendations focus on helping API developers to construct and structure their code and make it more usable and easier for programmers to understand. There is less focus, however, on documentation, writing requirements, code quality assessment and the impact of organizational software development practices. By tracing and analyzing paper ancestry, we map how this knowledge becomes validated and translated over time. We find evidence that less than a quarter of all API usability recommendations are empirically validated, and that recommendations specific to usable security APIs lag even further behind in this regard.
Provider:
IEEE DataPort
Created:
2020-12-18



