My current research is based around a few studies of the way static analysis tools are used by software development teams. (Here, static analysis tools include tools for finding programming bugs or security holes.)
We plan to conduct these studies using contextual inquiry — a method in which the researcher (me) visits the site where developers work, and watches them as they program or run tests. This approach should yield details that even developers do not notice as they work.
We hope to identify features that make these tools easier to understand, and easier to fit into a software development process.
Right now, we are trying to identify local companies that actually use static analysis tools. It's proving to be hard to find regular users, but security consultants and software developers serving high-risk markets may be good targets.