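@comment{
  Bibliography of software-engineering and security-tooling papers
  (static analysis, taint analysis, access-control annotation, developer
  studies) plus one power-systems paper.

  Conventions used in this file:
  - one field per line, lowercase field names, braces as delimiters;
  - conference papers use inproceedings entries with the venue in
    booktitle (the auto-export had put proceedings names in journal
    and typed several of them as article);
  - page ranges use the double hyphen, not a Unicode en dash;
  - acronyms and product names in titles are braced so that styles
    which recase titles keep them;
  - the issn value is stored bare (the export had wrapped it in JSON
    list syntax, which a style would print literally);
  - abstracts are kept verbatim in the abstract field, which standard
    styles do not print;
  - citation keys are unchanged, except that the second of two entries
    that both used smith_2016 (Biber rejects, classic BibTeX silently
    drops the duplicate) is now smith_2016b.
}

@inproceedings{mcnamara_smith_murphy-hill_2018,
  author    = {McNamara, Andrew and Smith, Justin and Murphy-Hill, Emerson},
  title     = {Does {ACM}'s Code of Ethics Change Ethical Decision Making in Software Development?},
  booktitle = {{ESEC/FSE'18}: Proceedings of the 2018 26th {ACM} Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering},
  year      = {2018},
  pages     = {729--733},
  doi       = {10.1145/3236024.3264833},
  abstract  = {Ethical decisions in software development can substantially impact end-users, organizations, and our environment, as is evidenced by recent ethics scandals in the news. Organizations, like the ACM, publish codes of ethics to guide software-related ethical decisions. In fact, the ACM has recently demonstrated renewed interest in its code of ethics and made updates for the first time since 1992. To better understand how the ACM code of ethics changes software-related decisions, we replicated a prior behavioral ethics study with 63 software engineering students and 105 professional software developers, measuring their responses to 11 ethical vignettes. We found that explicitly instructing participants to consider the ACM code of ethics in their decision making had no observed effect when compared with a control group. Our findings suggest a challenge to the research community: if not a code of ethics, what techniques can improve ethical decision making in software engineering?},
}

@inproceedings{do_ali_livshits_bodden_smith_murphy-hill_2017,
  author    = {Do, Lisa Nguyen Quang and Ali, Karim and Livshits, Benjamin and Bodden, Eric and Smith, Justin and Murphy-Hill, Emerson},
  title     = {{Cheetah}: Just-in-Time Taint Analysis for {Android} Apps},
  booktitle = {Proceedings of the 2017 {IEEE/ACM} 39th International Conference on Software Engineering Companion ({ICSE-C} 2017)},
  year      = {2017},
  pages     = {39--42},
  issn      = {2574-1926},
  doi       = {10.1109/icse-c.2017.20},
  abstract  = {Current static-analysis tools are often long-running, which causes them to be sidelined into nightly build checks. As a result, developers rarely use such tools to detect bugs when writing code, because they disrupt their workflow. In this paper, we present Cheetah, a static taint analysis tool for Android apps that interleaves bug fixing and code development in the Eclipse integrated development environment. Cheetah is based on the novel concept of Just-in-Time static analysis that discovers and reports the most relevant results to the developer fast, and computes the more complex results incrementally later. Unlike traditional batch-style static-analysis tools, Cheetah causes minimal disruption to the developer's workflow. This video demo showcases the main features of Cheetah: https://www.youtube.com/watch?v=i_KQD-GTBdA.},
}

@inproceedings{smith_2016,
  author    = {Smith, J.},
  title     = {Identifying successful strategies for resolving static analysis notifications},
  booktitle = {2016 {IEEE/ACM} 38th International Conference on Software Engineering Companion ({ICSE-C})},
  year      = {2016},
  pages     = {662--664},
}

@inproceedings{smith_2016b,
  author    = {Smith, J.},
  title     = {Resolving input validation vulnerabilities by retracing taint flow through source code},
  booktitle = {2016 {IEEE} Symposium on Visual Languages and Human-Centric Computing ({VL/HCC})},
  year      = {2016},
  pages     = {252--253},
}

@inproceedings{thomas_chu_lipford_smith_murphy-hill_2015,
  author    = {Thomas, T. and Chu, B. and Lipford, H. and Smith, J. and Murphy-Hill, E.},
  title     = {A study of interactive code annotation for access control vulnerabilities},
  booktitle = {Proceedings 2015 {IEEE} Symposium on Visual Languages and Human-Centric Computing ({VL/HCC})},
  year      = {2015},
  pages     = {73--77},
  doi       = {10.1109/vlhcc.2015.7357200},
  abstract  = {While there are a variety of existing tools to help detect security vulnerabilities in code, they are seldom used by developers due to the time or security expertise required. We are investigating techniques integrated within the IDE to help developers detect and mitigate security vulnerabilities. In this paper, we examine using interactive annotation for access control vulnerabilities. We evaluated whether developers could indicate access control logic using interactive annotation and understand the vulnerabilities reported as a result. Our study indicates that developers can easily find and annotate access control logic but can struggle to use our tool to trace the cause of the vulnerability. Our results provide design guidance for improving the interaction and communication of such security tools with developers.},
}

@inproceedings{barik_lubick_smith_slankas_murphy-hill_2015,
  author    = {Barik, Titus and Lubick, Kevin and Smith, Justin and Slankas, John and Murphy-Hill, Emerson},
  title     = {{FUSE}: A Reproducible, Extendable, Internet-scale Corpus of Spreadsheets},
  booktitle = {12th Working Conference on Mining Software Repositories ({MSR} 2015)},
  year      = {2015},
  pages     = {486--489},
  doi       = {10.1109/msr.2015.70},
  abstract  = {Spreadsheets are perhaps the most ubiquitous form of end-user programming software. This paper describes a corpus, called Fuse, containing 2,127,284 URLs that return spreadsheets (and their HTTP server responses), and 249,376 unique spreadsheets, contained within a public web archive of over 26.83 billion pages. Obtained using nearly 60,000 hours of computation, the resulting corpus exhibits several useful properties over prior spreadsheet corpora, including reproducibility and extendability. Our corpus is unencumbered by any license agreements, available to all, and intended for wide usage by end-user software engineering researchers. In this paper, we detail the data and the spreadsheet extraction process, describe the data schema, and discuss the trade-offs of Fuse with other corpora.},
}

@inproceedings{smith_johnson_murphy-hill_chu_lipford_2015,
  author    = {Smith, Justin and Johnson, Brittany and Murphy-Hill, Emerson and Chu, Bill and Lipford, Heather Richter},
  title     = {Questions Developers Ask While Diagnosing Potential Security Vulnerabilities with Static Analysis},
  booktitle = {2015 10th Joint Meeting of the European Software Engineering Conference and the {ACM} {SIGSOFT} Symposium on the Foundations of Software Engineering ({ESEC/FSE} 2015) Proceedings},
  year      = {2015},
  pages     = {248--259},
  doi       = {10.1145/2786805.2786812},
  abstract  = {Security tools can help developers answer questions about potential vulnerabilities in their code. A better understanding of the types of questions asked by developers may help toolsmiths design more effective tools. In this paper, we describe how we collected and categorized these questions by conducting an exploratory study with novice and experienced software developers. We equipped them with Find Security Bugs, a security-oriented static analysis tool, and observed their interactions with security vulnerabilities in an open-source system that they had previously contributed to. We found that they asked questions not only about security vulnerabilities, associated attacks, and fixes, but also questions about the software itself, the social ecosystem that built the software, and related resources and tools. For example, when participants asked questions about the source of tainted data, their tools forced them to make imperfect tradeoffs between systematic and ad hoc program navigation strategies.},
}

@inproceedings{baran_padmanabhan_chouhan_yuan_smith_mayfield_2014,
  author    = {Baran, Mesut and Padmanabhan, A. and Chouhan, S. and Yuan, X. Y. and Smith, J. and Mayfield, H.},
  title     = {A model based fault locating method for distribution systems},
  booktitle = {2014 {IEEE} {PES} General Meeting - Conference \& Exposition},
  year      = {2014},
  doi       = {10.1109/pesgm.2014.6939019},
  abstract  = {This paper presents a Fault Locating Method (FLM) which uses the current waveforms from Power Quality (PQ) Monitors located on a distribution feeder to determine the location of a permanent fault on the feeder. The method is model based in that it uses a detailed feeder model to estimate the fault currents and compares it with the data obtained from PQ monitors. Test results on the proposed FLM have been provided for two different distribution feeders.},
}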