Secure coding is essential, yet the strategies developers use to detect and mitigate flaws are not well understood. We present an eye-tracking-based approach that captures developers' visual patterns while reading code, writing code, and applying security tools. Our framework uses participant-editable stimuli and dynamic environments to reflect authentic development work rather than static reading tasks. By visualizing gaze transitions, attention shifts, attention levels, and pupil size changes, we expose how developers allocate effort during secure coding and gain insight into their behavior. Our study provides a fine-grained, process-oriented account of behavior in CWE-based secure coding educational tasks, uncovering attentional patterns and decision timelines that traditional methods may not capture. These contributions provide a foundation for improving training and for understanding differences between developers.
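To make the abstract's analysis concrete, the following added example (illustrative code, not the paper's framework or data) shows the core measurements an eye-tracking study of this kind derives from a fixation log: dwell time per area of interest (AOI), the AOI-to-AOI transition counts behind a gaze-transition visualization, the time to first fixation on the vulnerable "sink" line, and a pupil-size change relative to a baseline window. The editor layout, AOI names, line bands and fixation samples are all constructed assumptions; a real study would take them from the tracker and the stimulus definition.

```python
"""Area-of-interest (AOI) analysis of eye-tracking fixations over a code snippet.

Illustrative example, not code or data from the paper. It assumes a fixation
log already produced by the tracker (start time, duration, x/y in pixels,
pupil diameter) and assumes AOIs are line-level bands of a code editor.
The layout, AOI names and fixations below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fixation:
    t_ms: int        # start time of the fixation, ms since task start
    dur_ms: int      # fixation duration in ms
    x: int           # horizontal position in editor pixels
    y: int           # vertical position in editor pixels
    pupil_mm: float  # pupil diameter in mm


# Constructed editor layout: each source line is a 20 px band. In this
# hypothetical CWE-style task, the untrusted value enters on line 2 ("source")
# and the missing bounds check sits on lines 4-5 ("sink"). Lines 8-12 hold a
# static-analysis panel rendered under the code ("tool_output").
LINE_HEIGHT = 20
AOIS = {
    "signature": (1, 1),
    "source": (2, 2),
    "loop": (3, 3),
    "sink": (4, 5),
    "tool_output": (8, 12),
}


def aoi_for(y: int) -> str:
    """Map a vertical pixel position to the AOI whose line band contains it."""
    line = y // LINE_HEIGHT + 1
    for name, (lo, hi) in AOIS.items():
        if lo <= line <= hi:
            return name
    return "other"


def dwell_by_aoi(fixations):
    """Total fixation time (ms) spent in each AOI: a coarse attention-level measure."""
    dwell = defaultdict(int)
    for f in fixations:
        dwell[aoi_for(f.y)] += f.dur_ms
    return dict(dwell)


def transition_matrix(fixations):
    """Count gaze transitions between consecutive fixations in distinct AOIs.

    The result is what a transition graph visualizes: e.g. repeated
    sink -> source -> sink movement suggests the reader is tracing data flow.
    """
    trans = defaultdict(int)
    prev = None
    for f in fixations:
        cur = aoi_for(f.y)
        if prev is not None and cur != prev:
            trans[(prev, cur)] += 1
        prev = cur
    return dict(trans)


def first_fixation_ms(fixations, aoi: str):
    """Time to first fixation on an AOI, a simple decision-timeline marker."""
    for f in fixations:
        if aoi_for(f.y) == aoi:
            return f.t_ms
    return None


def pupil_change(fixations, baseline_ms: int) -> float:
    """Mean pupil diameter after the baseline window minus the baseline mean.

    Larger positive values are commonly read as increased cognitive load;
    the baseline length is an analysis choice, not a fixed constant.
    """
    base = [f.pupil_mm for f in fixations if f.t_ms < baseline_ms]
    rest = [f.pupil_mm for f in fixations if f.t_ms >= baseline_ms]
    if not base or not rest:
        return 0.0
    return round(sum(rest) / len(rest) - sum(base) / len(base), 3)


# Constructed fixation log for one participant on the hypothetical task.
FIXATIONS = [
    Fixation(0, 200, 40, 10, 3.0),      # signature (line 1)
    Fixation(200, 300, 60, 30, 3.0),    # source (line 2)
    Fixation(500, 250, 80, 50, 3.1),    # loop (line 3)
    Fixation(750, 400, 90, 70, 3.2),    # sink (line 4)
    Fixation(1150, 300, 70, 30, 3.3),   # back to source (line 2)
    Fixation(1450, 600, 95, 75, 3.5),   # sink again (line 4)
    Fixation(2050, 500, 50, 170, 3.4),  # tool_output (line 9)
    Fixation(2550, 350, 90, 90, 3.6),   # sink (line 5)
]

if __name__ == "__main__":
    print("dwell:", dwell_by_aoi(FIXATIONS))
    print("transitions:", transition_matrix(FIXATIONS))
    print("first sink fixation (ms):", first_fixation_ms(FIXATIONS, "sink"))
    print("pupil change vs 1 s baseline (mm):", pupil_change(FIXATIONS, 1000))
```

On the constructed log the participant spends the most time on the sink, bounces once between sink and source before consulting the tool panel, and shows a modest pupil increase after the first second; in a real study these per-participant measures would be aggregated across tasks and compared between groups.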
Davis et al. (Mon,) studied this question.