The demand for automated security analysis techniques, such as static analysis-based security testing (SAST) tools, continues to increase. To develop SASTs that developers can effectively leverage for finding vulnerabilities, researchers and tool designers must understand how developers perceive, select, and use SASTs, what they expect from the tools, whether they know of the tools' limitations, and how they address those limitations. This paper describes a qualitative study that explores the assumptions, expectations, beliefs, and challenges experienced by developers who use SASTs. We perform in-depth, semi-structured interviews with 20 practitioners who possess a diverse range of software development expertise, as well as a variety of unique security, product, and organizational backgrounds. We identify 17 key findings that shed light on developer perceptions and desires related to SASTs, and also expose gaps in the status quo -- challenging long-held beliefs in SAST design priorities. Finally, we provide concrete future directions for researchers and practitioners rooted in an analysis of our findings.