Reviewing source code from a security perspective has proven to be a difficult task. Indeed, previous research has shown that developers often miss even popular and easy-to-detect vulnerabilities during code review. Initial evidence suggests that a significant cause may lie in the reviewers' mental attitude and common practices. In this study, we investigate whether and how explicitly asking developers to focus on security during a code review affects the detection of vulnerabilities. Furthermore, we evaluate the effect of providing a security checklist to guide the security review. To this aim, we conduct an online experiment with 150 participants, of which 71% report to have three or more years of professional development experience. Our results show that simply asking reviewers to focus on security during the code review increases eight times the probability of vulnerability detection. The presence of a security checklist does not significantly improve the outcome further, even when the checklist is tailored to the change under review and the existing vulnerabilities in the change. These results provide evidence supporting the mental attitude hypothesis and call for further work on security checklists' effectiveness and design. Data and materials: https://doi.org/10.5281/zenodo.6026291

翻译：从安全角度审查源代码证明是一项困难的任务。事实上,以前的研究表明,开发商在代码审查期间往往甚至忽略了流行和容易发现的脆弱性。初步证据表明,一个重要的原因可能在于审查者的精神态度和常见做法。在本研究中,我们调查是否以及如何明确要求开发商在代码审查期间注重安全影响对脆弱性的检测。此外,我们评估提供安全清单以指导安全审查的效果。为此,我们与150名参与者进行了在线试验,其中71%的参与者报告说有三年或三年以上的专业发展经验。我们的结果显示,仅仅要求审查者在代码审查期间侧重于安全,就会使发现脆弱性的概率增加八倍。安全清单的存在不会大大改善结果,即使清单是针对审查中的变化和变化中的现有脆弱性而设计的。这些结果提供了支持心理态度假设的证据,并要求就安全清单的有效性和设计开展进一步工作。数据和材料:https://doi.org.5281/zenodo.6026591。