Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs

Publikation: Beitrag in Buch/Bericht/Sammelwerk/KonferenzbandAufsatz in KonferenzbandForschungPeer-Review

Autoren

  • Peter Leo Gorski
  • Yasemin Acar
  • Luigi Lo Iacono
  • Sascha Fahl

Organisationseinheiten

Externe Organisationen

  • Technische Hochschule Köln
Forschungs-netzwerk anzeigen

Details

OriginalspracheEnglisch
Titel des SammelwerksCHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems
Herausgeber (Verlag)Association for Computing Machinery (ACM)
Seitenumfang13
ISBN (elektronisch)9781450367080
PublikationsstatusVeröffentlicht - 21 Apr. 2020
Veranstaltung2020 ACM CHI Conference on Human Factors in Computing Systems, CHI 2020 - Honolulu, USA / Vereinigte Staaten
Dauer: 25 Apr. 202030 Apr. 2020

Publikationsreihe

NameConference on Human Factors in Computing Systems - Proceedings

Abstract

The positive effect of security information communicated to developers through API warnings has been established. However, current prototypical designs are based on security warnings for end-users. To improve security feedback for developers, we conducted a participatory design study with 25 professional software developers in focus groups. We identify which security information is considered helpful in avoiding insecure cryptographic API use during development. Concerning console messages, participants suggested five core elements, namely message classification, title message, code location, link to detailed external resources, and color. Design guidelines for end-user warnings are only partially suitable in this context. Participants emphasized the importance of tailoring the detail and content of security information to the context. Console warnings call for concise communication; further information needs to be linked externally. Therefore, security feedback should transcend tools and should be adjustable by software developers across development tools, considering the work context and developer needs.

ASJC Scopus Sachgebiete

Zitieren

Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs. / Gorski, Peter Leo; Acar, Yasemin; Lo Iacono, Luigi et al.
CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery (ACM), 2020. 3376142 (Conference on Human Factors in Computing Systems - Proceedings).

Publikation: Beitrag in Buch/Bericht/Sammelwerk/KonferenzbandAufsatz in KonferenzbandForschungPeer-Review

Gorski, PL, Acar, Y, Lo Iacono, L & Fahl, S 2020, Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs. in CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems., 3376142, Conference on Human Factors in Computing Systems - Proceedings, Association for Computing Machinery (ACM), 2020 ACM CHI Conference on Human Factors in Computing Systems, CHI 2020, Honolulu, USA / Vereinigte Staaten, 25 Apr. 2020. https://doi.org/10.1145/3313831.3376142
Gorski, P. L., Acar, Y., Lo Iacono, L., & Fahl, S. (2020). Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs. In CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems Artikel 3376142 (Conference on Human Factors in Computing Systems - Proceedings). Association for Computing Machinery (ACM). https://doi.org/10.1145/3313831.3376142
Gorski PL, Acar Y, Lo Iacono L, Fahl S. Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs. in CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery (ACM). 2020. 3376142. (Conference on Human Factors in Computing Systems - Proceedings). doi: 10.1145/3313831.3376142
Gorski, Peter Leo ; Acar, Yasemin ; Lo Iacono, Luigi et al. / Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs. CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery (ACM), 2020. (Conference on Human Factors in Computing Systems - Proceedings).
Download
@inproceedings{980f650c662a44b2801676255689cd7f,
title = "Listen to Developers!: A Participatory Design Study on Security Warnings for Cryptographic APIs",
abstract = "The positive effect of security information communicated to developers through API warnings has been established. However, current prototypical designs are based on security warnings for end-users. To improve security feedback for developers, we conducted a participatory design study with 25 professional software developers in focus groups. We identify which security information is considered helpful in avoiding insecure cryptographic API use during development. Concerning console messages, participants suggested five core elements, namely message classification, title message, code location, link to detailed external resources, and color. Design guidelines for end-user warnings are only partially suitable in this context. Participants emphasized the importance of tailoring the detail and content of security information to the context. Console warnings call for concise communication; further information needs to be linked externally. Therefore, security feedback should transcend tools and should be adjustable by software developers across development tools, considering the work context and developer needs.",
keywords = "cryptographic apis, developer console, focus groups, participatory design, security warning design, software development",
author = "Gorski, {Peter Leo} and Yasemin Acar and {Lo Iacono}, Luigi and Sascha Fahl",
note = "Funding Information: The authors would like to thank the anonymous reviewers and shepherd for providing valuable feedback; and all participants of this study for their generous voluntary participation. This work was partially funded by the German Federal Ministry of Education and Research within the funding program {"}Forschung an Fachhochschulen{"} (contract no. 13FH016IX6). ; 2020 ACM CHI Conference on Human Factors in Computing Systems, CHI 2020 ; Conference date: 25-04-2020 Through 30-04-2020",
year = "2020",
month = apr,
day = "21",
doi = "10.1145/3313831.3376142",
language = "English",
series = "Conference on Human Factors in Computing Systems - Proceedings",
publisher = "Association for Computing Machinery (ACM)",
booktitle = "CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems",
address = "United States",

}

Download

TY - GEN

T1 - Listen to Developers!

T2 - 2020 ACM CHI Conference on Human Factors in Computing Systems, CHI 2020

AU - Gorski, Peter Leo

AU - Acar, Yasemin

AU - Lo Iacono, Luigi

AU - Fahl, Sascha

N1 - Funding Information: The authors would like to thank the anonymous reviewers and shepherd for providing valuable feedback; and all participants of this study for their generous voluntary participation. This work was partially funded by the German Federal Ministry of Education and Research within the funding program "Forschung an Fachhochschulen" (contract no. 13FH016IX6).

PY - 2020/4/21

Y1 - 2020/4/21

N2 - The positive effect of security information communicated to developers through API warnings has been established. However, current prototypical designs are based on security warnings for end-users. To improve security feedback for developers, we conducted a participatory design study with 25 professional software developers in focus groups. We identify which security information is considered helpful in avoiding insecure cryptographic API use during development. Concerning console messages, participants suggested five core elements, namely message classification, title message, code location, link to detailed external resources, and color. Design guidelines for end-user warnings are only partially suitable in this context. Participants emphasized the importance of tailoring the detail and content of security information to the context. Console warnings call for concise communication; further information needs to be linked externally. Therefore, security feedback should transcend tools and should be adjustable by software developers across development tools, considering the work context and developer needs.

AB - The positive effect of security information communicated to developers through API warnings has been established. However, current prototypical designs are based on security warnings for end-users. To improve security feedback for developers, we conducted a participatory design study with 25 professional software developers in focus groups. We identify which security information is considered helpful in avoiding insecure cryptographic API use during development. Concerning console messages, participants suggested five core elements, namely message classification, title message, code location, link to detailed external resources, and color. Design guidelines for end-user warnings are only partially suitable in this context. Participants emphasized the importance of tailoring the detail and content of security information to the context. Console warnings call for concise communication; further information needs to be linked externally. Therefore, security feedback should transcend tools and should be adjustable by software developers across development tools, considering the work context and developer needs.

KW - cryptographic apis

KW - developer console

KW - focus groups

KW - participatory design

KW - security warning design

KW - software development

UR - http://www.scopus.com/inward/record.url?scp=85091317195&partnerID=8YFLogxK

U2 - 10.1145/3313831.3376142

DO - 10.1145/3313831.3376142

M3 - Conference contribution

AN - SCOPUS:85091317195

T3 - Conference on Human Factors in Computing Systems - Proceedings

BT - CHI 2020 - Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

PB - Association for Computing Machinery (ACM)

Y2 - 25 April 2020 through 30 April 2020

ER -