Developers deserve security warnings, too: On the effect of integrated security advice on cryptographic API misuse

Research output: Chapter in book/report/conference proceeding, Conference contribution, Research, peer review

Authors

  • Peter Leo Gorski
  • Luigi Lo Iacono
  • Dominik Wermke
  • Christian Stransky
  • Sebastian Moeller
  • Yasemin Acar
  • Sascha Fahl

External Research Organisations

  • TH Köln - University of Applied Sciences
  • Technische Universität Berlin
  • Ruhr-Universität Bochum

Details

Original language: English
Title of host publication: Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018
Pages: 265-280
Number of pages: 16
ISBN (electronic): 9781939133106
Publication status: Published - 2019
Event: 14th Symposium on Usable Privacy and Security, SOUPS 2018 - Baltimore, United States
Duration: 12 Aug 2018 to 14 Aug 2018

Publication series

Name: Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018

Abstract

Cryptographic API misuse is responsible for a large number of software vulnerabilities. In many cases developers are overburdened by the complex set of programming choices and their security implications. Past studies have identified significant challenges when using cryptographic APIs that lack a certain set of usability features (e. g. easy-to-use documentation or meaningful warning and error messages) leading to an especially high likelihood of writing functionally correct but insecure code. To support software developers in writing more secure code, this work investigates a novel approach aimed at these hard-to-use cryptographic APIs. In a controlled online experiment with 53 participants, we study the effectiveness of API-integrated security advice which informs about an API misuse and places secure programming hints as guidance close to the developer. This allows us to address insecure cryptographic choices including encryption algorithms, key sizes, modes of operation and hashing algorithms with helpful documentation in the guise of warnings. Whenever possible, the security advice proposes code changes to fix the responsible security issues. We find that our approach significantly improves code security. 73% of the participants who received the security advice fixed their insecure code. We evaluate the opportunities and challenges of adopting API-integrated security advice and illustrate the potential to reduce the negative implications of cryptographic API misuse and help developers write more secure code.

Cite this

Developers deserve security warnings, too: On the effect of integrated security advice on cryptographic API misuse. / Gorski, Peter Leo; Iacono, Luigi Lo; Wermke, Dominik et al.
Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018. 2019. p. 265-280 (Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018).

Gorski, PL, Iacono, LL, Wermke, D, Stransky, C, Moeller, S, Acar, Y & Fahl, S 2019, Developers deserve security warnings, too: On the effect of integrated security advice on cryptographic API misuse. in Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018. Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018, pp. 265-280, 14th Symposium on Usable Privacy and Security, SOUPS 2018, Baltimore, United States, 12 Aug 2018.
Gorski, P. L., Iacono, L. L., Wermke, D., Stransky, C., Moeller, S., Acar, Y., & Fahl, S. (2019). Developers deserve security warnings, too: On the effect of integrated security advice on cryptographic API misuse. In Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018 (pp. 265-280). (Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018).
Gorski PL, Iacono LL, Wermke D, Stransky C, Moeller S, Acar Y et al. Developers deserve security warnings, too: On the effect of integrated security advice on cryptographic API misuse. In Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018. 2019. p. 265-280. (Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018).
Gorski, Peter Leo ; Iacono, Luigi Lo ; Wermke, Dominik et al. / Developers deserve security warnings, too : On the effect of integrated security advice on cryptographic API misuse. Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018. 2019. pp. 265-280 (Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018).
@inproceedings{6cf8744f1596463ab3b72056686da6c3,
title = "Developers deserve security warnings, too: On the effect of integrated security advice on cryptographic API misuse",
abstract = "Cryptographic API misuse is responsible for a large number of software vulnerabilities. In many cases developers are overburdened by the complex set of programming choices and their security implications. Past studies have identified significant challenges when using cryptographic APIs that lack a certain set of usability features (e. g. easy-to-use documentation or meaningful warning and error messages) leading to an especially high likelihood of writing functionally correct but insecure code. To support software developers in writing more secure code, this work investigates a novel approach aimed at these hard-to-use cryptographic APIs. In a controlled online experiment with 53 participants, we study the effectiveness of API-integrated security advice which informs about an API misuse and places secure programming hints as guidance close to the developer. This allows us to address insecure cryptographic choices including encryption algorithms, key sizes, modes of operation and hashing algorithms with helpful documentation in the guise of warnings. Whenever possible, the security advice proposes code changes to fix the responsible security issues. We find that our approach significantly improves code security. 73% of the participants who received the security advice fixed their insecure code. We evaluate the opportunities and challenges of adopting API-integrated security advice and illustrate the potential to reduce the negative implications of cryptographic API misuse and help developers write more secure code.",
author = "Gorski, {Peter Leo} and Iacono, {Luigi Lo} and Dominik Wermke and Christian Stransky and Sebastian Moeller and Yasemin Acar and Sascha Fahl",
note = "Funding Information: The authors would like to thank Joe Calandrino and the anonymous reviewers for providing feedback; and all participants of this study for their voluntary participation. This work has been partially funded by the German Federal Ministry of Education and Research within the funding program “Forschung an Fachhochschulen” (contract no. 13FH016IX6). ; 14th Symposium on Usable Privacy and Security, SOUPS 2018 ; Conference date: 12-08-2018 Through 14-08-2018",
year = "2019",
language = "English",
series = "Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018",
pages = "265--280",
booktitle = "Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018",

}

TY - GEN

T1 - Developers deserve security warnings, too

T2 - 14th Symposium on Usable Privacy and Security, SOUPS 2018

AU - Gorski, Peter Leo

AU - Iacono, Luigi Lo

AU - Wermke, Dominik

AU - Stransky, Christian

AU - Moeller, Sebastian

AU - Acar, Yasemin

AU - Fahl, Sascha

N1 - Funding Information: The authors would like to thank Joe Calandrino and the anonymous reviewers for providing feedback; and all participants of this study for their voluntary participation. This work has been partially funded by the German Federal Ministry of Education and Research within the funding program “Forschung an Fachhochschulen” (contract no. 13FH016IX6).

PY - 2019

Y1 - 2019

N2 - Cryptographic API misuse is responsible for a large number of software vulnerabilities. In many cases developers are overburdened by the complex set of programming choices and their security implications. Past studies have identified significant challenges when using cryptographic APIs that lack a certain set of usability features (e. g. easy-to-use documentation or meaningful warning and error messages) leading to an especially high likelihood of writing functionally correct but insecure code. To support software developers in writing more secure code, this work investigates a novel approach aimed at these hard-to-use cryptographic APIs. In a controlled online experiment with 53 participants, we study the effectiveness of API-integrated security advice which informs about an API misuse and places secure programming hints as guidance close to the developer. This allows us to address insecure cryptographic choices including encryption algorithms, key sizes, modes of operation and hashing algorithms with helpful documentation in the guise of warnings. Whenever possible, the security advice proposes code changes to fix the responsible security issues. We find that our approach significantly improves code security. 73% of the participants who received the security advice fixed their insecure code. We evaluate the opportunities and challenges of adopting API-integrated security advice and illustrate the potential to reduce the negative implications of cryptographic API misuse and help developers write more secure code.

UR - http://www.scopus.com/inward/record.url?scp=85075912193&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85075912193

T3 - Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018

SP - 265

EP - 280

BT - Proceedings of the 14th Symposium on Usable Privacy and Security, SOUPS 2018

Y2 - 12 August 2018 through 14 August 2018

ER -