Despite the availability of various methods and tools to facilitate secure coding, developers continue to write code that contains common vulnerabilities. It is important to understand why technological advances do not sufficiently facilitate developers in writing secure code. To widen our understanding of developers' behaviour, we considered the complexity of the security decision space of developers using theory from cognitive and social psychology. Our interdisciplinary study reported in this article (1) draws on the psychology literature to provide conceptual underpinnings for three categories of impediments to achieving security goals, (2) reports on an in-depth meta-analysis of existing software security literature that identified a catalogue of factors that influence developers' security decisions, and (3) characterises the landscape of existing security interventions that are available to the developer during coding and identifies gaps. Collectively, these show that different forms of impediments to achieving security goals arise from different contributing factors. Interventions will be more effective where they reflect psychological factors more sensitively and marry technical sophistication, psychological frameworks, and usability. Our analysis suggests “adaptive security interventions” as a solution that responds to the changing security needs of individual developers, and we present a proof-of-concept tool to substantiate our suggestion.
A web service interface contains information about the names of the operations that can be invoked on the service and the input and output parameters of these operations. This information is not enough to help service developers and consumers understand the behavior of the service. In the context of RESTful web services, the requirements of a RESTful interface should also be met, and these are not fulfilled by just advertising the allowed operations on the resources. In addition, RESTful services take hypermedia as an engine of application states. Such services are defined to be at level 3 of the Richardson Maturity Model (RMM). In this paper, we present an approach to model the structural and behavioral interface of a RESTful web service using UML class and UML protocol diagrams. These models lead to RESTful interfaces that conform to level 3 of RMM and describe the behavior of operations in terms of preconditions and post-conditions. These models facilitate the authentication mechanism and provide a clear mapping to HTTP requests and responses. The generated contracts of methods can be published in an extended version of the WADL language and also used for documentation, stub generation, testing and monitoring purposes.
A UML protocol state machine describes a behavioral interface for a class as a number of states and transitions between states triggered by method calls. In this paper, we present an approach to generate behavioral class interfaces in the form of class contracts from UML protocol state machines. The generated contracts can be used for documentation, test case generation, test case oracle, and as run-time assertions and thus help to test and validate the implementation of a class against its interface. We formalize protocol state machines with their structure and semantics for generating class contracts. The state invariants of the source and target states are considered along with the pre- and post-conditions of the transitions. Different types of transitions like simple, join, fork, high-level, and self transitions are supported, as well as non-deterministic behavior. The approach is supported by a tool to automatically generate the contracts from UML models.
We explore a dataset of app developer reasoning to better understand the reasons that may inadvertently promote or demote app developers' prioritization of security. We identify a number of reasons: caring vs. fear of users, the impact of norms, and notions of 'otherness' and 'self' in terms of belonging to groups. Based on our preliminary findings, we propose an interdisciplinary research agenda to explore the impact of social identity (a psychological theory) on developers' security rationales, and how this could be leveraged to guide developers towards making more secure choices.
CCS CONCEPTS: Security and privacy → Social aspects of security and privacy.