A Survey on Developer-Centred Security

Tahaei, Mohammad; Vaniea, Kami

doi:10.1109/eurospw.2019.00021

Cited by 64 publications

(71 citation statements)

References 65 publications

(93 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A systematic literature review of developer-centred security shows that few papers study the intersection of developers and privacy, and further research is needed in this area [70]. Our work contributes to this research area by studying SO privacyrelated questions using both automatic (LDA), and manual (qualitative coding) approaches.…”

Section: Our Contributionmentioning

confidence: 99%

Understanding Privacy-Related Questions on Stack Overflow

Tahaei

Vaniea

Saphra

2020

Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

Self Cite

View full text Add to dashboard Cite

We analyse Stack Overflow (SO) to understand challenges and confusions developers face while dealing with privacy-related topics. We apply topic modelling techniques to 1,733 privacyrelated questions to identify topics and then qualitatively analyse a random sample of 315 privacy-related questions. Identified topics include privacy policies, privacy concerns, access control, and version changes. Results show that developers do ask SO for support on privacy-related issues. We also find that platforms such as Apple and Google are defining privacy requirements for developers by specifying what "sensitive" information is and what types of information developers need to communicate to users (e.g. privacy policies). We also examine the accepted answers in our sample and find that 28% of them link to official documentation and more than half are answered by SO users without references to any external resources.

show abstract

Section: Our Contributionmentioning

confidence: 99%

Understanding Privacy-Related Questions on Stack Overflow

Tahaei

Vaniea

Saphra

2020

Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems

Self Cite

View full text Add to dashboard Cite

show abstract

“…Their lab study with 54 Android developers shows that developers who use Stack Over ow are more likely to write functionally correct code, but less likely to come up with a secure solution. In order to better understand the context in which developers produce security-relevant code, Tahaei and Vaniea [44] survey 49 research papers at the intersection between usable security and software development. They provide an overview of existing works on developer-centered security and show that security is often being ignored because it is considered a secondary requirement.…”

Section: Related Workmentioning

confidence: 99%

An Empirical Study of the Use of Integrity Verification Mechanisms for Web Subresources

Chapuis¹,

Omolola²,

Cherubini³

et al. 2020

Proceedings of the Web Conference 2020

View full text Add to dashboard Cite

Web developers can (and do) include subresources such as scripts, stylesheets and images in their webpages. Such subresources might be stored on content delivery networks (CDNs). This practice creates security and privacy risks, should a subresource be corrupted. The subresource integrity (SRI) recommendation, released in mid-2016 by the W3C, enables developers to include digests in their webpages in order for web browsers to verify the integrity of subresources before loading them. In this paper, we conduct the rst large-scale longitudinal study of the use of SRI on the Web by analyzing massive crawls (≈3B URLs) of the Web over the last 3.5 years. Our results show that the adoption of SRI is modest (≈3.40%), but grows at an increasing rate and is highly in uenced by the practices of popular library developers (e.g., Bootstrap) and CDN operators (e.g., jsDelivr). We complement our analysis about SRI with a survey of web developers (=227): It shows that a substantial proportion of developers know SRI and understand its basic functioning, but most of them ignore important aspects of the recommendation. The results of the survey also show that the integration of SRI by developers is mostly manual-hence not scalable and error prone. This calls for a better integration of SRI in build tools. CCS CONCEPTS • Security and privacy → Web protocol security; Hash functions and message authentication codes.

show abstract

“…With less focus on providing extensive (security) documentation typical for agile, ineffective knowledge sharing between security officers and agile team members is especially problematic. From [23] (A more general survey, but many papers surveyed were "Agile")…”

Section: Address Common Coding Vulnerabilities In Software-development Processes As Followsmentioning

confidence: 99%

Cybersecurity Education and Formal Methods

Davenport

Crick

2021

Communications in Computer and Information Science

View full text Add to dashboard Cite

Formal methods have been largely thought of in the context of safety-critical systems, where they have achieved major acceptance. Tens of millions of people trust their lives every day to such systems, based on formal proofs rather than "we haven't found a bug" (yet!); but why is "we haven't found a bug" an acceptable basis for systems trusted with hundreds of millions of people's personal data? This paper looks at some of these issues in cybersecurity, primarily focused on the UK as a case study, and the extent to which formal methods, ranging from "fully verified" to better tool support, could help. More importantly, recent policy reports and curricula initiatives appear to recommended formal methods in the limited context of "safety critical applications"; we suggest this is too limited in scope and ambition. Not only are formal methods neded in cybersecurity, the repeated weaknesses of the cybersecurity industry provide a powerful motivation for formal methods.

show abstract

A Survey on Developer-Centred Security

Cited by 64 publications

References 65 publications

Understanding Privacy-Related Questions on Stack Overflow

Understanding Privacy-Related Questions on Stack Overflow

An Empirical Study of the Use of Integrity Verification Mechanisms for Web Subresources

Cybersecurity Education and Formal Methods

Contact Info

Product

Resources

About