CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs

Hazhirpasand, Mohammadreza; Ghafari, Mohammad; Nierstrasz, Oscar

doi:10.1109/saner48275.2020.9054799

Cited by 4 publications

(2 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…(5) Why do some developers perform be er in using cryptography? (6) What is the performance of the static analysis tool in detecting crypto misuses? (7) What is the benchmark result of comparing several static analysis tools in detecting crypto uses of the dataset's projects?…”

Section: E State Of Crypto Usesmentioning

confidence: 99%

See 1 more Smart Citation

Java Cryptography Uses in the Wild

Hazhirpasand¹,

Ghafari²,

Nierstrasz³

2020

Preprint

Self Cite

View full text Add to dashboard Cite

Background] Previous research has shown that developers commonly misuse cryptography APIs. [Aim] We have conducted an exploratory study to nd out how crypto APIs are used in open-source Java projects, what types of misuses exist, and why developers make such mistakes. [Method] We used a static analysis tool to analyze hundreds of open-source Java projects that rely on Java Cryptography Architecture, and manually inspected half of the analysis results to assess the tool results. We also contacted the maintainers of these projects by creating an issue on the GitHub repository of each project, and discussed the misuses with developers. [Results] We learned that 85% of Cryptography APIs are misused, however, not every misuse has severe consequences. Developer feedback showed that security caveats in the documentation of crypto APIs are rare, developers may overlook misuses that originate in thirdparty code, and the context where a Crypto API is used should be taken into account. [Conclusion] We conclude that using Crypto APIs is still problematic for developers but blindly blaming them for such misuses may lead to erroneous conclusions.

show abstract

Section: E State Of Crypto Usesmentioning

confidence: 99%

“…An experiment with 53 developers shows that API-integrated security hints help 73% of developers to write more secure code [4]. In the same vein, researchers have provided developers with an interactive web platform to access correct uses of crypto APIs [6].…”

Section: Introductionmentioning

confidence: 99%