Developers Are Neither Enemies Nor Users: They Are Collaborators

Chowdhury, Partha Das; Hallett, Joseph; Patnaik, Nikhil; Tahaei, Mohammad; Rashid, Awais

doi:10.1109/secdev51306.2021.00023

Cited by 9 publications

(4 citation statements)

References 70 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although the CTF experiment was conducted on a different population of developers, who are possibly more enthusiastic about security, the attacks that were the least attempted would have required to intercept and modify the HTTP request. Future work could further investigate to what extent this awareness is lacking, and whether awarenessraising abstractions of APIs and security controls can be designed [15].…”

Section: Discussionmentioning

confidence: 99%

Measuring Developers’ Web Security Awareness from Attack and Defense Perspectives

Şahin¹,

Unlu

Hebert³

et al. 2022

2022 IEEE Security and Privacy Workshops (SPW)

View full text Add to dashboard Cite

Web applications are the public-facing components of information systems, which makes them an easy entry point for various types of attacks. While it is often the responsibility of web developers to implement the proper security controls, it remains a challenge for them to develop a good understanding of the whole attack surface.This paper aims to understand the developers' familiarity with a number of web attack and defense mechanisms. In particular, we conduct two different experiments: First, we employ a questionnaire to understand the perceived attack surface and the types of security controls that are often considered. Second, we design a Capture the Flag challenge that aims to push the participants to discover as many attack points as possible on a given web application. Among several other observations, we find that one third of developers are not aware of the client's ability to intercept and modify all parts of an HTTP request. Moreover, developers' attack awareness focus on a limited set of attacks (such as Crosssite scripting and SQL injection), overlooking a large part of the attack surface.

show abstract

Section: Discussionmentioning

confidence: 99%

Measuring Developers’ Web Security Awareness from Attack and Defense Perspectives

Şahin¹,

Unlu

Hebert³

et al. 2022

2022 IEEE Security and Privacy Workshops (SPW)

View full text Add to dashboard Cite

show abstract

“…API documentation should be written in the most precise and simplest terms possible, making default behaviour (whether secure or insecure) explicit to ensure API users are not required to become experts before use [58]. Despite this, API developers assume user expertise [14], which is at odds with the finding that many developers use APIs for functionality over security [29], and APIs that do not reflect this behaviour, perhaps by requiring users to specify security settings, are more likely to be used insecurely. In the opposite direction, developers expect APIs to be secure by default [57], reflecting their lack of expertise in the API and their desire to get their software created with minimal effort.…”

Section: Api Usability and Securitymentioning

confidence: 99%

Software Vulnerabilities as Cognitive Blindspots; assessing the suitability of a dual processing theory of decision making for secure coding

Ivory,

Towse,

Sturdee

et al. 2024

Preprint

View full text Add to dashboard Cite

Security vulnerabilities are present in many software systems, putting those who entrust software with their data in harm’s way. Many vulnerabilities are avoidable since they are not new and are well-described. Despite this awareness, they remain widespread. One hypothesis for their persistence is that they represent software blindspots, problems that are implicit in the mental models of developers and thus escape attention (Brun et al., 2023; Oliveira et al. 2018). Our current understanding of how cognitive influences secure coding is limited, and we address this by extending the hypothesis by suggesting differences in decision making approaches alter the ability to detect vulnerabilities. Through an empirical study and power analysis, we show the potential value of dual processing theory, where individuals make decisions using one of two cognitive systems: a default system reliant on heuristics and intuitive mechanisms, and a more deliberate and computational interventionist system. This preregistered study replicates key predictions from previous blindspot research, extends the analysis towards cognition, and models effect sizes of variables that might impact software security. We complement this analysis with data simulations to expose the sampling scale of empirical studies that would be necessary for highly powered work in this domain.

show abstract

“…a) Fail Safe Defaults: There are notable recommendations like Green & Smith that suggest libraries should come with safe defaults [31]. Das Chowdhury et al reviewed 72 peer-reviewed DCS publications and report the challenges faced by application developers and the behavior they adopt to address the challenges [32]. Miscommunication is a major challenge that developers face which arises due to a lack of documentation on how to use a library.…”

Section: Implementations Of Saltzer and Schroeder Principles And Secu...mentioning

confidence: 99%

Better Call Saltzer \& Schroeder: A Retrospective Security Analysis of SolarWinds \& Log4j

Chowdhury¹,

Tahaei²,

Rashid³

2022

Preprint

View full text Add to dashboard Cite

Saltzer & Schroeder's principles aim to bring security to the design of computer systems. We investigate SolarWinds Orion update and Log4j to unpack the intersections where observance of these principles could have mitigated the embedded vulnerabilities. The common principles that were not observed include fail safe defaults, economy of mechanism, complete mediation and least privilege. Then we explore the literature on secure software development interventions for developers to identify usable analysis tools and frameworks that can contribute towards improved observance of these principles. We focus on a system wide view of access of codes, checking access paths and aiding application developers with safe libraries along with an appropriate security task list for functionalities.

show abstract

Developers Are Neither Enemies Nor Users: They Are Collaborators

Cited by 9 publications

References 70 publications

Measuring Developers’ Web Security Awareness from Attack and Defense Perspectives

Measuring Developers’ Web Security Awareness from Attack and Defense Perspectives

Software Vulnerabilities as Cognitive Blindspots; assessing the suitability of a dual processing theory of decision making for secure coding

Better Call Saltzer \& Schroeder: A Retrospective Security Analysis of SolarWinds \& Log4j

Contact Info

Product

Resources

About