"If you want, I can store the encrypted password"

Naiakshina, Alena; Danilova, Anastasia; Gerlitz, Eva; Zezschwitz, Emanuel von; Smith, Matthew

doi:10.1145/3290605.3300370

Cited by 49 publications

(22 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Prior work shows that if developers are prompted, nudged, or asked explicitly about security, they are more likely to choose secure solutions over insecure solutions [50,[68][69][70]74]. SATs have the potential to promote more secure coding by proactively identifying issues at early stages of development along with identifying the problematic line(s) and providing specific guidance on how to correct them.…”

Section: Discussion and Future Workmentioning

confidence: 99%

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Tahaei

Vaniea

Beznosov

et al. 2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

Static analysis tools (SATs) have the potential to assist developers in finding and fixing vulnerabilities in the early stages of software development, requiring them to be able to understand and act on tools' notifications. To understand how helpful such SAT guidance is to developers, we ran an online experiment (N=132) where participants were shown four vulnerable code samples (SQL injection, hard-coded credentials, encryption, and logging sensitive data) along with SAT guidance, and asked to indicate the appropriate fix. Participants had a positive attitude towards both SAT notifications and particularly liked the example solutions and vulnerable code. Seeing SAT notifications also led to more detailed open-ended answers and slightly improved code correction answers. Still, most SAT (SpotBugs 67%, SonarQube 86%) and Control (96%) participants answered at least one code-correction question incorrectly. Prior software development experience, perceived vulnerability severity, and answer confidence all positively impacted answer accuracy. CCS CONCEPTS• Human-centered computing → Empirical studies in HCI; • Security and privacy → Usability in security and privacy; Software and application security.

show abstract

Section: Discussion and Future Workmentioning

confidence: 99%

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Tahaei

Vaniea

Beznosov

et al. 2021

Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems

View full text Add to dashboard Cite

show abstract

“…Related challenges faced by both users and developers or other specialists are found widely across the cybersecurity field, including passwords (e.g., Naiakshina et al, 2019) and encrypted email (Whitten & Tygar, 1999). The field of usable security seeks a fit between the security task and the humans expected to interact with it (Sasse et al, 2001).…”

Section: Human Factors and Social Sciencesmentioning

confidence: 99%

Cybersecurity

Veale¹,

Brown²

2020

Internet Policy Review

View full text Add to dashboard Cite

Cybersecurity covers the broad range of technical and social issues that must be considered to protect networked information systems. The importance of the concept has increased as so many government, business, and day-to-day activities globally have moved online. It has been increasingly referred to in both academic and mainstream publications since 2003, in fields including software engineering, international relations, crisis management and public safety, slowly overtaking more technical terms such as computer/system/data security (popular in the 1970s/ 1980s) and information security (popular from the mid 1990s). But its strong association with national security and defence agencies, and disconnection from social science notions such as place, have led to concerns of inappropriate cyber securitisation of government programmes. Issue 4This article belongs to Concepts of the digital society, a special section of Internet Policy Review guest-edited by Christian Katzenbach and Thomas Christian Bächle.

show abstract

“…Quantitative Study. The recruitment of a reasonable number of professional software developers for quantitative research studies is challenging [5,9,49,52]. Thus, we used multiple channels for recruitment.…”

Section: Recruitmentmentioning

confidence: 99%

“…Software developers can also encounter security warnings while programming and, just like end users, can become frustrated by these messages. Examples of severe security issues in software development are the use of deprecated security parameters or functions for end user password storage in a database endangering a large amount of sensitive user data [4,[52][53][54] or the misuse of TLS enabling man-in-the middle attacks [32]. Consequently, improving security warnings for developers is a desirable research goal [43].…”

Section: Introductionmentioning

confidence: 99%

One size does not fit all

Danilova

Naiakshina

Smith

2020

Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering

Self Cite

View full text Add to dashboard Cite

A wide range of tools exist to assist developers in creating secure software. Many of these tools, such as static analysis engines or security checkers included in compilers, use warnings to communicate security issues to developers. The effectiveness of these tools relies on developers heeding these warnings, and there are many ways in which these warnings could be displayed. Johnson et al. [46] conducted qualitative research and found that warning presentation and integration are main issues. We built on Johnson et al.'s work and examined what developers want from security warnings, including what form they should take and how they should integrate into their workflow and work context. To this end, we conducted a Grounded Theory study with 14 professional software developers and 12 computer science students as well as a focus group with 7 academic researchers to gather qualitative insights. To back up the theory developed from the qualitative research, we ran a quantitative survey with 50 professional software developers. Our results show that there is significant heterogeneity amongst developers and that no one warning type is preferred over all others. The context in which the warnings are shown is also highly relevant, indicating that it is likely to be beneficial if IDEs and other development tools become more flexible in their warning interactions with developers. Based on our findings, we provide concrete recommendations for both future research as well as how IDEs and other security tools can improve their interaction with developers. CCS CONCEPTS • Human-centered computing → Empirical studies in HCI; • Security and privacy → Usability in security and privacy.

show abstract

"If you want, I can store the encrypted password"

Cited by 49 publications

References 25 publications

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Cybersecurity

One size does not fit all

Contact Info

Product

Resources

About