Vulnerabilities as Blind Spots in Developer's Heuristic-Based Decision-Making Processes

Cappos, Justin; Zhuang, Yanyan; Oliveira, Daniela; Rosenthal, Marissa; Yeh, Kuo-Chuan

doi:10.1145/2683467.2683472

Cited by 13 publications

(17 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To this end, [17] outlined an agenda towards understanding developer's attitude, available security development tools, and proposing design suggestions to support developers in building secure applications. There was frequently cited research on developer's lack of security education [18] and security thinking during writing code [19], which was perceived as the reason for different software vulnerabilities. The assumption was that if developers have learned about security, they could better avoid vulnerabilities [20].…”

Section: User Studies Of Security Practicesmentioning

confidence: 99%

Exploring Security Practices of Smart Contract Developers

Sharma¹,

Zhou²,

Miller³

et al. 2022

Preprint

View full text Add to dashboard Cite

Smart contracts are self-executing programs that run on blockchains (e.g., Ethereum). 680 million US dollars worth of digital assets controlled by smart contracts have been hacked or stolen due to various security vulnerabilities in 2021. Although security is a fundamental concern for smart contracts, it is unclear how smart contract developers approach security. To help fill this research gap, we conducted an exploratory qualitative study consisting of a semi-structured interview and a code review task with 29 smart contract developers with diverse backgrounds, including 10 early stage (less than one year of experience) and 19 experienced (2-5 years of experience) smart contract developers. Our findings show a wide range of smart contract security perceptions and practices including various tools and resources they used. Our early stage developer participants had a much lower success rate (15%) of identifying security vulnerabilities in the code review task than their experienced counterparts (55%). Our hierarchical task analysis of their code reviews implies that just by accessing standard documentation, reference implementations and security tools is not sufficient. Many developers checked those materials or used a security tool but still failed to identify the security issues. In addition, several participants pointed out shortcomings of current smart contract security tooling such as its usability. We discuss how future education and tools could better support developers in ensuring smart contract security.

show abstract

Section: User Studies Of Security Practicesmentioning

confidence: 99%

Exploring Security Practices of Smart Contract Developers

Sharma¹,

Zhou²,

Miller³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Cappos et al [28] proposed that software vulnerabilities are a blindspot in developers' heuristic-based decision making mental models. Oliveira et al [65] further showed that security is not a priority in the developers' mindsets while coding; however, that developers do adopt a security mindset once primed about the topic.…”

Section: Related Workmentioning

confidence: 99%

“…Mapping requirements to proper API usage protocols, understanding API side effects, and even deciding between differing expert opinions on API use all pose challenges [44], [74], [75]. Developers misunderstanding APIs is frequently the cause of security vulnerabilities [28], [33], [73].…”

Section: Introductionmentioning

confidence: 99%

“…The question arises of why, if certain APIs are known to cause vulnerabilities, do developers continue to misuse them. Developers often blindly trust APIs, which can lead to blindspots, misconceptions, misunderstandings, or oversights in how APIs are expected to be used [28]. Developers can even feel that they're outsourcing the responsibility for ensuring security when using APIs, not feeling themselves responsible for ensuring the API does the right thing with respect to security [65].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Blindspots in Python and Java APIs Result in Vulnerable Code

Brun¹,

Lin²,

Somerville³

et al. 2021

Preprint

View full text Add to dashboard Cite

Blindspots in APIs can cause software engineers to introduce vulnerabilities, but such blindspots are, unfortunately, common. We study the effect APIs with blindspots have on developers in two languages by replicating an 109-developer, 24-Java-API controlled experiment. Our replication applies to Python and involves 129 new developers and 22 new APIs. We find that using APIs with blindspots statistically significantly reduces the developers' ability to correctly reason about the APIs in both languages, but that the effect is more pronounced for Python. Interestingly, for Java, the effect increased with complexity of the code relying on the API, whereas for Python, the opposite was true. This suggests that Python developers are less likely to notice potential for vulnerabilities in complex code than in simple code, whereas Java developers are more likely to recognize the extra complexity and apply more care, but are more careless with simple code. Whether the developers considered API uses to be more difficult, less clear, and less familiar did not have an effect on their ability to correctly reason about them. Developers with better long-term memory recall were more likely to correctly reason about APIs with blindspots, but short-term memory, processing speed, episodic memory, and memory span had no effect. Surprisingly, professional experience and expertice did not improve the developers' ability to reason about APIs with blindspots across both languages, with long-term professionals with many years of experience making mistakes as often as relative novices. Finally, personality traits did not significantly affect the Python developers' ability to reason about APIs with blindspots, but less extraverted and more open developers were better at reasoning about Java APIs with blindspots. Overall, our findings suggest that blindspots in APIs are a serious problem across languages, and that experience and education alone do not overcome that problem, suggesting that tools are needed to help developers recognize blindspots in APIs as they write code that uses those APIs.

show abstract

“…From a security-by-design point of view, one may search for known types of vulnerabilities, but it is hard to find the unknown ones, those that transcend existing (cultural) classification systems [4,6,34]. In such a context, complete design-time security may be impossible due to the limitations of human perception and imagination.…”

Section: Advantages Of the Paradigmmentioning

confidence: 99%

Cyber Security as Social Experiment

Pieters

Hadžiosmanović

Dechesne³

2014

Proceedings of the 2014 New Security Paradigms Workshop

View full text Add to dashboard Cite

Lessons from previous experiences are often overlooked when deploying security-sensitive technology in the real world. At the same time, security assessments often suffer from a lack of real-world data. This appears similar to general problems in technology assessment, where knowledge about (side-)effects of a new technology often only appears when it is too late. In this context, the paradigm of new technologies as social experiments was proposed, to achieve more conscious and gradual deployment of new technologies, without losing the ability to steer the developments or make changes in designs. In this paper, we propose to apply the paradigm of new technologies as social experiments to security-sensitive technologies. This new paradigm achieves (i) inherent attention for the ethics of deploying securitysensitive systems in the real world, and (ii) more systematic extraction of real-world security data and feedback into decision making processes.

show abstract

Vulnerabilities as Blind Spots in Developer's Heuristic-Based Decision-Making Processes

Cited by 13 publications

References 37 publications

Exploring Security Practices of Smart Contract Developers

Exploring Security Practices of Smart Contract Developers

Blindspots in Python and Java APIs Result in Vulnerable Code

Cyber Security as Social Experiment

Contact Info

Product

Resources

About