A Generic Cognitive Dimensions Questionnaire to Evaluate the Usability of Security APIs

Wijayarathna, Chamila; Arachchilage, Nalin Asanka Gamagedara; Slay, Jill

doi:10.1007/978-3-319-58460-7_11

Cited by 16 publications

(25 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Conducting a user study is a widely known method for identifying usability issues of APIs [14,15,21]. In a user study based usability evaluation, evaluators will recruit programmers and ask them to complete some tasks that will require them to use the API under evaluation.…”

Section: Methodsmentioning

confidence: 99%

“…The cognitive dimensions framework presents a set of dimensions that describe aspects of a tool or an API that impact its usability [14,31]. We used the version of cognitive dimensions framework proposed by Wijayarathna, Arachchilage and Slay [14] in this study, which consists of 15 cognitive dimensions. This framework is embedded to the usability evaluation process through the cognitive dimensions questionnaire [14,31].…”

Section: Methodsmentioning

confidence: 99%

“…The relationship between the usability of security APIs (APIs that provide security related functionalities) and security of end user applications that use those security APIs has become a topic of high interest among researchers recently [14,15,16,17,18,19]. There have been several studies that discuss and investigate this relationship [9,15,16,19,20].…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Fighting Against XSS Attacks. A Usability Evaluation of OWASP ESAPI Output Encoding

Wijayarathna¹,

Arachchilage²

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

Self Cite

View full text Add to dashboard Cite

Cross Site Scripting (XSS) is one of the most critical vulnerabilities exist in web applications. XSS can be prevented by encoding untrusted data that are loaded into browser content of web applications. Security Application Programming Interfaces (APIs) such as OWASP ESAPI provide output encoding functionalities for programmers to use to protect their applications from XSS attacks. However, XSS still being ranked as one of the most critical vulnerabilities in web applications suggests that programmers are not effectively using those APIs to encode untrusted data. Therefore, we conducted an experimental study with 10 programmers where they attempted to fix XSS vulnerabilities of a web application using the output encoding functionality of OWASP ESAPI. Results revealed 3 types of mistakes that programmers made which resulted in them failing to fix the application by removing XSS vulnerabilities. We also identified 16 usability issues of OWASP ESAPI. We identified that some of these usability issues as the reason for mistakes that programmers made. Based on these results, we provided suggestions on how the usability of output encoding APIs should be improved to give a better experience to programmers.

show abstract

Section: Methodsmentioning

confidence: 99%

Section: Methodsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Fighting Against XSS Attacks. A Usability Evaluation of OWASP ESAPI Output Encoding

Wijayarathna¹,

Arachchilage²

2019

Proceedings of the Annual Hawaii International Conference on System Sciences

Self Cite

View full text Add to dashboard Cite

show abstract

“…Therefore, we recommend to use a predefined generic questionnaire based on the CDF to collect feedback about the usability of the evaluated API from participants who complete the task/tasks using the API. However, the questionnaire used by Clarke [11] can not be used to evaluate the usability of security APIs, because there are more usability aspects that needs to be considered when evaluating security APIs that are not included in the Clarke's framework and questionnaire [3]- [5]. Wijayarathna et al [3] proposed an enhanced version of the Clarke's framework and questionnaire by including security API related usability aspects proposed by Green and Smith [5], and Gorski and Iacono [4] to use in the usability evaluations of security APIs.…”

Section: Step 3 : Collecting Feedback From the Participantsmentioning

confidence: 99%

“…Since most of the programmers who are involved in the software development process are not experts of cyber security and related aspects [2], they use Application Programming Interfaces (APIs) that provide security related functionalities to embed security functionalities to applications they develop [2]. These APIs that provide security related functionalities are known as security APIs [3], [4]. When security APIs that programmers use are not usable, it is difficult for programmers to learn and use APIs and hence, leads them to make mistakes that would result in introducing security vulnerabilities to applications they develop [4], [7], [30].…”

Section: Introductionmentioning

confidence: 99%

A methodology to Evaluate the Usability of Security APIs

Wijayarathna

Arachchilage

2018

2018 IEEE International Conference on Information and Automation for Sustainability (ICIAfS)

Self Cite

View full text Add to dashboard Cite

Increasing number of cyber-attacks demotivate people to use Information and Communication Technology (ICT) for industrial as well as day to day work. A main reason for the increasing number of cyber-attacks is mistakes that programmers make while developing software applications that are caused by usability issues exist in security Application Programming Interfaces (APIs). These mistakes make software vulnerable to cyber-attacks. In this paper, we attempt to take a step closer to solve this problem by proposing a methodology to evaluate the usability and identify usability issues exist in security APIs. By conducting a review of previous research, we identified 5 usability evaluation methodologies that have been proposed to evaluate the usability of general APIs and characteristics of those methodologies that would affect when using these methodologies to evaluate security APIs. Based on the findings, we propose a methodology to evaluate the usability of security APIs.

show abstract