“Do this! Do that!, and Nothing will Happen” Do Specifications Lead to Securely Stored Passwords?

Hallett, Joseph; Patnaik, Nikhil; Shreeve, Ben; Rashid, Awais

doi:10.1109/icse43902.2021.00053

Cited by 17 publications

(19 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Developers with adequate experience and support are able to detect improper inputs with proper priming [63]. The importance of priming has also been observed in [29], [41]. The empirical studies report that developers with education performs better be it for secure uses of APIs or to detect insecure uses through the interventions [15], [48], [73].…”

Section: B Effect Of Tropes On Interventionsmentioning

confidence: 95%

“…The security is easy trope arises from a belief that developers are aware of the extent to which their code is insecure. Two studies found that developers are overconfident in the security of their code [29], [41]. Oltrogge et al found that app generators routinely generated insecure apps [1].…”

Section: A Tropesmentioning

confidence: 99%

“…Developers are not all the same: in particular solo developers have different levels of expertise and mental models [11], [41] than those who work in large corporate teams. The expectation that solo developers are experts and fully understand the need for penetration testing, threat modeling, and identify correct security parameters may be misplaced; no matter what education or assurance mechanisms are available to them.…”

Section: B Effect Of Tropes On Interventionsmentioning

confidence: 99%

See 2 more Smart Citations

Developers Are Neither Enemies Nor Users: They Are Collaborators

Chowdhury

Hallett

Patnaik

et al. 2021

2021 IEEE Secure Development Conference (SecDev)

Self Cite

View full text Add to dashboard Cite

Developers struggle to program securely. Prior works have reviewed the methods used to run user-studies with developers, systematized the ancestry of security API usability recommendations, and proposed research agendas to help understand developers' knowledge, attitudes towards security and priorities. In contrast we study the research to date and abstract out categories of challenges, behaviors and interventions from the results of developer-centered studies. We analyze the abstractions and identify five misplaced beliefs or tropes about developers embedded in the core design of APIs and tools. These tropes hamper the effectiveness of interventions to help developers program securely. Increased collaboration between developers, security experts and API designers to help developers understand the security assumptions of APIs alongside creating new useful abstractions-derived from such collaborations-will lead to systems with better security.

show abstract

Section: B Effect Of Tropes On Interventionsmentioning

confidence: 95%

Section: A Tropesmentioning

confidence: 99%

Section: B Effect Of Tropes On Interventionsmentioning

confidence: 99%

See 1 more Smart Citation

Developers Are Neither Enemies Nor Users: They Are Collaborators

Chowdhury

Hallett

Patnaik

et al. 2021

2021 IEEE Secure Development Conference (SecDev)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Weak password checks is one of the top OWASP vulnerabilities and, despite implementing secure password storage, information of users with weak passwords can be hacked easily via sophisticated technologies. Developers' security engagement when working with passwords is often assessed in terms of how developers store passwords, for example in the work of Naiakshina et al [22] and Hallet et al [14]. Implementation of strong password checks is also a recommended OWASP practice which is often overlooked.…”

Section: Issues With Security Knowledgementioning

confidence: 99%

Influences of developers' perspectives on their engagement with security in code

Rauf

López

Sharp

et al. 2022

Proceedings of the 15th International Conference on Cooperative and Human Aspects of Software Engineering

Self Cite

View full text Add to dashboard Cite

Background: Recent studies show that secure coding is about not only technical requirements but also developers' behaviour.Objective: To understand the influence of socio-technical contexts on how developers attend to and engage with security in code, software engineering researchers collaborated with social psychologists on a psychologically-informed study.Method: In a preregistered, between-group, controlled experiment, 124 developers from multiple freelance communities, were primed toward one of three identities, following which they completed code review tasks with open-ended responses. Qualitative analysis of the rich data focused on the attitudes and reasoning that shaped their identification of security issues within code.Results: Overall, attention to code security was intermittent and heterogeneous in focus. Although social identity priming did not significantly change the code review, qualitative analysis revealed that developers varied in how they noticed issues in code, how they addressed them, and how they justified their choices.Conclusion: We found that many developers do think about security -but differently from one another. Hence, effective interventions to promote secure coding must be appropriate to the individual development context. Data is uploaded at: https://osf.io/3jvrk/files/ CCS Concepts• Security and privacy → Social aspects of security and privacy.

show abstract

“…They found that short term memory, memory span and episodic memory had no effect on solving the puzzles. Other works that touch on psychology in security include Hallett et al (2021) [12], where boosting security awareness through requiring planning promoted a small effect on security, and Shreeve et al (2020) [19] who identified decision making processes related to cybersecurity.…”

Section: Phase Twomentioning

confidence: 99%

The Soft Skills of Software Learning Development: the Psychological Dimensions of Computing and Security Behaviours

Ivory

2022

Preprint

View full text Add to dashboard Cite

When writing software code, developers typically prioritise functionality over security, either consciously or unconsciously through biases and heuristics. This is often attributed to tangible pressures such as client requirements, but little is understood about the psychological dimensions affecting security behaviours. There is an increasing demand for understanding how psychological skills affect secure software development and to understand how these skills themselves are developed during the learning process.This doctoral research explores this research space, with aims to identify important workplace-based skills for software developers; to identify and empirically investigate the soft skills behind these workplace skills in order to understand how soft skills can influence security behaviours; and, to identify ways to introduce and teach soft skills to computer science students to prepare the future generation of software developers.The motivations behind this research are presented alongside the work plan. Three distinct phases are introduced, along with planned analyses. Phase one is currently in the data collection stage, with the second phase in planning. Prior relevant work is highlighted, and the paper concludes with a presentation of preliminary results and the planned next steps. CCS CONCEPTS• Security and privacy → Human and societal aspects of security and privacy; • Software and its engineering; • Humancentered computing → Human computer interaction (HCI);

show abstract

“Do this! Do that!, and Nothing will Happen” Do Specifications Lead to Securely Stored Passwords?

Cited by 17 publications

References 41 publications

Developers Are Neither Enemies Nor Users: They Are Collaborators

Developers Are Neither Enemies Nor Users: They Are Collaborators

Influences of developers' perspectives on their engagement with security in code

The Soft Skills of Software Learning Development: the Psychological Dimensions of Computing and Security Behaviours

Contact Info

Product

Resources

About