I Do and I Understand. Not Yet True for Security APIs. So Sad

Iacono, Luigi Lo; Gorski, Peter Leo

doi:10.14722/eurousec.2017.23015

Cited by 23 publications

(10 citation statements)

References 19 publications

(25 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…SecAPIs broadly fall into two categories, security primitives which required security knowledge to understand and security controls which were found to be a more appropriate abstraction level for developers. Unlike other APIs, SecAPIs do not well support learning-by-doing [70].…”

Section: F Application Programming Interfaces (Apis)mentioning

confidence: 99%

A Survey on Developer-Centred Security

Tahaei

Vaniea

2019

2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

Software developers are key players in the security ecosystem as they produce code that runs on millions of devices. Yet we continue to see insecure code being developed and deployed on a regular basis despite the existence of support infrastructures, tools, and research into common errors. This work provides a systematised overview of the relatively new field of Developer-Centred Security which aims to understand the context in which developers produce security-relevant code as well as provide tools and processes that that better support both developers and secure code production. We report here on a systematic literature review of 49 publications on security studies with software developer participants. We provide an overview of both the types of methodologies currently being used as well as the current research in the area. Finally, we also provide recommendations for future work in Developer-Centred Security.

show abstract

Section: F Application Programming Interfaces (Apis)mentioning

confidence: 99%

A Survey on Developer-Centred Security

Tahaei

Vaniea

2019

2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

show abstract

“…Although their focus is on cryptographic APIs, most of their suggested principles apply equally well to other security APIs. Lo Iacono and Gorski (2017) in [28] note that most of the research investigating the APIs' usability of security is related to cryptography. They point out that security APIs include more than cryptographic APIs.…”

Section: Related Workmentioning

confidence: 99%

Bitcoin’s APIs in Open-Source Projects: Security Usability Evaluation

Tschannen

Ahmed

2020

Electronics

View full text Add to dashboard Cite

Given the current state of software development, it does not seem that we are nowhere near vulnerability-free software applications, due to many reasons, and software developers are one of them. Insecure coding practices, the complexity of the task in hand, and usability issues, amongst other reasons, make it hard on software developers to maintain secure code. When it comes to cryptographic currencies, the need for assuring security is inevitable. For example, Bitcoin is a peer-to-peer software system that is primarily used as digital money. There exist many software libraries supporting various programming languages that allow access to the Bitcoin system via an Application Programming Interface (API). APIs that are inappropriately used would lead to security vulnerabilities, which are hard to discover, resulting in many zero-day exploits. Making APIs usable is, therefore, an essential aspect related to the quality and robustness of the software. This paper surveys the general academic literature concerning API usability and usable security. Furthermore, it evaluates the API usability of Libbitcoin, a well-known C++ implementation of the Bitcoin system, and assesses how the findings of this evaluation could affect the applications that use Libbitcoin. For that purpose, the paper proposes two static analysis tools to further investigate the use of Libbitcoin APIs in open-source projects from a security usability perspective. The findings of this research have improved Libbitcoin in many places, as will be shown in this paper.

show abstract

“…The participants were not primed to expect security tasks, but before accepting them, we made sure that they knew what TLS certificates were. We decided not to limit our sample to security professionals, as it turns out that the majority of developers work with security features from time to time [30]. The whole experiment took about 30 to 40 minutes per participant (pre-task questionnaire, task, post-task interview).…”

Section: Pilot Testing Recruitment and Study Setupmentioning

confidence: 99%

Will You Trust This TLS Certificate?

2020

View full text Add to dashboard Cite

Flawed TLS certificates are not uncommon on the Internet. While they signal a potential issue, in most cases they have benign causes (e.g., misconfiguration or even deliberate deployment). This adds fuzziness to the decision on whether to trust a connection or not. Little is known about perceptions of flawed certificates by IT professionals, even though their decisions impact high numbers of end users. Moreover, it is unclear how much the content of error messages and documentation influences these perceptions. To shed light on these issues, we observed 75 attendees of an industrial IT conference investigating different certificate validation errors. We also analyzed the influence of reworded error messages and redesigned documentation. We find that people working in IT have very nuanced opinions, with trust decisions being far from binary. The self-signed and the name-constrained certificates seem to be over-trusted (the latter also being poorly understood). We show that even small changes in existing error messages can positively influence resource use, comprehension, and trust assessment. At the end of the article, we summarize lessons learned from conducting usable security studies with IT professionals.

show abstract

I Do and I Understand. Not Yet True for Security APIs. So Sad

Cited by 23 publications

References 19 publications

A Survey on Developer-Centred Security

A Survey on Developer-Centred Security

Bitcoin’s APIs in Open-Source Projects: Security Usability Evaluation

Will You Trust This TLS Certificate?

Contact Info

Product

Resources

About