Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs

“…One possible explanation of the lack of impact from notifications is that notification elements like presentation, phrasing, organisation, and structure are not well aligned with developer needs. Prior work on the usability of developer-aimed security communications has similarly observed that participants do not find all the information presented in notifications equally useful [39,88]. The results are similar to our observations that participants did not find links to external resources and meta data such as rank and category as useful as sample code (Section 4.3).…”

“…Gorski et al applied Bauer's guidelines to a cryptography API design that included multiple elements such as risk description, secure and insecure actions with examples, and background information. They found that having the API provide a warning with security advice improves code security without changing the perceived usability of the API [40]. In a follow-up participatory design study with developers, researchers highlighted five key elements (message classification, title message, code location, link to detailed external resources, and colour) that participants considered helpful in cryptography API warnings [39].…”

“…They found that having the API provide a warning with security advice improves code security without changing the perceived usability of the API [40]. In a follow-up participatory design study with developers, researchers highlighted five key elements (message classification, title message, code location, link to detailed external resources, and colour) that participants considered helpful in cryptography API warnings [39]. On a positive note, simple changes to API messaging have been show to be helpful.…”

“…We made a list of code samples with vulnerabilities from three resources: (1) OWASP's 2017 top ten web application security risks [77], (2) common weakness enumeration (CWE) 2019 top 25 most dangerous software errors [24], and (3) prior research in usable security studies with developers [1,4,28,40,57,66,71,79]. All code samples were in Java which was selected because it was a popular programming language in several platforms such as GitHub [37], Stack Overflow [76], and other programming languages indexing services [20,23,51].…”

“…where the code encrypts plain text [1,40,57,66,71] using a key and a cipher with RC2 method. RC2 is an obsolete algorithm that can be broken [55].…”

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

“…One possible explanation of the lack of impact from notifications is that notification elements like presentation, phrasing, organisation, and structure are not well aligned with developer needs. Prior work on the usability of developer-aimed security communications has similarly observed that participants do not find all the information presented in notifications equally useful [39,88]. The results are similar to our observations that participants did not find links to external resources and meta data such as rank and category as useful as sample code (Section 4.3).…”

“…Gorski et al applied Bauer's guidelines to a cryptography API design that included multiple elements such as risk description, secure and insecure actions with examples, and background information. They found that having the API provide a warning with security advice improves code security without changing the perceived usability of the API [40]. In a follow-up participatory design study with developers, researchers highlighted five key elements (message classification, title message, code location, link to detailed external resources, and colour) that participants considered helpful in cryptography API warnings [39].…”

“…They found that having the API provide a warning with security advice improves code security without changing the perceived usability of the API [40]. In a follow-up participatory design study with developers, researchers highlighted five key elements (message classification, title message, code location, link to detailed external resources, and colour) that participants considered helpful in cryptography API warnings [39]. On a positive note, simple changes to API messaging have been show to be helpful.…”

“…We made a list of code samples with vulnerabilities from three resources: (1) OWASP's 2017 top ten web application security risks [77], (2) common weakness enumeration (CWE) 2019 top 25 most dangerous software errors [24], and (3) prior research in usable security studies with developers [1,4,28,40,57,66,71,79]. All code samples were in Java which was selected because it was a popular programming language in several platforms such as GitHub [37], Stack Overflow [76], and other programming languages indexing services [20,23,51].…”

“…where the code encrypts plain text [1,40,57,66,71] using a key and a cipher with RC2 method. RC2 is an obsolete algorithm that can be broken [55].…”

Security Notifications in Static Analysis Tools: Developers’ Attitudes, Comprehension, and Ability to Act on Them

Lessons Learned and Suitability of Focus Groups in Security Information Workers Research

FluentCrypto: Cryptography in Easy Mode