You Get Where You're Looking for: The Impact of Information Sources on Code Security

Acar, Yasemin; Backes, Michael; Fahl, Sascha; Kim, Doowon; Mazurek, Michelle L.; Stransky, Christian

doi:10.1109/sp.2016.25

Cited by 213 publications

(203 citation statements)

References 33 publications

Supporting

Mentioning

197

Contrasting

Unclassified

Order By: Relevance

“…They concluded that crypto APIs are generally perceived to be too low-level, and developers prefer more task-based solutions [7]. Acar et al manually analyzed the security properties of Stack Overflow posts, which their participants used to resolve pre-defined challenges, and they automatically analyzed 200,000 randomly sampled apps from the Google Play market [10]. They observed that real-world Android developers use Stack Overflow and are unwilling to use official Android API documentation.…”

Section: Related Workmentioning

confidence: 99%

The Impact of Developer Experience in Using Java Cryptography

Hazhirpasand

Ghafari

Krüger

et al. 2019

2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

View full text Add to dashboard Cite

Background: Previous research has shown that crypto APIs are hard for developers to understand and difficult for them to use. They consequently rely on unvalidated boilerplate code from online resources where security vulnerabilities are common.Aims and method: We analyzed 2,324 open-source Java projects that rely on Java Cryptography Architecture (JCA) to understand how crypto APIs are used in practice, and what factors account for the performance of developers in using these APIs.Results: We found that, in general, the experience of developers in using JCA does not correlate with their performance. In particular, none of the factors such as the number or frequency of committed lines of code, the number of JCA APIs developers use, or the number of projects they are involved in correlate with developer performance in this domain.Conclusions: We call for qualitative studies to shed light on the reasons underlying the success of developers who are expert in using cryptography. Also, detailed investigation at API level is necessary to further clarify a developer obstacles in this domain.

show abstract

Section: Related Workmentioning

confidence: 99%

The Impact of Developer Experience in Using Java Cryptography

Hazhirpasand

Ghafari

Krüger

et al. 2019

2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

View full text Add to dashboard Cite

show abstract

“…Only six guides referenced external information sources; a lack of such citations potentially undermines a reader's confidence in the guide's accuracy and inhibits further reading and learning. Overall, these results provide evidence of an important guidance gap noted in our prior work [4]: official documents and corporate guidelines do not provide the same level of detail and focus on utility as, for example, Q&A sites.…”

Section: Resultsmentioning

confidence: 60%

“…Our prior work found that "official" guidance (from Google and from books) could promote stronger security outcomes than community-based guidance from Stack Overflow [4]. The results of this survey, however, underscore another conclusion from that work: these "official" documents may not necessarily provide the content and format that developers want or need in practice.…”

Section: Resultsmentioning

confidence: 68%

“…A survey by many of the current authors concluded the same, and also determined experimentally the surprising result that programmers using digital books achieved better security than those using web search [4]. Nadi et al found that Java developers perceived cryptography APIs as too low-level and preferred more task-based solutions in documentations [5].…”

Section: Introductionmentioning

confidence: 90%

“…2 Oftentimes, the developer's search will lead to a code snippet on Stack Overflow, and the developer can be tempted to copy and paste the snippet into their own code. This behaviour has been shown to often lead to operational but insecure code, widespread across hundreds of thousands of apps [4], [6], [7], [8], [9], [10]. As Stack Overflow's effect on code security has been investigated in depth, we focus our analysis elsewhere.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Developers Need Support, Too: A Survey of Security Advice for Software Developers

Acar¹,

Stransky²,

Wermke³

et al. 2017

2017 IEEE Cybersecurity Development (SecDev)

Self Cite

View full text Add to dashboard Cite

Abstract-Increasingly developers are becoming aware of the importance of software security, as frequent high-profile security incidents emphasize the need for secure code. Faced with this new problem, most developers will use their normal approach: web search. But are the resulting web resources useful and effective at promoting security in practice? Recent research has identified security problems arising from Q&A resources that help with specific secure-programming problems, but the web also contains many general resources that discuss security and secure programming more broadly, and to our knowledge few if any of these have been empirically evaluated. The continuing prevalence of security bugs suggests that this guidance ecosystem is not currently working well enough: either effective guidance is not available, or it is not reaching the developers who need it. This paper takes a first step toward understanding and improving this guidance ecosystem by identifying and analyzing 19 general advice resources. The results identify important gaps in the current ecosystem and provide a basis for future work evaluating existing resources and developing new ones to fill these gaps.

show abstract

Are the smart contracts on Q&A site reliable?

Zhou,

Wang,

Liu

et al. 2024

Softw Pract Exp

View full text Add to dashboard Cite

Ethereum, as a leading blockchain platform, has attracted a significant number of practitioners. These practitioners require a platform for communication and collaborative problem‐solving, which led to Ethereum Stack Exchange (ESE), a Q&A site dedicated to Ethereum‐related issues. While the Q&A site facilitates communication among practitioners, it also introduces new challenges. Practitioners adopt code snippets from Q&A sites to address problems encountered. However, the quality of code snippets on ESE remains largely unexplored. Vulnerabilities and gas‐inefficient patterns in ESE may spread to the code in Ethereum and threaten its regular operation. In this article, we conduct an empirical study investigating the distribution of vulnerabilities and gas‐inefficient patterns in ESE. Further, we analyze the potential impact of vulnerabilities and gas‐inefficient patterns from ESE on Ethereum. However, we encounter a problem during the vulnerability and gas‐inefficient pattern detection. Established smart contract analysis tools in the mainstream realm necessitate complete source code files for thorough analysis, while codes on ESE are often incomplete code snippets. To address this, we introduce the AST‐based code clone detection technique to construct detectable files corresponding to code snippets. This enables us to detect vulnerabilities and gas‐inefficient patterns in code snippets. In the end, our findings demonstrate that 11.18% of the contract‐level code snippets and 4.06% of function‐level code snippets in ESE have vulnerabilities. And 27.21% of contract‐level code snippets and 17.89% of function‐level code snippets contain gas‐inefficient patterns. The additional consumption caused by the gas‐inefficient pattern in ESE is approximately $1,695,002. Based on these findings, we provide recommendations for both ESE and its users, aiming to foster collaborative efforts and create a more reliable Q&A site for practitioners.

show abstract

You Get Where You're Looking for: The Impact of Information Sources on Code Security

Cited by 213 publications

References 33 publications

The Impact of Developer Experience in Using Java Cryptography

The Impact of Developer Experience in Using Java Cryptography

Developers Need Support, Too: A Survey of Security Advice for Software Developers

Are the smart contracts on Q&A site reliable?

Contact Info

Product

Resources

About