The developer is the enemy

We argue that application developers, while often viewed as allies in the effort to create software with fewer security vulnerabilities, are not reliable allies. They have varying skill sets which often do not include security. Moreover, we argue that it is inefficient and unrealistic to expect to be able to successfully teach all of the world's population of software developers to be security experts. We suggest more efficient and effective alternatives, focusing on those developers who produce core functionality used by other developers (e.g. those who develop popular APIs -- Application Programming Interfaces). We discuss the benefits of designing APIs which can be easily used in a secure fashion to encourage security. We also introduce two straw-man proposals which integrate security into the workflow of an application developer. Data tagging and unsuppressible warnings provide the basis for further work where the most natural use (path of least resistance) results in secure code. We believe there are benefits to co-opting developers into programming securely.
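The abstract's data-tagging idea, as an added illustration that is not code from the paper: untrusted input is tagged where it enters the program, the tag survives ordinary string building, and each output sink refuses anything that has not passed through the sanitiser written for that particular sink. The class names (Tainted, HtmlSafe, ShellSafe), the sink and sanitiser functions, and the sample inputs are this example's own assumptions; unsuppressible warnings are not modelled here.

```python
import html
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Tainted:
    """A string that arrived from an untrusted source (request parameter,
    file contents, network input). The tag is attached where the data enters
    and survives concatenation, so a developer cannot lose it by accident."""
    value: str

    def __add__(self, other):
        return Tainted(self.value + _raw(other))

    def __radd__(self, other):
        return Tainted(_raw(other) + self.value)


@dataclass(frozen=True)
class HtmlSafe:
    """Cleared for the HTML sink, and only for that sink."""
    value: str


@dataclass(frozen=True)
class ShellSafe:
    """Cleared for the shell sink, and only for that sink."""
    value: str


class TaintError(TypeError):
    """Raised when tagged data reaches a sink without the matching sanitiser."""


def _raw(x) -> str:
    return x.value if isinstance(x, (Tainted, HtmlSafe, ShellSafe)) else str(x)


def html_escape(x) -> HtmlSafe:
    """Sanitiser for the HTML sink; accepts tainted or plain input."""
    return HtmlSafe(html.escape(_raw(x), quote=True))


def shell_quote(x) -> ShellSafe:
    """Sanitiser for the shell sink."""
    return ShellSafe(shlex.quote(_raw(x)))


def _sink(parts, accepted, sink_name) -> str:
    out = []
    for p in parts:
        if isinstance(p, str):          # literal written by the developer: trusted
            out.append(p)
        elif isinstance(p, accepted):   # sanitised for this particular sink
            out.append(p.value)
        else:                           # Tainted, or sanitised for a different sink
            raise TaintError(f"{type(p).__name__} value reached the {sink_name} sink")
    return "".join(out)


def html_sink(*parts) -> str:
    """Emit HTML. Refuses anything not tagged HtmlSafe."""
    return _sink(parts, HtmlSafe, "HTML")


def shell_sink(*parts) -> str:
    """Build a shell command line. Refuses anything not tagged ShellSafe."""
    return _sink(parts, ShellSafe, "shell")


def blocked(sink, *parts) -> bool:
    """True if the sink rejected the parts; shows what the tag catches."""
    try:
        sink(*parts)
        return False
    except TaintError:
        return True


# Constructed sample inputs: a request parameter carrying a script tag and a
# filename carrying a command substitution.
NAME = Tainted("<script>alert(1)</script>")
FILENAME = Tainted("$(rm -rf /)")


def greeting(name: Tainted) -> str:
    """The path of least resistance: the developer reaches for the sink, it
    refuses the tainted value, and the fix is the one-call sanitiser."""
    return html_sink("<p>Hello ", html_escape(name), "</p>")


def list_command(filename: Tainted) -> str:
    return shell_sink("ls -l ", shell_quote(filename))


if __name__ == "__main__":
    print(greeting(NAME))
    print(list_command(FILENAME))
    print(blocked(html_sink, "<b>" + NAME + "</b>"))   # taint survives concatenation
    print(blocked(shell_sink, html_escape(FILENAME)))  # wrong sanitiser for the sink
```

The two failure modes the example exercises are the ones a type-free API lets through silently: a tainted value that has been wrapped in markup by concatenation is still tainted, and a value escaped for HTML is not thereby safe for a shell, so the shell sink rejects it even though it has "been sanitised".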
