Developers Are Neither Enemies Nor Users: They Are Collaborators

Developers struggle to program securely. Prior work has reviewed the methods used to run user studies with developers, systematized the ancestry of security API usability recommendations, and proposed research agendas to help understand developers' knowledge, attitudes towards security, and priorities. In contrast, we study the research to date and abstract out categories of challenges, behaviors, and interventions from the results of developer-centered studies. We analyze these abstractions and identify five misplaced beliefs, or tropes, about developers that are embedded in the core design of APIs and tools. These tropes hamper the effectiveness of interventions meant to help developers program securely. Increased collaboration between developers, security experts, and API designers, which helps developers understand the security assumptions of APIs and yields new, useful abstractions derived from that collaboration, will lead to systems with better security.
