I Do and I Understand. Not Yet True for Security APIs. So Sad

Usable security puts the users into the center of cyber security developments. Software developers are a very specific user group in this respect, since their points of contact with security are application programming interfaces (APIs). In contrast to APIs providing functionalities of other domains than security, security APIs are not approachable by habitual means. Learning by doing exploration exercises is not well supported. Reasons for this range from missing documentation, tutorials and examples to lacking tools and impenetrable APIs, that makes this complex matter accessible. In this paper we study what abstraction level of security APIs is more suitable to meet common developers’ needs and expectations. For this purpose, we firstly define the term security API. Following this definition, we introduce a classification of security APIs according to their abstraction level. We then adopted this classification in two studies. In one we gathered the current coverage of the distinct classes by the standard set of security functionality provided by popular software development kits. The other study has been an online questionnaire in which we asked 55 software developers about their experiences and opinion in respect of integrating security mechanisms into their coding projects. Our findings emphasize that the right abstraction level of a security API is one important aspect to consider in usable security API design that has not been addressed much so far.

[1]  Michael Backes,et al.  You Get Where You're Looking for: The Impact of Information Sources on Code Security , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[2]  Shane Markstrum,et al.  Evaluation and usability of programming languages and tools (PLATEAU) , 2012, SPLASH.

[3]  Konstantin Beznosov,et al.  The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems , 2012, CCS.

[4]  J. Doug Tygar,et al.  Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 , 1999, USENIX Security Symposium.

[5]  Luigi Lo Iacono,et al.  Service Security Revisited , 2014, 2014 IEEE International Conference on Services Computing.

[6]  Cesare Pautasso,et al.  Restful web services vs. "big"' web services: making the right architectural decision , 2008, WWW.

[7]  Bernd Freisleben,et al.  Why eve and mallory love android: an analysis of android SSL (in)security , 2012, CCS.

[8]  Mike Bond Understanding security APIs , 2004 .

[9]  Eduardo B. Fernandez,et al.  Security patterns in practice : designing secure architectures using software patterns , 2013 .

[10]  Matthew Green,et al.  Developers are Not the Enemy!: The Need for Usable Security APIs , 2016, IEEE Security & Privacy.

[11]  M. Angela Sasse,et al.  What Usable Security Really Means: Trusting and Engaging Users , 2014, HCI.

[12]  Jasna Kuljis,et al.  Aligning usability and security: a usability study of Polaris , 2006, SOUPS '06.

[13]  Ma Sasse,et al.  The Security-Usability Tradeoff Myth , 2016, IEEE S&P 2016.

[14]  Michelle L. Mazurek,et al.  You are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users , 2016, 2016 IEEE Cybersecurity Development (SecDev).

[15]  Mira Mezini,et al.  "Jumping Through Hoops": Why do Java Developers Struggle with Cryptography APIs? , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[16]  Graham Steel,et al.  An Introduction to Security API Analysis , 2011, FOSAD.

[17]  Brad A. Myers,et al.  Mapping the Space of API Design Decisions , 2007 .

[18]  Sacha Brostoff,et al.  Transforming the ‘Weakest Link’ — a Human/Computer Interaction Approach to Usable and Effective Security , 2001 .

[19]  Jakob Nielsen,et al.  Heuristic evaluation of user interfaces , 1990, CHI '90.

[20]  Sven Türpe Idea: Usable Platforms for Secure Programming - Mining Unix for Insight and Guidelines , 2016, ESSoS.

[21]  Mary Ellen Zurko,et al.  User-centered security , 1996, NSPW '96.

[22]  M. Angela Sasse,et al.  Users are not the enemy , 1999, CACM.

[23]  Matthew Smith,et al.  Rethinking SSL development in an appified world , 2013, CCS.

[24]  Martin P. Robillard,et al.  What Makes APIs Hard to Learn? Answers from Developers , 2009, IEEE Software.

[25]  Vitaly Shmatikov,et al.  The most dangerous code in the world: validating SSL certificates in non-browser software , 2012, CCS.

[26]  Mourad Debbabi,et al.  Security Design Patterns: Survey and Evaluation , 2006, 2006 Canadian Conference on Electrical and Computer Engineering.

[27]  Joseph W. Yoder,et al.  Architectural Patterns for Enabling Application Security , 1998 .

[28]  Luigi Lo Iacono,et al.  Towards the Usability Evaluation of Security APIs , 2016, HAISA.

[29]  Jeffrey Stylos,et al.  Usability Implications of Requiring Parameters in Objects' Constructors , 2007, 29th International Conference on Software Engineering (ICSE'07).