More Web Proxy on the site http://driver.im/

research-article

Developer-centered security and the symmetry of ignorance

Authors:

Olgierd Pieczul,

Mary Ellen ZurkoAuthors Info & Claims

NSPW '17: Proceedings of the 2017 New Security Paradigms Workshop

Pages 46 - 56

https://doi.org/10.1145/3171533.3171539

Published: 01 October 2017 Publication History

Abstract

In contemporary software development anybody can become a developer, sharing, building and interacting with software components and services in a virtual free for all. In this environment, it is not feasible to expect these developers to be expert in every security detail of the software they use, and we discuss how difficult it can be to build secure software. In this respect, the practical challenges of the emerging paradigm of developer-centered security are explored, where developers would be required to consider security from the perspective of those other developers who use their software. We question whether current user-centered security techniques are adequate for this task and suggest that new thinking will be required. Two directions---symmetry of ignorance and security archaeology-are offered as a new way to consider this challenge.

References

[1]

Yasemin Acar, Michael Backes, Sascha Fahl, Simson Garfinkel, Doowon Kim, Michelle L. Mazurek, and Christian Stransky. 2017. Comparing the Usability of Cryptographic APIs. In IEEE Symposium on Security and Privacy.

[2]

Y. Acar, M. Backes, S. Fahl, D. Kim, M. L. Mazurek, and C. Stransky. 2016. You Get Where You're Looking for: The Impact of Information Sources on Code Security. In 2016 IEEE Symposium on Security and Privacy (SP). 289--305.

[3]

Yasemin Acar, Sascha Fahl, and Michelle L. Mazurek. 2016. You are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users. In Cybersecurity Development (SecDev).

[4]

Yasemin Acar, Christian Stransky, Dominik Wermke, Charles Alexander Forbes Weir, Michelle Mazurek, and Sascha Fahl. 2017. Developers Need Support, Too: A Survey of Security Advice for Software Developers. IEEE, 22--26.

[5]

B. Alpern and F.B. Schneider. 1987. Recognizing Safety and Liveness. Distributed Computing 2 (1987), 117--126.

Digital Library

[6]

Adam Baldwin. 2015. A Malicious Module on npm. blog, https://blog.liftsecurity.io/2015/01/27/a-malicious-module-on-npm. (2015).

[7]

Rebecca Balebako and Lorrie Cranor. 2014. Improving app privacy: Nudging app developers to protect user privacy. IEEE Security & Privacy 12, 4 (2014), 55--58.

[8]

Frederick P. Jr. Brooks. 1975. The Mythical Man-Month. Addison-Wesley, Reading, Mass.

Digital Library

[9]

Justin Cappos, Yanyan Zhuang, Daniela Oliveira, Marissa Rosenthal, and Kuo-Chuan Yeh. 2014. Vulnerabilities As Blind Spots in Developer's Heuristic-Based Decision-Making Processes. In Proceedings of the 2014 New Security Paradigms Workshop (NSPW '14). ACM, New York, NY, USA, 53--62.

Digital Library

[10]

Lorrie Faith Cranor. 2008. A Framework for Reasoning About the Human in the Loop., Article 1 (2008), 15 pages.

[11]

Serge Egelman and Eyal Peer. 2015. The Myth of the Average User: Improving Privacy and Security Systems Through Individualization. In Proceedings of the 2015 New Security Paradigms Workshop (NSPW '15). ACM, New York, NY, USA, 16--28.

Digital Library

[12]

C. Ellison, B. Frantz, B. Lampson, R. Rivest, B. Thomas, and T. Ylonen. 1999. SPKI Certificate Theory. RFC 2693 (Experimental). (Sept. 1999).

Digital Library

[13]

Sascha Fahl, Marian Harbach, Thomas Muders, Lars Baumgärtner, Bernd Freisleben, and Matthew Smith. 2012. Why Eve and Mallory Love Android: An Analysis of Android SSL (in)Security. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12). ACM, New York, NY, USA, 50--61.

Digital Library

[14]

Sascha Fahl, Marian Harbach, Henning Perl, Markus Koetter, and Matthew Smith. 2013. Rethinking SSL Development in an Appified World. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS '13). ACM, New York, NY, USA, 49--60.

Digital Library

[15]

Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner. 2012. Android Permissions: User Attention, Comprehension, and Behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS '12). ACM, New York, NY, USA, Article 3, 14 pages.

Digital Library

[16]

Laura Fichtner, Wolter Pieters, and André Teixeira. 2016. Cybersecurity As a Politikum: Implications of Security Discourses for Infrastructures. In Proceedings of the 2016 New Security Paradigms Workshop (NSPW '16). ACM, New York, NY, USA, 36--48.

Digital Library

[17]

Barbara Filkins. 2016. IT Security Spending Trends. Technical Report. SANS Institute.

[18]

G. Fischer, D. Fogli, and A. Piccinno. 2017. Revisiting and Broadening the Meta-Design Framework for End-User Development. In New Perspectives in End User Development. Kluwer Publishers, Dordrecht, The Netherlands.

[19]

Gerhard Fischer and Thomas Herrmann. 2011. Socio-Technical Systems: AMeta-Design Perspective. International Journal of Sociotechnology and Knowledge Development (IJSKD) 3, 1 (2011), 1--33.

[20]

Ivan Flechais, M. Angela Sasse, and Stephen M. V. Hailes. 2003. Bringing Security Home: A Process for Developing Secure and Usable Systems. In Proceedings of the 2003 Workshop on New Security Paradigms (NSPW '03). ACM, New York, NY, USA, 49--57.

Digital Library

[21]

Simon N. Foley. 2013. Noninterference Analysis of Delegation Subterfuge in Distributed Authorization Systems. In Trust Management VII - 7th IFIP WG 11.11 International Conference, IFIPTM 2013, Malaga, Spain, June 3-7, 2013. Proceedings. 193--207.

[22]

M. Green and M. Smith. 2016. Developers are Not the Enemy!: The Need for Usable Security APIs. IEEE Security Privacy 14, 5 (Sept 2016), 40--46.

Digital Library

[23]

Peter Gutmann. 2014. Engineering Security.

[24]

Almut Herzog and Nahid Shahmehri. 2007. User Help Techniques for Usable Security. In Proceedings of the 2007 Symposium on Computer Human Interaction for the Management of Information Technology (CHIMIT '07). ACM, New York, NY, USA, Article 11.

Digital Library

[25]

H. M. Hinton. 1997. Under-specification, Composition and Emergent Properties. In Proceedings of the 1997 Workshop on New Security Paradigms (NSPW '97). ACM, New York, NY, USA, 83--93.

Digital Library

[26]

H. M. Hinton. 1998. Composing partially-specified systems. In Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186). 27--37.

[27]

Erkki Huhtamo and Jussi Parikka. 2011. Media archaeology: Approaches, applications, and implications. Univ of California Press.

Digital Library

[28]

Luigi Lo Iacono and Peter Leo Gorski. 2017. I Do and I Understand. Not Yet True for Security APIs. So Sad. In 2nd European Workshop on Usable Security, EuroUSEC 2017.

[29]

M.A. Jackson. 1989. Getting It Wrong: A Cautionary Tale. In JSP & JSD: The Jackson Approach to Software Development, John Cameron (Ed.). IEEE CS Press.

[30]

Daniel E. Geer Jr. 2012. Power. Law. IEEE Security & Privacy 10 (2012), 94--95.

Digital Library

[31]

Tobias Lauinger, Abdelberi Chaabane, William Robertson, Christo Wilson, and Engin Kirda. 2017. Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web. In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA.

[32]

Heather Richter Lipford and Mary Ellen Zurko. 2012. Someone to Watch over Me. In Proceedings of the 2012 New Security Paradigms Workshop (NSPW '12). ACM, New York, NY, USA, 67--76.

Digital Library

[33]

Kevin Montrose. 2016. Introducing Stack Overflow Documentation Beta. StackOverflow blog, https://stackoverflow.blog/2016/07/21/introducing-stack-overflow-documentation-beta/. (2016).

[34]

B. A. Myers, A.J. Ko, T. D. LaToza, and Y. Yoon. 2016. Programmers Are Users Too: Human-Centered Methods for Improving Programming Tools. Computer 49, 7 (July 2016), 44--52.

Digital Library

[35]

Brad A. Myers and Jeffrey Stylos. 2016. Improving API Usability. Commun. ACM 59, 6 (May 2016), 62--69.

Digital Library

[36]

Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden. 2016. Jumping Through Hoops: Why Do Java Developers Struggle with Cryptography APIs?. In Proceedings of the 38th International Conference on Software Engineering (ICSE '16). ACM, New York, NY, USA, 935--946.

Digital Library

[37]

D. Oliveira, M. Rosenthal, N. Morin, K-C Yeh, J. Cappos, and Y. Zhuang. 2014. It's the Psychology Stupid: How Heuristics Explain Software Vulnerabilities and How Priming Can Illuminate Developer's Blind Spots. In Proceedings of the 30th Annual Computer Security Applications Conference (ACSAC '14). ACM, New York, NY, USA, 296--305.

Digital Library

[38]

Olgierd Pieczul and Simon N. Foley. 2015. The Dark Side of the Code. In Security Protocols XXIII: 23rd International Workshop, Cambridge, UK, March 31-April 2, 2015, Revised Selected Papers, Bruce Christianson, Petr Švenda, Vashek Matyáš, James Malcolm, Frank Stajano, and Jonathan Anderson (Eds.). Springer International Publishing, Cham, 1--11.

Digital Library

[39]

Olgierd Pieczul and Simon N. Foley. 2017. The Evolution of a Security Control. In Security Protocols XXIV: 24th International Workshop, Brno, Czech Republic, April 7-8, 2016, Revised Selected Papers, Jonathan Anderson, Vashek Matyáš, Bruce Christianson, and Frank Stajano (Eds.). Springer International Publishing, Cham, 67--84.

[40]

Rob Reeder, E. Cram Kowalczyk, and Adam Shostack. 2011. Helping engineers design NEAT security warnings. In Proceedings of the Symposium On Usable Privacy and Security (SOUPS), Pittsburgh, PA.

[41]

Ninlabs research. 2013. API Documentation. online. (2013). http://blog.ninlabs.com/2013/03/api-documentation/.

[42]

H Rittel. 1984. Developments in Design Methodology. John Wiley & Sons, New York, Chapter Second Generation Design Methods, 317--327.

[43]

Fred B. Schneider. 2000. Enforceable Security Policies. ACM Trans. Inf. Syst. Secur. 3, 1 (Feb. 2000), 30--50.

Digital Library

[44]

Bruce Schneier. 2016. Stop Trying to Fix the User. IEEE Security and Privacy 14, 5 (Sept. 2016), 96--96.

Digital Library

[45]

Charlotte Seager. 2015. Will learning to code help you get a job? Guardian Careers. (2015).

[46]

A. Shostack. 2008. Experiences threat modeling at Microsoft. In Workshop on Modeling Security (ModSec).

[47]

Adam Shostack. 2010. Engineers are People Too. Proceedings of the Symposium On Usable Privacy and Security (SOUPS), keynote. (2010).

[48]

Adam Shostack. 2014. Elevation of Privilege: Drawing Developers into Threat Modeling. In 2014 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE 14). USENIX Association, San Diego, CA.

[49]

Sathya Chandran Sundaramurthy, John McHugh, Xinming Ou, Michael Wesch, Alexandru G. Bardas, and S. Raj Rajagopalan. 2016. Turning Contradictions into Innovations or: How We Learned to Stop Whining and Improve Security Operations. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016). USENIX Association, Denver, CO, 237--251.

[50]

Tyler W. Thomas, Heather Lipford, Bill Chu, Justin Smith, and Emerson Murphy-Hill. 2016. What Questions Remain? An Examination of How Developers Understand an Interactive Static Analysis Tool. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016). USENIX Association, Denver, CO.

[51]

Nikolai Philipp Tschacher. 2016. Typosquatting in Programming Language Package Managers. Master's thesis. University of Hamburg.

[52]

Sven Türpe. 2012. Point-and-shoot Security Design: Can We Build Better Tools for Developers?. In Proceedings of the 2012 New Security Paradigms Workshop (NSPW '12). ACM, New York, NY, USA, 27--42.

Digital Library

[53]

Sven Türpe, Laura Kocksch, and Andreas Poller. 2016. Penetration Tests a Turning Point in Security Practices? Organizational Challenges and Implications in a Software Development Team. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016). USENIX Association, Denver, CO.

[54]

C. Weir, A. Rashid, and J. Noble. 2017. I'd Like to Have an Argument, Please: Using Dialectic for Effective App Security. In 2nd European Workshop on Usable Security, EuroUSEC 2017.

[55]

Erik Wittern, Philippe Suter, and Shriram Rajagopalan. 2016. A Look at the Dynamics of the JavaScript Package Ecosystem. In Proceedings of the 13th International Conference on Mining Software Repositories (MSR '16). ACM, New York, NY, USA, 351--361.

Digital Library

[56]

Glenn Wurster and P. C. van Oorschot. 2008. The Developer is the Enemy. In Proceedings of the 2008 New Security Paradigms Workshop (NSPW '08). ACM, New York, NY, USA, 89--97.

Digital Library

[57]

Jing Xie, Heather Lipford, and Bei-Tseng Chu. 2012. Evaluating Interactive Support for Secure Programming. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (CHI '12). ACM, New York, NY, USA, 2707--2716.

Digital Library

[58]

Koen Yskout, Riccardo Scandariato, and Wouter Joosen. 2015. Do Security Patterns Really Help Designers?. In Proceedings of the 37th International Conference on Software Engineering - Volume 1 (ICSE '15). IEEE Press, Piscataway, NJ, USA, 292--302.

Digital Library

[59]

Mary Ellen Zurko. 2005. Security and Usability. O'Reilly, Chapter IBM Lotus Notes/Domino: Embedding Security in Collaborative Applications.

[60]

Mary Ellen Zurko and Richard T. Simon. 1996. User-centered Security. In Proceedings of the 1996 Workshop on New Security Paradigms (NSPW '96). ACM, New York, NY, USA, 27--33.

Digital Library

Cited By

Karanassios CHadan HZhang-Kennedy LAssal H(2024)Towards Security-Focused Developer PersonasProceedings of the 13th Nordic Conference on Human-Computer Interaction10.1145/3679318.3685406(1-18)Online publication date: 13-Oct-2024
https://dl.acm.org/doi/10.1145/3679318.3685406
Lewis JFulton K(2024)NERDS: A Non-invasive Environment for Remote Developer StudiesProceedings of the 17th Cyber Security Experimentation and Test Workshop10.1145/3675741.3675750(74-82)Online publication date: 13-Aug-2024
https://dl.acm.org/doi/10.1145/3675741.3675750
Sharma TZhou ZMiller AWang YCalandrino JTroncoso C(2023)A mixed-methods study of security practices of smart contract developersProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620380(2545-2562)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620380
Show More Cited By

Index Terms

Developer-centered security and the symmetry of ignorance
1. Security and privacy
  1. Human and societal aspects of security and privacy
    1. Usability in security and privacy
  2. Software and application security
    1. Software security engineering

Recommendations

Security Policies and the Software Developer

A wide range of legal and regulatory issues surround Web software development, including the need to protect consumer information. A good set of security policies will limit company exposure. Understanding and implementing good policies is therefore as ...
Rethinking the security of IoT from the perspective of developer customized device-cloud interaction
SAC '22: Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing

IoT cloud involved communication is widely deployed due to its various services. While IoT clouds provide many strong security mechanisms, lots of IoT devices are still configured with vulnerable interaction procedures with clouds. In this paper, we ...
How can the developer benefit from security modeling?
ARES '07: Proceedings of the The Second International Conference on Availability, Reliability and Security

Security has become a necessary part of nearly every software development project, as the overall risk from malicious users is constantly increasing, due to increased consequences of failure, security threats and exposure to threats. There are few ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

NSPW '17: Proceedings of the 2017 New Security Paradigms Workshop

October 2017

138 pages

ISBN:9781450363846

DOI:10.1145/3171533

Copyright © 2017 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

NSF: National Science Foundation
ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 October 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article
Research
Refereed limited

Conference

NSPW '17

NSPW '17: 2017 New Security Paradigms Workshop

October 1 - 4, 2017

CA, Santa Cruz, USA

Acceptance Rates

Overall Acceptance Rate 98 of 265 submissions, 37%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

23
Total Citations
View Citations
492
Total Downloads

Downloads (Last 12 months)49
Downloads (Last 6 weeks)5

Reflects downloads up to 10 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Karanassios CHadan HZhang-Kennedy LAssal H(2024)Towards Security-Focused Developer PersonasProceedings of the 13th Nordic Conference on Human-Computer Interaction10.1145/3679318.3685406(1-18)Online publication date: 13-Oct-2024
https://dl.acm.org/doi/10.1145/3679318.3685406
Lewis JFulton K(2024)NERDS: A Non-invasive Environment for Remote Developer StudiesProceedings of the 17th Cyber Security Experimentation and Test Workshop10.1145/3675741.3675750(74-82)Online publication date: 13-Aug-2024
https://dl.acm.org/doi/10.1145/3675741.3675750
Sharma TZhou ZMiller AWang YCalandrino JTroncoso C(2023)A mixed-methods study of security practices of smart contract developersProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620380(2545-2562)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620380
Klemmer JGutfleisch MStransky CAcar YSasse MFahl SMeng WJensen CCremers CKirda E(2023)"Make Them Change it Every Week!": A Qualitative Exploration of Online Developer Advice on Usable and Secure AuthenticationProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623072(2740-2754)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623072
Ryan IRoedig UStol K(2023)Measuring Secure Coding Practice and Culture: A Finger Pointing at the Moon is not the Moon2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)10.1109/ICSE48619.2023.00140(1622-1634)Online publication date: May-2023
https://doi.org/10.1109/ICSE48619.2023.00140
Tam CBalau MOliveira T(2023)What Influences People’s Adoption of Cognitive Cybersecurity?International Journal of Human–Computer Interaction10.1080/10447318.2023.227941140:23(8295-8312)Online publication date: 12-Nov-2023
https://doi.org/10.1080/10447318.2023.2279411
Slesinger IColes-Kemp LPanteli NHansen R(2022)Designing Through The Stack: The Case for a Participatory Digital Security By DesignProceedings of the 2022 New Security Paradigms Workshop10.1145/3584318.3584322(45-59)Online publication date: 24-Oct-2022
https://dl.acm.org/doi/10.1145/3584318.3584322
Gutfleisch MKlemmer JBusch NAcar YSasse MFahl S(2022)How Does Usable Security (Not) End Up in Software Products? Results From a Qualitative Interview Study2022 IEEE Symposium on Security and Privacy (SP)10.1109/SP46214.2022.9833756(893-910)Online publication date: May-2022
https://doi.org/10.1109/SP46214.2022.9833756
Tomlinson AParkin SShaikh S(2022)Drivers and barriers for secure hardware adoption across ecosystem stakeholdersJournal of Cybersecurity10.1093/cybsec/tyac0098:1Online publication date: 5-Aug-2022
https://doi.org/10.1093/cybsec/tyac009
Mokhberi ABeznosov K(2021)SoK: Human, Organizational, and Technological Dimensions of Developers’ Challenges in Engineering Secure SoftwareProceedings of the 2021 European Symposium on Usable Security10.1145/3481357.3481522(59-75)Online publication date: 11-Oct-2021
https://dl.acm.org/doi/10.1145/3481357.3481522
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents