Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic API Misuse

Authors: 

Peter Leo Gorski and Luigi Lo Iacono, Cologne University of Applied Sciences; Dominik Wermke and Christian Stransky, Leibniz University Hannover; Sebastian Möller, Technical University Berlin; Yasemin Acar, Leibniz University Hannover; Sascha Fahl, Ruhr-University Bochum

Abstract: 

Cryptographic API misuse is responsible for a large number of software vulnerabilities. In many cases developers are overburdened by the complex set of programming choices and their security implications. Past studies have identified significant challenges when using cryptographic APIs that lack a certain set of usability features (e.g. easy-to-use documentation or meaningful warning and error messages) leading to an especially high likelihood of writing functionally correct but insecure code.

To support software developers in writing more secure code, this work investigates a novel approach aimed at these hard-to-use cryptographic APIs. In a controlled online experiment with 53 participants, we study the effectiveness of API-integrated security advice which informs about an API misuse and places secure programming hints as guidance close to the developer. This allows us to address insecure cryptographic choices including encryption algorithms, key sizes, modes of operation and hashing algorithms with helpful documentation in the guise of warnings. Whenever possible, the security advice proposes code changes to fix the responsible security issues. We find that our approach significantly improves code security. 73% of the participants who received the security advice fixed their insecure code.

We evaluate the opportunities and challenges of adopting API-integrated security advice and illustrate the potential to reduce the negative implications of cryptographic API misuse and help developers write more secure code.
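
A minimal sketch of what API-integrated security advice can look like, added here as an illustration and not taken from the paper or its study materials: a hypothetical `new_cipher` entry point still accepts an insecure choice, but warns at the caller's line and proposes a concrete fix. The policy tables, thresholds and all names are assumptions.

```python
import warnings

class SecurityAdviceWarning(UserWarning):
    """Category for API-integrated security advice (hypothetical name)."""

# Constructed policy for this sketch; entries and thresholds are assumptions.
WEAK_ALGORITHMS = {"DES": "AES", "ARC4": "AES"}
WEAK_MODES = {"ECB": "GCM"}
WEAK_HASHES = {"MD5": "SHA256", "SHA1": "SHA256"}
MIN_KEY_BITS = {"AES": 128, "RSA": 2048}

def advise(algorithm, key_bits, mode=None, digest=None):
    """Return (issue, proposed fix) pairs for one set of cryptographic choices."""
    advice = []
    if algorithm in WEAK_ALGORITHMS:
        advice.append((f"{algorithm} is a weak algorithm",
                       f"use algorithm={WEAK_ALGORITHMS[algorithm]!r}"))
    elif key_bits < MIN_KEY_BITS.get(algorithm, 0):
        advice.append((f"{key_bits}-bit key is too short for {algorithm}",
                       f"use key_bits>={MIN_KEY_BITS[algorithm]}"))
    if mode in WEAK_MODES:
        advice.append((f"{mode} is an insecure mode of operation",
                       f"use mode={WEAK_MODES[mode]!r}"))
    if digest in WEAK_HASHES:
        advice.append((f"{digest} is a weak hashing algorithm",
                       f"use digest={WEAK_HASHES[digest]!r}"))
    return advice

def new_cipher(algorithm, key_bits, mode=None, digest=None):
    """Hypothetical API entry point: the call still succeeds, but it warns."""
    for issue, fix in advise(algorithm, key_bits, mode, digest):
        # stacklevel=2 attributes the warning to the calling line, so the
        # advice shows up next to the developer's own code, not the library's.
        warnings.warn(f"{issue}; {fix}", SecurityAdviceWarning, stacklevel=2)
    return {"algorithm": algorithm, "key_bits": key_bits,
            "mode": mode, "digest": digest}

def collect_advice(*args, **kwargs):
    """Call new_cipher and return the advice messages it emitted."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        new_cipher(*args, **kwargs)
    return [str(w.message) for w in caught
            if issubclass(w.category, SecurityAdviceWarning)]
```

Running a test suite with `python -W error::UserWarning` (or a filter on the specific category) turns this advice into a hard failure in CI while leaving it a warning during development.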

BibTeX
@inproceedings {219441,
author = {Peter Leo Gorski and Luigi Lo Iacono and Dominik Wermke and Christian Stransky and Sebastian M{\"o}ller and Yasemin Acar and Sascha Fahl},
title = {Developers Deserve Security Warnings, Too: On the Effect of Integrated Security Advice on Cryptographic {API} Misuse},
booktitle = {Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018)},
year = {2018},
isbn = {978-1-939133-10-6},
address = {Baltimore, MD},
pages = {265--281},
url = {https://www.usenix.org/conference/soups2018/presentation/gorski},
publisher = {USENIX Association},
month = aug
}