Developers, security & privacy

Paper session

Conference name
CHI 2020
Understanding Privacy-Related Questions on Stack Overflow
Abstract

We analyse Stack Overflow (SO) to understand challenges and confusions developers face while dealing with privacy-related topics. We apply topic modelling techniques to 1,733 privacy-related questions to identify topics and then qualitatively analyse a random sample of 315 privacy-related questions. Identified topics include privacy policies, privacy concerns, access control, and version changes. Results show that developers do ask SO for support on privacy-related issues. We also find that platforms such as Apple and Google are defining privacy requirements for developers by specifying what "sensitive" information is and what types of information developers need to communicate to users (e.g. privacy policies). We also examine the accepted answers in our sample and find that 28% of them link to official documentation and more than half are answered by SO users without references to any external resources.

Keywords
Software Developers
Usable Privacy
Stack Overflow
Authors
Mohammad Tahaei
University of Edinburgh, Edinburgh, United Kingdom
Kami Vaniea
University of Edinburgh, Edinburgh, United Kingdom
Naomi Saphra
University of Edinburgh, Edinburgh, United Kingdom
DOI

10.1145/3313831.3376768

Paper URL

https://doi.org/10.1145/3313831.3376768

On Conducting Security Developer Studies with CS Students: Examining a Password-Storage Study with CS Students, Freelancers, and Company Developers
Abstract

Ecological validity is a major concern in usable security studies with developers. Many studies are conducted with computer science (CS) students out of convenience, since recruiting professional software developers in sufficient numbers is very challenging. In a password-storage study, Naiakshina et al. (CHI'19) showed that CS students behave similarly to freelance developers recruited online. While this is a promising result for conducting developer studies with students, an open question remains: Do professional developers employed in companies behave similarly as well? To provide more insight into the ecological validity of recruiting students for security developer studies, we replicated the study of Naiakshina et al. with developers from diverse companies in Germany. We found that developers employed in companies performed better than students and freelancers in a direct comparison. However, treatment effects were found to be significant in all groups; the treatment effects on CS students also held for company developers.

Keywords
Security Developer Study
Developer Password Study
Usable Security and Privacy
Student Developer
Authors
Alena Naiakshina
University of Bonn, Bonn, Germany
Anastasia Danilova
University of Bonn, Bonn, Germany
Eva Gerlitz
Fraunhofer FKIE, Bonn, Germany
Matthew Smith
University of Bonn & Fraunhofer FKIE, Bonn, Germany
DOI

10.1145/3313831.3376791

Paper URL

https://doi.org/10.1145/3313831.3376791

Building and Validating a Scale for Secure Software Development Self-Efficacy
Abstract

Security is an essential component of the software development lifecycle. Researchers and practitioners have developed educational interventions, guidelines, security analysis tools, and new APIs aimed at improving security. However, measuring any resulting improvement in secure development skill is challenging. As a proxy for skill, we propose to measure self-efficacy, which has been shown to correlate with skill in other contexts. Here, we present a validated scale measuring secure software-development self-efficacy (SSD-SES). We first reviewed popular secure-development frameworks and surveyed 22 secure-development experts to identify 58 unique tasks. Next, we asked 311 developers — over multiple rounds — to rate their skill at each task. We iteratively updated our questions to ensure they were easily understandable, showed adequate variance between participants, and demonstrated reliability. Our final 15-item scale contains two sub-scales measuring belief in ability to perform vulnerability identification and mitigation as well as security communications tasks.

Keywords
Secure Development
Scale Development
Authors
Daniel Votipka
University of Maryland, College Park, MD, USA
Desiree Abrokwa
University of Maryland, College Park, MD, USA
Michelle L. Mazurek
University of Maryland, College Park, MD, USA
DOI

10.1145/3313831.3376754

Paper URL

https://doi.org/10.1145/3313831.3376754

Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs
Abstract

The positive effect of security information communicated to developers through API warnings has been established. However, current prototypical designs are based on security warnings for end-users. To improve security feedback for developers, we conducted a participatory design study with 25 professional software developers in focus groups. We identify which security information is considered helpful in avoiding insecure cryptographic API use during development. Concerning console messages, participants suggested five core elements, namely message classification, title message, code location, link to detailed external resources, and color. Design guidelines for end-user warnings are only partially suitable in this context. Participants emphasized the importance of tailoring the detail and content of security information to the context. Console warnings call for concise communication; further information needs to be linked externally. Therefore, security feedback should transcend tools and should be adjustable by software developers across development tools, considering the work context and developer needs.

Keywords
security warning design
focus groups
participatory design
cryptographic APIs
developer console
software development
Authors
Peter Leo Gorski
TH Köln/University of Applied Sciences, Cologne, Germany
Yasemin Acar
Leibniz University Hannover, Hannover, Germany
Luigi Lo Iacono
TH Köln/University of Applied Sciences, Köln, Germany
Sascha Fahl
Leibniz University Hannover, Hannover, Germany
DOI

10.1145/3313831.3376142

Paper URL

https://doi.org/10.1145/3313831.3376142