TY - GEN
T1 - Jumping through hoops
T2 - 2016 IEEE/ACM 38th IEEE International Conference on Software Engineering, ICSE 2016
AU - Nadi, Sarah
AU - Kruger, Stefan
AU - Mezini, Mira
AU - Bodden, Eric
N1 - Publisher Copyright:
© 2016 ACM.
PY - 2016/5/14
Y1 - 2016/5/14
N2 - To protect sensitive data processed by current applications, developers, whether security experts or not, have to rely on cryptography. While cryptography algorithms have become increasingly advanced, many data breaches occur because developers do not correctly use the corresponding APIs. To guide future research into practical solutions to this problem, we perform an empirical investigation into the obstacles developers face while using the Java cryptography APIs, the tasks they use the APIs for, and the kind of (tool) support they desire. We triangulate data from four separate studies that include the analysis of 100 StackOverflow posts, 100 GitHub repositories, and survey input from 48 developers. We find that while developers find it difficult to use certain cryptographic algorithms correctly, they feel surprisingly confident in selecting the right cryptography concepts (e.g., encryption vs. signatures). We also find that the APIs are generally perceived to be too low-level and that developers prefer more task-based solutions.
AB - To protect sensitive data processed by current applications, developers, whether security experts or not, have to rely on cryptography. While cryptography algorithms have become increasingly advanced, many data breaches occur because developers do not correctly use the corresponding APIs. To guide future research into practical solutions to this problem, we perform an empirical investigation into the obstacles developers face while using the Java cryptography APIs, the tasks they use the APIs for, and the kind of (tool) support they desire. We triangulate data from four separate studies that include the analysis of 100 StackOverflow posts, 100 GitHub repositories, and survey input from 48 developers. We find that while developers find it difficult to use certain cryptographic algorithms correctly, they feel surprisingly confident in selecting the right cryptography concepts (e.g., encryption vs. signatures). We also find that the APIs are generally perceived to be too low-level and that developers prefer more task-based solutions.
KW - API misuse
KW - Cryptography
KW - Empirical software engineering
UR - http://www.scopus.com/inward/record.url?scp=84971384501&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84971384501&partnerID=8YFLogxK
U2 - 10.1145/2884781.2884790
DO - 10.1145/2884781.2884790
M3 - Conference contribution
AN - SCOPUS:84971384501
T3 - Proceedings - International Conference on Software Engineering
SP - 935
EP - 946
BT - Proceedings - 2016 IEEE/ACM 38th IEEE International Conference on Software Engineering Companion, ICSE 2016
PB - IEEE Computer Society
Y2 - 14 May 2016 through 22 May 2016
ER -