TY - GEN
T1 - Securing Your Crypto-API Usage Through Tool Support - A Usability Study
AU - Kruger, Stefan
AU - Reif, Michael
AU - Wickert, Anna Katharina
AU - Nadi, Sarah
AU - Ali, Karim
AU - Bodden, Eric
AU - Acar, Yasemin
AU - Mezini, Mira
AU - Fahl, Sascha
N1 - Publisher Copyright: © 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Developing secure software is essential for protecting passwords and other sensitive data. Despite the abundance of cryptographic libraries available to developers, prior work has shown that developers often unknowingly misuse the provided Application Programming Interfaces (APIs), resulting in serious security vulnerabilities. Eclipse CogniCrypt is an IDE plugin that aims at helping developers use cryptographic APIs more easily and securely by providing three main functionalities: (1) it provides a use-case-oriented view of cryptographic APIs and guides the developer through their configuration, (2) it generates the code needed to accomplish the chosen use case based on the selected choices, and (3) it continuously analyzes the developer's code to ensure that no API misuses are introduced later. However, so far the effectiveness of CogniCrypt was never empirically evaluated. In this work, we fill this gap through a controlled experiment with 24 Java developers. We evaluate the tool's effectiveness in reducing API misuses and saving developer time. The results show that CogniCrypt significantly improves code security and also speeds up development for cryptography-related tasks. The feedback received during the study suggests that developers particularly appreciate CogniCrypt's code generation. Its static analysis is valued for keeping the code up-to-date. Yet, the further integration of generated code into a developer's project still presents a major challenge. Nonetheless, our results show that CogniCrypt effectively helps application developers produce more secure code.
AB - Developing secure software is essential for protecting passwords and other sensitive data. Despite the abundance of cryptographic libraries available to developers, prior work has shown that developers often unknowingly misuse the provided Application Programming Interfaces (APIs), resulting in serious security vulnerabilities. Eclipse CogniCrypt is an IDE plugin that aims at helping developers use cryptographic APIs more easily and securely by providing three main functionalities: (1) it provides a use-case-oriented view of cryptographic APIs and guides the developer through their configuration, (2) it generates the code needed to accomplish the chosen use case based on the selected choices, and (3) it continuously analyzes the developer's code to ensure that no API misuses are introduced later. However, so far the effectiveness of CogniCrypt was never empirically evaluated. In this work, we fill this gap through a controlled experiment with 24 Java developers. We evaluate the tool's effectiveness in reducing API misuses and saving developer time. The results show that CogniCrypt significantly improves code security and also speeds up development for cryptography-related tasks. The feedback received during the study suggests that developers particularly appreciate CogniCrypt's code generation. Its static analysis is valued for keeping the code up-to-date. Yet, the further integration of generated code into a developer's project still presents a major challenge. Nonetheless, our results show that CogniCrypt effectively helps application developers produce more secure code.
KW - cryptography
KW - security
KW - software engineering
UR - http://www.scopus.com/inward/record.url?scp=85179179685&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85179179685&partnerID=8YFLogxK
U2 - 10.1109/SecDev56634.2023.00015
DO - 10.1109/SecDev56634.2023.00015
M3 - Conference contribution
AN - SCOPUS:85179179685
T3 - Proceedings - 2023 IEEE Secure Development Conference, SecDev 2023
SP - 14
EP - 25
BT - Proceedings - 2023 IEEE Secure Development Conference, SecDev 2023
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2023 IEEE Secure Development Conference, SecDev 2023
Y2 - 18 October 2023 through 20 October 2023
ER -