Vulnerabilities as blind spots in developer's heuristic-based decision-making processes

Justin Cappos, Yanyan Zhuang, Daniela Oliveira, Marissa Rosenthal, Kuo Chuan Yeh

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    The security community spares no effort in emphasizing security awareness and the importance of building secure software. However, the number of new vulnerabilities found in today's systems is still increasing. Furthermore, old and well-studied vulnerability types such as buffer overflows and SQL injections, are still repeatedly reported in vulnerability databases. Historically, the common response has been to blame the developers for their lack of security education. This paper discusses a new hypothesis to explain this problem by introducing a new security paradigm where software vulnerabilities are viewed as developers' blind spots in their decision making. We argue that such a flawed mental process is heuristic-based, where humans solve problems without considering all the information available, just like taking shortcuts. This paper's thesis is that security thinking tends to be left out by developers during their programming, as vulnerabilities usually exist in corner cases with unusual information flows. Leveraging this paradigm, this paper introduces a novel methodology for capturing and understanding security-related blind spots in Application Programming Interfaces (APIs). Finally, it discusses how this methodology can be applied to the design and implementation of the next generation of automated diagnosis tools.

    Original languageEnglish (US)
    Title of host publicationNSPW 2014 - Proceedings of the 2014 New Security Pardigms Workshop
    PublisherAssociation for Computing Machinery
    Pages53-61
    Number of pages9
    ISBN (Electronic)9781450330626
    DOIs
    StatePublished - Sep 15 2014
    Event2014 New Security Pardigms Workshop, NSPW 2014 - Victoria, Canada
    Duration: Sep 15 2014Sep 18 2014

    Publication series

    NameACM International Conference Proceeding Series
    Volume15-18-September-2014

    Other

    Other2014 New Security Pardigms Workshop, NSPW 2014
    Country/TerritoryCanada
    CityVictoria
    Period9/15/149/18/14

    ASJC Scopus subject areas

    • Software
    • Human-Computer Interaction
    • Computer Vision and Pattern Recognition
    • Computer Networks and Communications

    Fingerprint

    Dive into the research topics of 'Vulnerabilities as blind spots in developer's heuristic-based decision-making processes'. Together they form a unique fingerprint.

    Cite this