TY - GEN
T1 - Vulnerabilities as blind spots in developer's heuristic-based decision-making processes
AU - Cappos, Justin
AU - Zhuang, Yanyan
AU - Oliveira, Daniela
AU - Rosenthal, Marissa
AU - Yeh, Kuo Chuan
N1 - Publisher Copyright:
Copyright 2014 ACM.
PY - 2014/9/15
Y1 - 2014/9/15
N2 - The security community spares no effort in emphasizing security awareness and the importance of building secure software. However, the number of new vulnerabilities found in today's systems is still increasing. Furthermore, old and well-studied vulnerability types, such as buffer overflows and SQL injections, are still repeatedly reported in vulnerability databases. Historically, the common response has been to blame the developers for their lack of security education. This paper discusses a new hypothesis to explain this problem by introducing a new security paradigm where software vulnerabilities are viewed as developers' blind spots in their decision making. We argue that such a flawed mental process is heuristic-based, where humans solve problems without considering all the information available, just like taking shortcuts. This paper's thesis is that security thinking tends to be left out by developers during their programming, as vulnerabilities usually exist in corner cases with unusual information flows. Leveraging this paradigm, this paper introduces a novel methodology for capturing and understanding security-related blind spots in Application Programming Interfaces (APIs). Finally, it discusses how this methodology can be applied to the design and implementation of the next generation of automated diagnosis tools.
UR - http://www.scopus.com/inward/record.url?scp=84984985662&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84984985662&partnerID=8YFLogxK
U2 - 10.1145/2683467.2683472
DO - 10.1145/2683467.2683472
M3 - Conference contribution
AN - SCOPUS:84984985662
T3 - ACM International Conference Proceeding Series
SP - 53
EP - 61
BT - NSPW 2014 - Proceedings of the 2014 New Security Paradigms Workshop
PB - Association for Computing Machinery
T2 - 2014 New Security Paradigms Workshop, NSPW 2014
Y2 - 15 September 2014 through 18 September 2014
ER -