TU Darmstadt / ULB / TUbiblio

Securing Your Crypto-API Usage Through Tool Support - A Usability Study

Krüger, Stefan ; Reif, Michael ; Wickert, Anna-Katharina ; Nadi, Sarah ; Ali, Karim ; Bodden, Eric ; Mezini, Mira ; Acar, Yasemin ; Fahl, Sascha (2023)
Securing Your Crypto-API Usage Through Tool Support - A Usability Study.
2023 IEEE Secure Development Conference. Atlanta, USA (18.10.2023 - 20.10.2023)
doi: 10.1109/SecDev56634.2023.00015
Konferenzveröffentlichung, Bibliographie

Kurzbeschreibung (Abstract)

Developing secure software is essential for protecting passwords and other sensitive data. Despite the abundance of cryptographic libraries available to developers, prior work has shown that developers often unknowingly misuse the provided Application Programming Interfaces (APIs), resulting in serious security vulnerabilities. Eclipse CogniCrypt is an IDE plugin that aims at helping developers use cryptographic APIs more easily and securely by providing three main functionalities: (1) it provides a use-case-oriented view of cryptographic APIs and guides the developer through their configuration, (2) it generates the code needed to accomplish the chosen use case based on the selected choices, and (3) it continuously analyzes the developer’s code to ensure that no API misuses are introduced later. However, so far the effectiveness of CogniCrypt was never empirically evaluated. In this work, we fill this gap through a controlled experiment with 24 Java developers. We evaluate the tool’s effectiveness in reducing API misuses and saving developer time. The results show that CogniCrypt significantly improves code security and also speeds up development for cryptography-related tasks. The feedback received during the study suggests that developers particularly appreciate CogniCrypt’s code generation. Its static-analysis is valued for keeping the code up-to-date. Yet, the further integration of generated code into a developer’s project still presents a major challenge. Nonetheless, our results show that CogniCrypt effectively helps application developers produce more secure code.

Typ des Eintrags: Konferenzveröffentlichung
Erschienen: 2023
Autor(en): Krüger, Stefan ; Reif, Michael ; Wickert, Anna-Katharina ; Nadi, Sarah ; Ali, Karim ; Bodden, Eric ; Mezini, Mira ; Acar, Yasemin ; Fahl, Sascha
Art des Eintrags: Bibliographie
Titel: Securing Your Crypto-API Usage Through Tool Support - A Usability Study
Sprache: Englisch
Publikationsjahr: 8 November 2023
Verlag: IEEE
Buchtitel: Proceedings: 2023 IEEE Secure Development Conference
Veranstaltungstitel: 2023 IEEE Secure Development Conference
Veranstaltungsort: Atlanta, USA
Veranstaltungsdatum: 18.10.2023 - 20.10.2023
DOI: 10.1109/SecDev56634.2023.00015
Kurzbeschreibung (Abstract):

Developing secure software is essential for protecting passwords and other sensitive data. Despite the abundance of cryptographic libraries available to developers, prior work has shown that developers often unknowingly misuse the provided Application Programming Interfaces (APIs), resulting in serious security vulnerabilities. Eclipse CogniCrypt is an IDE plugin that aims at helping developers use cryptographic APIs more easily and securely by providing three main functionalities: (1) it provides a use-case-oriented view of cryptographic APIs and guides the developer through their configuration, (2) it generates the code needed to accomplish the chosen use case based on the selected choices, and (3) it continuously analyzes the developer’s code to ensure that no API misuses are introduced later. However, so far the effectiveness of CogniCrypt was never empirically evaluated. In this work, we fill this gap through a controlled experiment with 24 Java developers. We evaluate the tool’s effectiveness in reducing API misuses and saving developer time. The results show that CogniCrypt significantly improves code security and also speeds up development for cryptography-related tasks. The feedback received during the study suggests that developers particularly appreciate CogniCrypt’s code generation. Its static-analysis is valued for keeping the code up-to-date. Yet, the further integration of generated code into a developer’s project still presents a major challenge. Nonetheless, our results show that CogniCrypt effectively helps application developers produce more secure code.
Zusätzliche Informationen:

E1
Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik
20 Fachbereich Informatik > Softwaretechnik
DFG-Sonderforschungsbereiche (inkl. Transregio)
DFG-Sonderforschungsbereiche (inkl. Transregio) > Sonderforschungsbereiche
DFG-Graduiertenkollegs
20 Fachbereich Informatik > EC SPRIDE
20 Fachbereich Informatik > EC SPRIDE > Secure Software Engineering
DFG-Sonderforschungsbereiche (inkl. Transregio) > Sonderforschungsbereiche > SFB 1119: CROSSING – Kryptographiebasierte Sicherheitslösungen als Grundlage für Vertrauen in heutigen und zukünftigen IT-Systemen
Hinterlegungsdatum: 27 Sep 2024 10:37
Letzte Änderung: 27 Sep 2024 10:37
PPN:
Export:
Suche nach Titel in: TUfind oder in Google
Frage zum Eintrag Frage zum Eintrag

Optionen (nur für Redakteure)
Redaktionelle Details anzeigen Redaktionelle Details anzeigen
OAI 2.0-Basis-URL: https://tubiblio.ulb.tu-darmstadt.de/cgi/oai2 TUbiblio verwendet EPrints 3.
Drucken | Impressum | Datenschutzerklärung