TU Darmstadt / ULB / TUbiblio

Jumping through hoops: why do Java developers struggle with cryptography APIs?

Nadi, Sarah ; Krüger, Stefan ; Mezini, Mira ; Bodden, Eric (2016)
Jumping through hoops: why do Java developers struggle with cryptography APIs?
Austin, Texas
doi: 10.1145/2884781.2884790
Conference or Workshop Item, Bibliographie

Abstract

To protect sensitive data processed by current applications, developers, whether security experts or not, have to rely on cryptography. While cryptography algorithms have become increasingly advanced, many data breaches occur because developers do not correctly use the corresponding APIs. To guide future research into practical solutions to this problem, we perform an empirical investigation into the obstacles developers face while using the Java cryptography APIs, the tasks they use the APIs for, and the kind of (tool) support they desire. We triangulate data from four separate studies that include the analysis of 100 StackOverflow posts, 100 GitHub repositories, and survey input from 48 developers. We find that while developers find it difficult to use certain cryptographic algorithms correctly, they feel surprisingly confident in selecting the right cryptography concepts (e.g., encryption vs. signatures). We also find that the APIs are generally perceived to be too low-level and that developers prefer more task-based solutions.

Item Type: Conference or Workshop Item
Erschienen: 2016
Creators: Nadi, Sarah ; Krüger, Stefan ; Mezini, Mira ; Bodden, Eric
Type of entry: Bibliographie
Title: Jumping through hoops: why do Java developers struggle with cryptography APIs?
Language: German
Date: May 2016
Publisher: ACM
Issue Number: 38
Book Title: ICSE '16 Proceedings of the 38th International Conference on Software Engineering
Event Location: Austin, Texas
DOI: 10.1145/2884781.2884790
Abstract:

To protect sensitive data processed by current applications, developers, whether security experts or not, have to rely on cryptography. While cryptography algorithms have become increasingly advanced, many data breaches occur because developers do not correctly use the corresponding APIs. To guide future research into practical solutions to this problem, we perform an empirical investigation into the obstacles developers face while using the Java cryptography APIs, the tasks they use the APIs for, and the kind of (tool) support they desire. We triangulate data from four separate studies that include the analysis of 100 StackOverflow posts, 100 GitHub repositories, and survey input from 48 developers. We find that while developers find it difficult to use certain cryptographic algorithms correctly, they feel surprisingly confident in selecting the right cryptography concepts (e.g., encryption vs. signatures). We also find that the APIs are generally perceived to be too low-level and that developers prefer more task-based solutions.

Uncontrolled Keywords: Cryptography, API misuse, empirical software engineering
Identification Number: TUD-CS-2016-14768
Divisions: Profile Areas
Profile Areas > Cybersecurity (CYSEC)
Date Deposited: 14 Aug 2017 11:36
Last Modified: 03 Jun 2018 21:29
PPN:
Export:
Suche nach Titel in: TUfind oder in Google
Send an inquiry Send an inquiry

Options (only for editors)
Show editorial Details Show editorial Details