It's the psychology stupid: how heuristics explain software vulnerabilities and how priming can illuminate developer's blind spots

@article{Oliveira2014ItsTP,
  title={It's the psychology stupid: how heuristics explain software vulnerabilities and how priming can illuminate developer's blind spots},
  author={Daniela Oliveira and Marissa Rosenthal and Nicole Morin and Kuo-Chuan Yeh and Justin Cappos and Yanyan Zhuang},
  journal={Proceedings of the 30th Annual Computer Security Applications Conference},
  year={2014}
}
Despite the security community's emphasis on the importance of building secure software, the number of new vulnerabilities found in our systems is increasing. In addition, vulnerabilities that have been studied for years are still commonly reported in vulnerability databases. This paper investigates a new hypothesis that software vulnerabilities are blind spots in developers' heuristic-based decision-making processes. Heuristics are simple computational models to solve problems without…
'Think secure from the beginning': A Survey with Software Developers
TLDR
An online survey was conducted to explore the interplay between developers and software security processes, e.g., how developers influence and are influenced by these processes, including human behaviour and motivation.
API Blindspots: Why Experienced Developers Write Vulnerable Code
TLDR
The presence of blindspots correlated negatively with the developers' accuracy in answering implicit security questions and the developers' ability to identify potential security concerns in the code, and has the potential to advance API security in the design, implementation, and testing of new APIs.
Hackers vs. Testers: A Comparison of Software Vulnerability Discovery Processes
TLDR
A semi-structured interview study with both testers and hackers, focusing on how each group finds vulnerabilities, how they develop their skills, and the challenges they face, suggests that hackers and testers follow similar processes but get different results, due largely to differing experience.
A Human Error Based Approach to Understanding Programmer-Induced Software Vulnerabilities
TLDR
A classification of the most frequently observed human errors committed by programmers (a human error can lead to the injection of one or more security defects) can be useful for software development organizations: they can train developers on these errors so that developers avoid committing them, thereby reducing the chance of vulnerability injection in their code.
The Case for Adaptive Security Interventions
TLDR
This study considered the complexity of the security decision space of developers, using theory from cognitive and social psychology to provide conceptual underpinnings for three categories of impediments to achieving security goals, and suggests "adaptive security interventions" as a solution that responds to the changing security needs of individual developers.
"I Don't Know Too Much About It": On the Security Mindsets of Computer Science Students
TLDR
Investigating the security and privacy perceptions, experiences, and practices of current Computer Science students at the graduate and undergraduate level using semi-structured interviews finds that the attitudes of students already match many of those observed in professional developers.
The Human Dimension of Software Security and Factors Affecting Security Processes
TLDR
This thesis proposed a human-oriented model to describe how external software security motivations can be internalized, and highlighted the interplay between security knowledge, team collaboration, and internal motivation towards security.
Security Notifications in Static Analysis Tools: Developers' Attitudes, Comprehension, and Ability to Act on Them
TLDR
An online experiment in which participants were shown four vulnerable code samples along with SAT guidance and asked to indicate the appropriate fix found that participants had a positive attitude towards SAT notifications and particularly liked the example solutions and vulnerable code.
Maybe Poor Johnny Really Cannot Encrypt: The Case for a Complexity Theory for Usable Security
TLDR
It is argued that the usable security discipline should scientifically understand upper bounds on the human capacity for executing cognitive tasks and for information processing, in order to have realistic expectations about what people can or cannot attain when coping with security tasks.
Code Reviewing as Methodology for Online Security Studies with Developers - A Case Study with Freelancers on Password Storage
TLDR
It is found that security prompting had a significant effect on the security awareness of participants in studies containing programming tasks, and code reviewing is discussed as a new methodology for future security research with developers.

References

Showing 10 of 71 references.
A Trend Analysis of Vulnerabilities
Software vulnerabilities exist and will continue to do so. Every week, a new vulnerability gains popular attention, is discussed at length in mailing lists, and hopefully gets patched by the vendor…
Secure open source collaboration: an empirical study of Linus' law
TLDR
This study examines the security of an open source project in the context of developer collaboration by analyzing version control logs and quantifying notions of Linus' Law, as well as the "too many cooks in the kitchen" viewpoint, into developer activity metrics.
An Empirical Study on Using the National Vulnerability Database to Predict Software Vulnerabilities
TLDR
An empirical study on applying data-mining techniques to NVD data with the objective of predicting the time to next vulnerability for a given software application, showing that the data in NVD generally have poor prediction capability.
Holographic vulnerability studies: vulnerabilities as fractures in interpretation as information flows across abstraction boundaries
TLDR
Categorizing vulnerabilities based on this view, as opposed to the types of categories used in past vulnerability studies, makes vulnerability types more easily generalizable and avoids problems where vulnerabilities could be put in multiple categories.
Static detection of cross-site scripting vulnerabilities
Gary Wassermann, Z. Su. 2008 ACM/IEEE 30th International Conference on Software Engineering, 2008.
TLDR
This paper presents a static analysis for finding XSS vulnerabilities that directly addresses weak or absent input validation, implements the approach, and provides an extensive evaluation that finds both known and unknown vulnerabilities in real-world web applications.
Heuristics and Biases: Implications for Security
How can heuristics and biases improve the design of security technologies to leverage end-user behaviors? This position paper argues both for the importance of this question, and the specific…
Towards a Unifying Approach in Understanding Security Problems
P. Anbalagan, M. Vouk. 2009 20th International Symposium on Software Reliability Engineering, 2009.
TLDR
This work presents an analysis and classification of 43,710 vulnerabilities from the Open Source National Vulnerability Database and vulnerabilities for two specific products, Bugzilla and FEDORA, and investigates a unifying approach to understanding security as a component of reliability.
A Comprehensive and Comparative Analysis of the Patching Behavior of Open Source and Closed Source Software Vendors
G. Schryen. 2009 Fifth International Conference on IT Security Incident Management and IT Forensics, 2009.
TLDR
The results of the analysis suggest that it is not the particular software development style that determines patching behavior, but rather the policy of the particular software vendor; the software examined includes operating systems, database systems, web browsers, email clients, and office systems.
Prediction capabilities of vulnerability discovery models
TLDR
The results suggest that it may be possible to improve the prediction capability of VDMs by combining static and dynamic approaches, or by combining different models.
Using semantic templates to study vulnerabilities recorded in large software repositories
TLDR
Findings are presented from a study of vulnerable software components using an ontology-guided analysis of vulnerabilities recorded in a software project's code repository, together with results from the study of vulnerabilities in the Apache web server.