API Blindspots: Why Experienced Developers Write Vulnerable Code
by Daniela S. Oliveira, Tian Lin, Muhammad Sajidur Rahman, Rad Akefirad, Donovan Ellis, Eliany Perez, Rahul Bobhate, Lois A. DeLong, Justin Cappos, Yuriy Brun, Natalie C. Ebner
Abstract:

Despite the best efforts of the security community, security vulnerabilities in software are still prevalent, with new vulnerabilities reported daily and older ones stubbornly repeating themselves. One potential source of these vulnerabilities is shortcomings in the used language and library APIs. Developers tend to trust APIs, but can misunderstand or misuse them, introducing vulnerabilities. We call the causes of such misuse blindspots. In this paper, we study API blindspots from the developers' perspective to: (1) determine the extent to which developers can detect API blindspots in code and (2) examine the extent to which developer characteristics (i.e., perception of code correctness, familiarity with code, confidence, professional experience, cognitive function, and personality) affect this capability. We conducted a study with 109 developers from four countries solving programming puzzles that involve Java APIs known to contain blindspots. We find that (1) The presence of blindspots correlated negatively with the developers' accuracy in answering implicit security questions and the developers' ability to identify potential security concerns in the code. This effect was more pronounced for I/O-related APIs and for puzzles with higher cyclomatic complexity. (2) Higher cognitive functioning and more programming experience did not predict better ability to detect API blindspots. (3) Developers exhibiting greater openness as a personality trait were more likely to detect API blindspots. This study has the potential to advance API security in (1) design, implementation, and testing of new APIs; (2) addressing blindspots in legacy APIs; (3) development of novel methods for developer recruitment and training based on cognitive and personality assessments; and (4) improvement of software development processes (e.g., establishment of security and functionality teams).

Citation:
Daniela S. Oliveira, Tian Lin, Muhammad Sajidur Rahman, Rad Akefirad, Donovan Ellis, Eliany Perez, Rahul Bobhate, Lois A. DeLong, Justin Cappos, Yuriy Brun, and Natalie C. Ebner, API Blindspots: Why Experienced Developers Write Vulnerable Code, in Proceedings of the USENIX Symposium on Usable Privacy and Security (SOUPS), 2018.
Bibtex:
@inproceedings{Oliveira18soups,
  author = {Daniela S. Oliveira and Tian Lin and Muhammad Sajidur Rahman and
  Rad Akefirad and Donovan Ellis and Eliany Perez and Rahul Bobhate and 
  Lois A. DeLong and Justin Cappos and Yuriy Brun and Natalie C. Ebner},
  title = {\href{http://people.cs.umass.edu/brun/pubs/pubs/Oliveira18soups.pdf}{API Blindspots: Why Experienced Developers Write Vulnerable Code}},
  booktitle = {Proceedings of the USENIX Symposium on Usable Privacy and Security (SOUPS)},
  venue = {SOUPS},
  address = {Baltimore, MD, USA},
  month = {August},
  date = {12--14},
  year = {2018},

  accept = {$\frac{28}{123} \approx 23\%$},

  abstract = {<p>Despite the best efforts of the security community, security
  vulnerabilities in software are still prevalent, with new vulnerabilities
  reported daily and older ones stubbornly repeating themselves. One
  potential source of these vulnerabilities is shortcomings in the used
  language and library APIs. Developers tend to trust APIs, but can
  misunderstand or misuse them, introducing vulnerabilities. We call the
  causes of such misuse blindspots. In this paper, we study API blindspots
  from the developers' perspective to: (1)~determine the extent to which
  developers can detect API blindspots in code and (2)~examine the extent to
  which developer characteristics (i.e., perception of code correctness,
  familiarity with code, confidence, professional experience, cognitive
  function, and personality) affect this capability. We conducted a study
  with 109 developers from four countries solving programming puzzles that
  involve Java APIs known to contain blindspots. We find that (1)~The
  presence of blindspots correlated negatively with the developers' accuracy
  in answering implicit security questions and the developers' ability to
  identify potential security concerns in the code. This effect was more
  pronounced for I/O-related APIs and for puzzles with higher cyclomatic
  complexity. (2)~Higher cognitive functioning and more programming
  experience did not predict better ability to detect API blindspots.
  (3)~Developers exhibiting greater openness as a personality trait were more
  likely to detect API blindspots. This study has the potential to advance
  API security in (1)~design, implementation, and testing of new APIs;
  (2)~addressing blindspots in legacy APIs; (3)~development of novel methods
  for developer recruitment and training based on cognitive and personality
  assessments; and (4)~improvement of software development processes (e.g.,
  establishment of security and functionality teams).</p>},
}