A Longitudinal and Retrospective Study on How Developers Misuse Cryptography in Online Communities
Abstract
Software developers participating in online communities benefit from quick solutions to technology specific issues and, eventually, get better in troubleshooting technology malfunctioning. In this work, we investigate whether developers who are part of online communities for cryptography programming are getting better in using cryptography with time. This is a crucial issue nowadays, when "real-world crypto" is becoming a topic of serious investigation, not only academically but in security management as a whole: cryptographic programming handled by non-specialists is an important and often invisible source of vulnerabilities [RWC ]. We performed a retrospective and longitudinal study, tracking developers' answers about cryptography programming in two online communities. We found that cryptography misuse is not only common in online communities, but also recurrent in developer's discussions, suggesting that developers can learn how to use crypto APIs without actually learning cryptography. In fact, we could not identify significant improvements in cryptography learning in many daily tasks such as avoiding obsolete cryptography. We conclude that the most active users of online communities for cryptography APIs are not learning the tricky details of applied cryptography, a quite worrisome state of affairs.References
Acar, Y., Backes, M., Fahl, S., Kim, D., Mazurek, M. L., and Stransky, C. (2016a). You Get Where You’re Looking For: The Impact Of Information Sources on Code Security. In Security and Privacy (SP), 2016 IEEE Symposium on, pages 289–305. IEEE.
Acar, Y., Fahl, S., and Mazurek, M. L. (2016b). You Are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users.
Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J. A., Heninger, N., Springall, D., Thomé, E., Valenta, L., and Others (2015). Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 5–17. ACM.
Alashwali, E. S. (2013). Cryptographic vulnerabilities in real-life web servers. In Third International Conference on Communications and Information Technology (ICCIT), pages 6–11. Ieee.
BC. The Legion of the Bouncy Castle.
Bos, J. W., Halderman, J. A., Heninger, N., Moore, J., Naehrig, M., and Wustrow, E. (2014). Elliptic curve cryptography in practice. In Financial Cryptography and Data Security, pages 157–175. Springer.
Bourque, P. and Fairley, R., editors (2014). Guide to the Software Engineering Body of Knowledge (SWEBOK). IEEE Computer Society, version 3. edition.
Braga, A. and Dahab, R. (2015). Introdução à Criptografia para Programadores: Evitando Maus Usos da Criptografia em Sistemas de Software. In Caderno de minicursos do XV Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais — SBSeg 2015, pages 1–50.
Braga, A. and Dahab, R. (2016). Mining Cryptography Misuse in Online Forums. In 2nd International Workshop on Human and Social Aspect of Software Quality.
Chatzikonstantinou, A., Ntantogian, C., Xenakis, C., and Karopoulos, G. (2015). Evaluation of Cryptography Usage in Android Applications. 9th EAI International Conference on Bio-inspired Information and Communications Technologies.
Chess, B. andWest, J. (2007). Secure programming with static analysis.
CYBSI (2014). Avoiding The Top 10 Software Security Design Flaws.
Egele, M., Brumley, D., Fratantonio, Y., and Kruegel, C. (2013). An empirical study of cryptographic misuse in android applications. ACM SIGSAC conference on Computer & comm. security (CCS’13), pages 73–84.
Fahl, S., Harbach, M., and Muders, T. (2012). Why Eve and Mallory love Android: An analysis of Android SSL (in) security. In ACM conference on Computer and communications security, pages 50–61.
Friedman, J., Hastie, T., and Tibshirani, R. (2009). The elements of statistical learning, volume 2. Springer-Verlag. GAD. Google Android Developers.
Georgiev, M., Iyengar, S., and Jana, S. (2012). The most dangerous code in the world: validating SSL certificates in non-browser software. In Proceedings of the 2012 ACM conference on Computer and communications security - CCS ’12, pages 38–49.
Howard, M. and LeBlanc, D. (2003). Writing secure code.
Howard, M., LeBlanc, D., and Viega, J. (2009). 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill Education.
Howard, M. and Lipner, S. (2006). The Security Development Lifecycle. Microsoft Press, Redmond,WA, USA.
Hutcheson, M. L. (2003). Software testing fundamentals: methods and metrics. JohnWiley & Sons.
Lazar, D., Chen, H.,Wang, X., and Zeldovich, N. (2014). Why Does Cryptographic Software Fail?: A Case Study and Open Problems. In 5th Asia-PacificWorkshop on Systems, APSys ’14, pages 7:1-7:7, New York, NY, USA. ACM.
Mart, V. G. and Hern, L. (2013). Implementing ECC with Java Standard Edition 7. International Journal of Computer Science and Artificial Intelligence, 3(4):134–142.
Murthy, M. R. (2015). Introduction to Data Mining and Soft Computing Techniques. Laxmi Publications.
Nadi, S., Krüger, S., Mezini, M., and Bodden, E. (2016). “Jumping Through Hoops”: Why do Java Developers StruggleWith Cryptography APIs? The 38th International Conference on Software Engineering.
OJC. Oracle Java Cryptography.
OpenSSL. OpenSSL Cryptography and SSL/TLS toolkit.
Oracle. Java Cryptography Architecture (JCA) Reference Guide.
OWASP. Cryptographic Storage Cheat Sheet.
Pandian, C. R. (2003). Software metrics: A guide to planning, analysis, and application. CRC Press.
RWC. RealWorld Crypto Symposium.
Safecode (2011). Fundamental Practices for Secure Software Development.
Shostack, A. (2014). Threat modeling: Designing for security. JohnWiley & Sons.
Shuai, S., Guowei, D., Tao, G., Tianchang, Y., and Chenjie, S. (2014). Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications. In IEEE 12th International Conference on Dependable, Autonomic and Secure Computing (DASC), pages 75–80.
Viega, J. and McGraw, G. (2001). Building Secure Software: How to Avoid Security Problems the Right Way. Wang,W. and Godfrey, M.W. (2013). Detecting API Usage Obstacles : A Study of iOS and Android Developer Questions. pages 61–64.
Wang, W., Malik, H., and Godfrey, M. W. (2015). Recommending posts concerning api issues in developer q&a sites. In Proceedings of the 12th Working Conference on Mining Software Repositories, pages 224–234. IEEE Press.
Acar, Y., Fahl, S., and Mazurek, M. L. (2016b). You Are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users.
Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J. A., Heninger, N., Springall, D., Thomé, E., Valenta, L., and Others (2015). Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 5–17. ACM.
Alashwali, E. S. (2013). Cryptographic vulnerabilities in real-life web servers. In Third International Conference on Communications and Information Technology (ICCIT), pages 6–11. Ieee.
BC. The Legion of the Bouncy Castle.
Bos, J. W., Halderman, J. A., Heninger, N., Moore, J., Naehrig, M., and Wustrow, E. (2014). Elliptic curve cryptography in practice. In Financial Cryptography and Data Security, pages 157–175. Springer.
Bourque, P. and Fairley, R., editors (2014). Guide to the Software Engineering Body of Knowledge (SWEBOK). IEEE Computer Society, version 3. edition.
Braga, A. and Dahab, R. (2015). Introdução à Criptografia para Programadores: Evitando Maus Usos da Criptografia em Sistemas de Software. In Caderno de minicursos do XV Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais — SBSeg 2015, pages 1–50.
Braga, A. and Dahab, R. (2016). Mining Cryptography Misuse in Online Forums. In 2nd International Workshop on Human and Social Aspect of Software Quality.
Chatzikonstantinou, A., Ntantogian, C., Xenakis, C., and Karopoulos, G. (2015). Evaluation of Cryptography Usage in Android Applications. 9th EAI International Conference on Bio-inspired Information and Communications Technologies.
Chess, B. andWest, J. (2007). Secure programming with static analysis.
CYBSI (2014). Avoiding The Top 10 Software Security Design Flaws.
Egele, M., Brumley, D., Fratantonio, Y., and Kruegel, C. (2013). An empirical study of cryptographic misuse in android applications. ACM SIGSAC conference on Computer & comm. security (CCS’13), pages 73–84.
Fahl, S., Harbach, M., and Muders, T. (2012). Why Eve and Mallory love Android: An analysis of Android SSL (in) security. In ACM conference on Computer and communications security, pages 50–61.
Friedman, J., Hastie, T., and Tibshirani, R. (2009). The elements of statistical learning, volume 2. Springer-Verlag. GAD. Google Android Developers.
Georgiev, M., Iyengar, S., and Jana, S. (2012). The most dangerous code in the world: validating SSL certificates in non-browser software. In Proceedings of the 2012 ACM conference on Computer and communications security - CCS ’12, pages 38–49.
Howard, M. and LeBlanc, D. (2003). Writing secure code.
Howard, M., LeBlanc, D., and Viega, J. (2009). 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill Education.
Howard, M. and Lipner, S. (2006). The Security Development Lifecycle. Microsoft Press, Redmond,WA, USA.
Hutcheson, M. L. (2003). Software testing fundamentals: methods and metrics. JohnWiley & Sons.
Lazar, D., Chen, H.,Wang, X., and Zeldovich, N. (2014). Why Does Cryptographic Software Fail?: A Case Study and Open Problems. In 5th Asia-PacificWorkshop on Systems, APSys ’14, pages 7:1-7:7, New York, NY, USA. ACM.
Mart, V. G. and Hern, L. (2013). Implementing ECC with Java Standard Edition 7. International Journal of Computer Science and Artificial Intelligence, 3(4):134–142.
Murthy, M. R. (2015). Introduction to Data Mining and Soft Computing Techniques. Laxmi Publications.
Nadi, S., Krüger, S., Mezini, M., and Bodden, E. (2016). “Jumping Through Hoops”: Why do Java Developers StruggleWith Cryptography APIs? The 38th International Conference on Software Engineering.
OJC. Oracle Java Cryptography.
OpenSSL. OpenSSL Cryptography and SSL/TLS toolkit.
Oracle. Java Cryptography Architecture (JCA) Reference Guide.
OWASP. Cryptographic Storage Cheat Sheet.
Pandian, C. R. (2003). Software metrics: A guide to planning, analysis, and application. CRC Press.
RWC. RealWorld Crypto Symposium.
Safecode (2011). Fundamental Practices for Secure Software Development.
Shostack, A. (2014). Threat modeling: Designing for security. JohnWiley & Sons.
Shuai, S., Guowei, D., Tao, G., Tianchang, Y., and Chenjie, S. (2014). Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications. In IEEE 12th International Conference on Dependable, Autonomic and Secure Computing (DASC), pages 75–80.
Viega, J. and McGraw, G. (2001). Building Secure Software: How to Avoid Security Problems the Right Way. Wang,W. and Godfrey, M.W. (2013). Detecting API Usage Obstacles : A Study of iOS and Android Developer Questions. pages 61–64.
Wang, W., Malik, H., and Godfrey, M. W. (2015). Recommending posts concerning api issues in developer q&a sites. In Proceedings of the 12th Working Conference on Mining Software Repositories, pages 224–234. IEEE Press.
Published
2017-11-06
How to Cite
BRAGA, Alexandre; DAHAB, Ricardo.
A Longitudinal and Retrospective Study on How Developers Misuse Cryptography in Online Communities. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 17. , 2017, Brasília.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2017
.
p. 28-41.
DOI: https://doi.org/10.5753/sbseg.2017.19488.
