Developer Crowdsourcing: Capturing, Understanding, and Addressing Security-related Blind Spots in APIs

Principal Investigator: Daniela Oliveira

Sponsor: NSF

Start Date: September 1, 2015

End Date: August 31, 2020

Amount: $454,969


Despite the emphasis the security community places on the importance of producing secure software, the number of new security vulnerabilities in software increases every year. This research is based on the assumption that software vulnerabilities are caused by misunderstandings or lack of knowledge, called blind spots, which developers experience while they are building systems. When building systems, developers often focus more on functional requirements than on non-functional ones, such as security. Thus, they can make design decisions that prioritize functionality without noticing the security vulnerabilities these decisions create. Today, developers often have no access to effective software tools that highlight these vulnerabilities during development. This research identifies common developer blind spots with the goal of building and evaluating practical software tools that help prevent blind spots during development and detect vulnerabilities in deployed software.

To capture developers’ reasoning when faced with blind spots, and to identify common blind spot characteristics, this research converts several identified blind spots into programming puzzles, and conducts a user study with developers solving these puzzles. Statistical analysis of the developers’ answers identifies common characteristics among blind spots, and the observations of developers’ behaviors guide the creation of tools to automatically detect blind spots and to warn developers about them as developers experience them. The tools have two complementary goals: (1) prevent blind spots from occurring by cueing developers on-the-spot about potential blind spots as they write code, and (2) identify software vulnerabilities in existing applications by detecting code that may have been written as a result of a blind spot. This research evaluates these newly developed tools in the context of a user study with developers, producing the following outcomes: (1) understanding of blind spots in application programming interfaces (APIs), and of developers’ attentional and decision processes when writing code using APIs, (2) understanding of how to notify, without habituation and annoyance, developers on-the-spot about blind spots so that relevant security information is used by developers while writing code, (3) creation of open-source, publicly available developer tools that notify developers about blind spots and facilitate detection of vulnerabilities caused by blind spots, and (4) development of guidelines for better API design to minimize blind spots by considering developers’ attentional and decision processes. This research addresses an important gap in secure software development by incorporating the human factor of the development process. This is particularly crucial given our society’s increasing dependence on software applications.
