Research article. DOI: 10.1145/3313831.3376142

Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs

Published: 23 April 2020

Abstract

The positive effect of security information communicated to developers through API warnings has been established. However, current prototypical designs are based on security warnings for end-users. To improve security feedback for developers, we conducted a participatory design study with 25 professional software developers in focus groups. We identify which security information is considered helpful in avoiding insecure cryptographic API use during development. Concerning console messages, participants suggested five core elements, namely message classification, title message, code location, link to detailed external resources, and color. Design guidelines for end-user warnings are only partially suitable in this context. Participants emphasized the importance of tailoring the detail and content of security information to the context. Console warnings call for concise communication; further information needs to be linked externally. Therefore, security feedback should transcend tools and should be adjustable by software developers across development tools, considering the work context and developer needs.
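One way to put the five console-message elements the participants named into practice, as an example added to this page rather than code from the study: a small AST-based checker that scans Python source for cryptographic API misuse and prints each finding as classification, short title, file:line:col location, external link, and colour. The rule table, the sample source file and the documentation URLs are constructed for illustration; the paper specifies the elements of the message, not these particular rules.

```python
"""Console security warning in the five-element layout proposed by the
focus-group participants: classification, title, code location, link to an
external resource, and colour.  Example added to this page, not code from the
study; the misuse rules, sample file and URLs are constructed for illustration."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed rule table: dotted name of a misused API -> (classification,
# one-line title, link to the detailed explanation).  URLs are placeholders.
RULES: dict[str, tuple[str, str, str]] = {
    "AES.MODE_ECB": (
        "error",
        "ECB mode leaks plaintext structure; use an AEAD mode such as GCM",
        "https://example.invalid/crypto-warnings/ecb",
    ),
    "hashlib.md5": (
        "warning",
        "MD5 is not collision resistant; use SHA-256 or stronger",
        "https://example.invalid/crypto-warnings/md5",
    ),
    "random.random": (
        "warning",
        "random.random() is not a CSPRNG; derive keys and tokens from secrets",
        "https://example.invalid/crypto-warnings/prng",
    ),
}

# Console output must stay concise: the title carries the one-line gist and
# anything longer is reached through the link (the paper's own recommendation).
MAX_TITLE_LEN = 80

COLORS = {"error": "\033[31m", "warning": "\033[33m"}
RESET = "\033[0m"


@dataclass(frozen=True)
class SecurityWarning:
    classification: str  # element 1: message classification
    title: str           # element 2: short title message
    path: str            # element 3: code location (file:line:col)
    line: int
    col: int
    link: str            # element 4: link to detailed external resource

    def __post_init__(self) -> None:
        if self.classification not in COLORS or len(self.title) > MAX_TITLE_LEN:
            raise ValueError("warning needs a known classification and a concise title")

    def render(self, color: bool = True) -> str:
        """Element 5: colour, applied only to the classification token so the
        'path:line:col' prefix stays parseable by editors and CI log scrapers."""
        tag = self.classification
        if color:
            tag = f"{COLORS[tag]}{tag}{RESET}"
        return f"{self.path}:{self.line}:{self.col}: {tag}: {self.title}\n  see: {self.link}"


def _dotted_name(node: ast.AST) -> str | None:
    """Return 'a.b.c' for a chain of Name/Attribute nodes, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return None if base is None else f"{base}.{node.attr}"
    return None


def find_warnings(source: str, path: str) -> list[SecurityWarning]:
    """Walk the AST of `source` and emit one warning per matched misuse,
    sorted by position so the console output follows the file."""
    found: list[SecurityWarning] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Attribute):
            continue
        name = _dotted_name(node)
        if name in RULES:
            classification, title, link = RULES[name]
            found.append(SecurityWarning(classification, title, path,
                                         node.lineno, node.col_offset, link))
    return sorted(found, key=lambda w: (w.line, w.col))


# Constructed sample input with two misuses, on lines 5 and 6.
SAMPLE_SOURCE = """import hashlib
from Crypto.Cipher import AES

def encrypt(key, data):
    cipher = AES.new(key, AES.MODE_ECB)
    digest = hashlib.md5(data).hexdigest()
    return cipher.encrypt(data), digest
"""

if __name__ == "__main__":
    for warning in find_warnings(SAMPLE_SOURCE, "app.py"):
        print(warning.render())
```

The `path:line:col: level: title` prefix is the shape most editors and CI systems already parse for compiler diagnostics, which is what lets the same message travel across tools; passing `color=False` drops the ANSI escapes for log files.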




Published In

CHI '20: Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, April 2020, 10688 pages. ISBN 9781450367080. DOI: 10.1145/3313831
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. cryptographic apis
  2. developer console
  3. focus groups
  4. participatory design
  5. security warning design
  6. software development


Funding Sources

  • German Federal Ministry of Education and Research

Conference

CHI '20. Overall acceptance rate: 6,199 of 26,314 submissions, 24%.

Article Metrics

  • Downloads (Last 12 months)147
  • Downloads (Last 6 weeks)17
Reflects downloads up to 04 Oct 2024

Cited By
  • (2024) What the Fix? A Study of ASATs Rule Documentation. Proceedings of the 32nd IEEE/ACM International Conference on Program Comprehension, 246-257. DOI: 10.1145/3643916.3644404. Online: 15 Apr 2024.
  • (2024) Understanding Users' Interaction with Login Notifications. Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, 1-17. DOI: 10.1145/3613904.3642823. Online: 11 May 2024.
  • (2024) A First Look into Targeted Clickbait and its Countermeasures: The Power of Storytelling. Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, 1-23. DOI: 10.1145/3613904.3642301. Online: 11 May 2024.
  • (2024) "False negative - that one is going to kill you": Understanding Industry Perspectives of Static Analysis based Security Testing. 2024 IEEE Symposium on Security and Privacy (SP), 3979-3997. DOI: 10.1109/SP54263.2024.00019. Online: 19 May 2024.
  • (2023) SoK. Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security, 341-359. DOI: 10.5555/3632186.3632205. Online: 7 Aug 2023.
  • (2023) Accomplishing More With Less: The Practice of Cybersecure Health Technology Design Among Danish Startups. Extended Abstracts of the 2023 CHI Conference on Human Factors in Computing Systems, 1-8. DOI: 10.1145/3544549.3585597. Online: 19 Apr 2023.
  • (2023) Overcoming Algorithm Aversion: A Comparison between Process and Outcome Control. Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, 1-27. DOI: 10.1145/3544548.3581253. Online: 19 Apr 2023.
  • (2023) A Usability Evaluation of AFL and libFuzzer with CS Students. Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems, 1-18. DOI: 10.1145/3544548.3581178. Online: 19 Apr 2023.
  • (2022) Dancing, not Wrestling: Moving from Compliance to Concordance for Secure Software Development. Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, 1-9. DOI: 10.1145/3551349.3561145. Online: 10 Oct 2022.
  • (2022) Lessons Learned and Suitability of Focus Groups in Security Information Workers Research. HCI for Cybersecurity, Privacy and Trust, 135-153. DOI: 10.1007/978-3-031-05563-8_10. Online: 26 Jun 2022.
