Password Storage

The experts below are selected from a list of 1797 experts worldwide, ranked by the ideXlab platform.

Matthew Smith - One of the best experts on this subject based on the ideXlab platform.

  • On Conducting Security Developer Studies with CS Students: Examining a Password-Storage Study with CS Students, Freelancers, and Company Developers
    Human Factors in Computing Systems, 2020
    Co-Authors: Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Matthew Smith
    Abstract:

    Ecological validity is a major concern in usable security studies with developers. Many studies are conducted with computer science (CS) students out of convenience, since recruiting professional software developers in sufficient numbers is very challenging. In a password-storage study, Naiakshina et al. (CHI'19) showed that CS students behave similarly to freelance developers recruited online. While this is a promising result for conducting developer studies with students, an open question remains: Do professional developers employed in companies behave similarly as well? To provide more insight into the ecological validity of recruiting students for security developer studies, we replicated the study of Naiakshina et al. with developers from diverse companies in Germany. We found that developers employed in companies performed better than students and freelancers in a direct comparison. However, treatment effects were found to be significant in all groups; the treatment effects on CS students also held for company developers.

  • "If You Want, I Can Store the Encrypted Password": A Password-Storage Field Study with Freelance Developers
    Human Factors in Computing Systems, 2019
    Co-Authors: Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Emanuel Von Zezschwitz, Matthew Smith
    Abstract:

    In 2017 and 2018, Naiakshina et al. (CCS'17, SOUPS'18) studied in a lab setting whether computer science students need to be told to write code that stores passwords securely. The authors' results showed that, without explicit prompting, none of the students implemented secure password storage. When asked about this oversight, a common answer was that they would have implemented secure storage if they were creating code for a company. To shed light on this possible confusion, we conducted a mixed-methods field study with developers. We hired freelance developers online and gave them a similar password-storage task followed by a questionnaire to gain additional insights into their work. From our research, we offer two contributions. First of all, we reveal that, similar to the students, freelancers do not store passwords securely unless prompted, they have misconceptions about secure password storage, and they use outdated methods. Secondly, we discuss the methodological implications of using freelancers and students in developer studies.

  • Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study
    arXiv: Cryptography and Security, 2017
    Co-Authors: Alena Naiakshina, Anastasia Danilova, Christian Tiefenau, Marco Herzog, Sergej Dechand, Matthew Smith
    Abstract:

    Passwords are still a mainstay of various security systems, as well as the cause of many usability issues. For end-users, many of these issues have been studied extensively, highlighting problems and informing design decisions for better policies and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error with catastrophic results. While an end-user who selects a bad password can have dire consequences, the consequences of a developer who forgets to hash and salt a password database can lead to far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems.

Alena Naiakshina - One of the best experts on this subject based on the ideXlab platform.

  • On Conducting Security Developer Studies with CS Students: Examining a Password-Storage Study with CS Students, Freelancers, and Company Developers
    Human Factors in Computing Systems, 2020
    Co-Authors: Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Matthew Smith

  • "If You Want, I Can Store the Encrypted Password": A Password-Storage Field Study with Freelance Developers
    Human Factors in Computing Systems, 2019
    Co-Authors: Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Emanuel Von Zezschwitz, Matthew Smith

  • Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study
    arXiv: Cryptography and Security, 2017
    Co-Authors: Alena Naiakshina, Anastasia Danilova, Christian Tiefenau, Marco Herzog, Sergej Dechand, Matthew Smith

Anastasia Danilova - One of the best experts on this subject based on the ideXlab platform.

  • On Conducting Security Developer Studies with CS Students: Examining a Password-Storage Study with CS Students, Freelancers, and Company Developers
    Human Factors in Computing Systems, 2020
    Co-Authors: Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Matthew Smith

  • "If You Want, I Can Store the Encrypted Password": A Password-Storage Field Study with Freelance Developers
    Human Factors in Computing Systems, 2019
    Co-Authors: Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Emanuel Von Zezschwitz, Matthew Smith

  • Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study
    arXiv: Cryptography and Security, 2017
    Co-Authors: Alena Naiakshina, Anastasia Danilova, Christian Tiefenau, Marco Herzog, Sergej Dechand, Matthew Smith

Arachchilage Nag - One of the best experts on this subject based on the ideXlab platform.

  • ACM International Conference Proceeding Series
    'Association for Computing Machinery (ACM)', 2018
    Co-Authors: Wijayarathna C, Arachchilage Nag
    Abstract:

    Lack of usability of security Application Programming Interfaces (APIs) is one of the main reasons for mistakes that programmers make that result in security vulnerabilities in the software applications they develop. In particular, APIs that provide cryptographic functionality such as password hashing are sometimes too complex for programmers to learn and use. To improve the usability of these APIs and make them easy to learn and use, it is important to identify the usability issues that exist in those APIs and make them harder to learn and use. In this work, we evaluated the usability of the SCrypt password-hashing functionality of the Bouncycastle API to identify usability issues in it that lead programmers to make mistakes while developing applications, mistakes that would result in security vulnerabilities. We conducted a study with 10 programmers, each of whom spent around 2 hours on the study and attempted to develop a secure password-storage solution using the Bouncycastle API. From the data we collected, we identified 63 usability issues that exist in the SCrypt implementation of the Bouncycastle API. The results of our study provide useful insights into how security/cryptographic APIs should be designed, developed and improved to provide a better experience for the programmers who use them. Furthermore, we expect that this work will provide guidance on how to conduct usability evaluations of security APIs to identify the usability issues that exist in them.

Eva Gerlitz - One of the best experts on this subject based on the ideXlab platform.

  • On Conducting Security Developer Studies with CS Students: Examining a Password-Storage Study with CS Students, Freelancers, and Company Developers
    Human Factors in Computing Systems, 2020
    Co-Authors: Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Matthew Smith

  • "If You Want, I Can Store the Encrypted Password": A Password-Storage Field Study with Freelance Developers
    Human Factors in Computing Systems, 2019
    Co-Authors: Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Emanuel Von Zezschwitz, Matthew Smith