"Jumping Through Hoops": Why do Java Developers Struggle with Cryptography APIs?

2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE) Pub Date : 2016-05-14 DOI:10.1145/2884781.2884790

Sarah Nadi, Stefan Krüger, M. Mezini, E. Bodden

{"title":"\"Jumping Through Hoops\": Why do Java Developers Struggle with Cryptography APIs?","authors":"Sarah Nadi, Stefan Krüger, M. Mezini, E. Bodden","doi":"10.1145/2884781.2884790","DOIUrl":null,"url":null,"abstract":"To protect sensitive data processed by current applications, developers, whether security experts or not, have to rely on cryptography. While cryptography algorithms have become increasingly advanced, many data breaches occur because developers do not correctly use the corresponding APIs. To guide future research into practical solutions to this problem, we perform an empirical investigation into the obstacles developers face while using the Java cryptography APIs, the tasks they use the APIs for, and the kind of (tool) support they desire. We triangulate data from four separate studies that include the analysis of 100 StackOverflow posts, 100 GitHub repositories, and survey input from 48 developers. We find that while developers find it difficult to use certain cryptographic algorithms correctly, they feel surprisingly confident in selecting the right cryptography concepts (e.g., encryption vs. signatures). We also find that the APIs are generally perceived to be too low-level and that developers prefer more task-based solutions.","PeriodicalId":6485,"journal":{"name":"2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE)","volume":"1 1","pages":"935-946"},"PeriodicalIF":0.0000,"publicationDate":"2016-05-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"214","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2884781.2884790","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 214

Abstract

To protect sensitive data processed by current applications, developers, whether security experts or not, have to rely on cryptography. While cryptography algorithms have become increasingly advanced, many data breaches occur because developers do not correctly use the corresponding APIs. To guide future research into practical solutions to this problem, we perform an empirical investigation into the obstacles developers face while using the Java cryptography APIs, the tasks they use the APIs for, and the kind of (tool) support they desire. We triangulate data from four separate studies that include the analysis of 100 StackOverflow posts, 100 GitHub repositories, and survey input from 48 developers. We find that while developers find it difficult to use certain cryptographic algorithms correctly, they feel surprisingly confident in selecting the right cryptography concepts (e.g., encryption vs. signatures). We also find that the APIs are generally perceived to be too low-level and that developers prefer more task-based solutions.

查看原文本刊更多论文

“跳过重重障碍”:为什么Java开发人员在加密api上苦苦挣扎?

为了保护当前应用程序处理的敏感数据，开发人员，无论是否安全专家，都必须依赖加密技术。虽然加密算法变得越来越先进，但由于开发人员没有正确使用相应的api，导致了许多数据泄露。为了指导对该问题的实际解决方案的未来研究，我们对开发人员在使用Java加密api时面临的障碍、他们使用api的任务以及他们希望的(工具)支持类型进行了实证调查。我们对四项独立研究的数据进行了三角测量，其中包括对100个StackOverflow帖子、100个GitHub存储库的分析，以及对48个开发人员的调查。我们发现，虽然开发人员发现很难正确使用某些加密算法，但他们在选择正确的加密概念(例如，加密与签名)方面却感到非常自信。我们还发现，api通常被认为过于低级，开发人员更喜欢基于任务的解决方案。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE)

自引率

0.00%

发文量