{"title":"在线社区中开发者滥用密码学的纵向和回顾性研究","authors":"A. Braga, R. Dahab","doi":"10.5753/sbseg.2017.19488","DOIUrl":null,"url":null,"abstract":"Software developers participating in online communities benefit from quick solutions to technology specific issues and, eventually, get better in troubleshooting technology malfunctioning. In this work, we investigate whether developers who are part of online communities for cryptography programming are getting better in using cryptography with time. This is a crucial issue nowadays, when \"real-world crypto\" is becoming a topic of serious investigation, not only academically but in security management as a whole: cryptographic programming handled by non-specialists is an important and often invisible source of vulnerabilities [RWC ]. We performed a retrospective and longitudinal study, tracking developers' answers about cryptography programming in two online communities. We found that cryptography misuse is not only common in online communities, but also recurrent in developer's discussions, suggesting that developers can learn how to use crypto APIs without actually learning cryptography. In fact, we could not identify significant improvements in cryptography learning in many daily tasks such as avoiding obsolete cryptography. We conclude that the most active users of online communities for cryptography APIs are not learning the tricky details of applied cryptography, a quite worrisome state of affairs.","PeriodicalId":322419,"journal":{"name":"Anais do XVII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2017)","volume":"91 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-11-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"A Longitudinal and Retrospective Study on How Developers Misuse Cryptography in Online Communities\",\"authors\":\"A. Braga, R. Dahab\",\"doi\":\"10.5753/sbseg.2017.19488\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Software developers participating in online communities benefit from quick solutions to technology specific issues and, eventually, get better in troubleshooting technology malfunctioning. In this work, we investigate whether developers who are part of online communities for cryptography programming are getting better in using cryptography with time. This is a crucial issue nowadays, when \\\"real-world crypto\\\" is becoming a topic of serious investigation, not only academically but in security management as a whole: cryptographic programming handled by non-specialists is an important and often invisible source of vulnerabilities [RWC ]. We performed a retrospective and longitudinal study, tracking developers' answers about cryptography programming in two online communities. We found that cryptography misuse is not only common in online communities, but also recurrent in developer's discussions, suggesting that developers can learn how to use crypto APIs without actually learning cryptography. In fact, we could not identify significant improvements in cryptography learning in many daily tasks such as avoiding obsolete cryptography. We conclude that the most active users of online communities for cryptography APIs are not learning the tricky details of applied cryptography, a quite worrisome state of affairs.\",\"PeriodicalId\":322419,\"journal\":{\"name\":\"Anais do XVII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2017)\",\"volume\":\"91 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-11-06\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Anais do XVII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2017)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.5753/sbseg.2017.19488\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Anais do XVII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2017)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.5753/sbseg.2017.19488","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
A Longitudinal and Retrospective Study on How Developers Misuse Cryptography in Online Communities
Software developers participating in online communities benefit from quick solutions to technology specific issues and, eventually, get better in troubleshooting technology malfunctioning. In this work, we investigate whether developers who are part of online communities for cryptography programming are getting better in using cryptography with time. This is a crucial issue nowadays, when "real-world crypto" is becoming a topic of serious investigation, not only academically but in security management as a whole: cryptographic programming handled by non-specialists is an important and often invisible source of vulnerabilities [RWC ]. We performed a retrospective and longitudinal study, tracking developers' answers about cryptography programming in two online communities. We found that cryptography misuse is not only common in online communities, but also recurrent in developer's discussions, suggesting that developers can learn how to use crypto APIs without actually learning cryptography. In fact, we could not identify significant improvements in cryptography learning in many daily tasks such as avoiding obsolete cryptography. We conclude that the most active users of online communities for cryptography APIs are not learning the tricky details of applied cryptography, a quite worrisome state of affairs.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
