SlideShare uma empresa Scribd logo

Why Java Developers Struggle With Cryptography APIs?

S
sarah_nadi

This is an empirical investigation into the reasons why many developers misuse the Java cryptography APIs. Such API misuses can lead to non-intentional security vulnerabilities. We triangulate data from three different sources of information: StackOverflow, GitHub, and developer surveys.

Tecnologia
1 de 61
Baixar para ler offline
“Jumping Through Hoops” Why do Java Developers Struggle With Cryptography APIs? Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden sarahnadi.org@sarahnadi ICSE ’16 — May 20th, 2016
Sarah Nadi An Application Developer’s World 2 Application
Sarah Nadi User accounts Payment info. An Application Developer’s World 2 Application Sensitive user documents
Sarah Nadi User accounts Payment info. How to encrypt data? Encryption vs Hashing? Encryption mode? Salted hashing? How to securely connect to a server? An Application Developer’s World 2 Application Sensitive user documents
Sarah Nadi Application Developers in The Wild 3 83% of 269 Vulnerabilities are due to misuse of crypto libraries [Lazar et al., APSys ’14] Even Amazon & Paypal misuse SSL certificate validation [Georgiev et al., CCS ‘12] 88% of ~12,000 Android apps misuse crypto APIs [Egele et al., CCS ‘13]
Sarah Nadi 4 So what exactly is a misuse?
Sarah Nadi Example of an API Misuse 5 Sarah Nadi Example of an API Misuse 5 SecretKey secretKey = … Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg);
Sarah Nadi Sarah Nadi Example of an API Misuse 5 SecretKey secretKey = … Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg); Example of an API Misuse 6 “Algorithm/Mode/Padding”
Sarah Nadi Sarah Nadi Example of an API Misuse 5 SecretKey secretKey = … Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg); Example of an API Misuse 6 “Algorithm/Mode/Padding” In some API implementations, default mode for AES is Electronic Codebook (ECB) — which is insecure
Sarah Nadi Sarah Nadi Example of an API Misuse 5 SecretKey secretKey = … Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg); [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation] Example of an API Misuse 6 “Algorithm/Mode/Padding” In some API implementations, default mode for AES is Electronic Codebook (ECB) — which is insecure
Sarah Nadi 7 Why do Developers Struggle With Cryptography APIs?
Sarah Nadi 7 Why do Developers Struggle With Cryptography APIs? What obstacles do developers face?
Sarah Nadi 7 Why do Developers Struggle With Cryptography APIs? What are the common cryptography tasks developers perform? What obstacles do developers face?
Sarah Nadi 7 Why do Developers Struggle With Cryptography APIs? What are the common cryptography tasks developers perform? What tools/methods would help developers use cryptography more effectively? What obstacles do developers face?
Sarah Nadi Empirical Investigation Study 1 Study 2 Study 4Study 3 8
Sarah Nadi Study 1 (S1) Design 9 … <java> <cryptography> (Sorted by view count & score) Goal: Find obstacles
Sarah Nadi Study 1 (S1) Design 9 … <java> <cryptography> top 100 (Sorted by view count & score) Goal: Find obstacles
Sarah Nadi Study 1 (S1) Design 9 … <java> <cryptography> top 100 Question topic? Likely obstacle? (Sorted by view count & score) Goal: Find obstacles
Sarah Nadi Study 2 (S2) Design 10 javax.crypto Goal: Find tasks
Sarah Nadi Study 2 (S2) Design 10 random 100 repos javax.crypto Goal: Find tasks
Sarah Nadi Study 2 (S2) Design 10 random 100 repos What crypto task is performed? javax.crypto Goal: Find tasks
Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Goal: Find obstacles, tasks, & suggestions
Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Goal: Find obstacles, tasks, & suggestions
Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Goal: Find obstacles, tasks, & suggestions
Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Cryptography Tasks Used/Needed Goal: Find obstacles, tasks, & suggestions
Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Cryptography Tasks Used/Needed Frequently-used Crypto APIs/libraries & ease of use Goal: Find obstacles, tasks, & suggestions
Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Cryptography Tasks Used/Needed Frequently-used Crypto APIs/libraries & ease of use Obstacles (free-text + rated) Goal: Find obstacles, tasks, & suggestions
Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Cryptography Tasks Used/Needed Frequently-used Crypto APIs/libraries & ease of use Obstacles (free-text + rated) Goal: Find obstacles, tasks, & suggestions
Sarah Nadi Survey Process & Participant Recruitment 12 Study 4 Study 3
Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Study 4 Study 3
Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Study 4 11 participants Study 3
Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Study 4 11 participants Study 3 Refine
Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Snowball sampling Emailed related committers + Study 4 11 participants Study 3 Refine
Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Snowball sampling Emailed related committers 37 participants+ Study 4 11 participants Study 3 Refine
Sarah Nadi Findings 13 TASKS OBSTACLES DESIRED SUPPORT
Sarah Nadi What Obstacles do Developers Face? 14
Sarah Nadi What Obstacles do Developers Face? 15 Obstacle % Posts API use 57% Domain knowledge 15% Provider & Setup 15% Library Identification 7% Domain knowledge + API use 6%
Sarah Nadi What Obstacles do Developers Face? 15 S3 participants mention: poor documentation, bad API design,and missing cryptography knowledge Obstacle % Posts API use 57% Domain knowledge 15% Provider & Setup 15% Library Identification 7% Domain knowledge + API use 6%
Sarah Nadi What Obstacles do Developers Face? 15 S3 participants mention: poor documentation, bad API design,and missing cryptography knowledge 65% of S4 Participants find the APIs hard to use Obstacle % Posts API use 57% Domain knowledge 15% Provider & Setup 15% Library Identification 7% Domain knowledge + API use 6%
Sarah Nadi Obstacle Category 1: Domain Knowledge 16 11% 24% 38% 27% Frequently Occasionally Rarely Never Don't know Identify correct cryptography algorithm 14% 41% 43% 3% Frequently Occasionally Rarely Never Don't know Identify relevant cryptography concepts
Sarah Nadi Obstacle Category 1: Domain Knowledge 17 11% 24% 38% 27% Frequently Occasionally Rarely Never Don't know Identify correct cryptography algorithm 14% 41% 43% 3% Frequently Occasionally Rarely Never Don't know Identify relevant cryptography concepts Developers may not always know the correct cryptography algorithm to use
Sarah Nadi Obstacle Category 2: Setting Up 18 27% 32% 27% 11% 3% Frequently Occasionally Rarely Never Don't know Identify relevant Java API 22% 41% 30% 5% 3% Frequently Occasionally Rarely Never Don't know Select provider 22% 27% 32% 16% 3% Frequently Occasionally Rarely Never Don't know Setup environment
Sarah Nadi Obstacle Category 2: Setting Up 19 27% 32% 27% 11% 3% Frequently Occasionally Rarely Never Don't know Identify relevant Java API 22% 41% 30% 5% 3% Frequently Occasionally Rarely Never Don't know Select provider 22% 27% 32% 16% 3% Frequently Occasionally Rarely Never Don't know Setup environment Finding the right API/library to use & setting it up is often an obstacle in itself
Sarah Nadi 19% 54% 22% 5% Frequently Occasionally Rarely Never Don't know 32% 43% 19% 5% Frequently Occasionally Rarely Never Don't know 35% 46% 11% 8% Frequently Occasionally Rarely Never Don't know Obstacle Category 3: API Use 20 Identify sequence of method calls Identify parameters Understand API error messages
Sarah Nadi 19% 54% 22% 5% Frequently Occasionally Rarely Never Don't know 32% 43% 19% 5% Frequently Occasionally Rarely Never Don't know 35% 46% 11% 8% Frequently Occasionally Rarely Never Don't know Obstacle Category 3: API Use 21 Identify sequence of method calls Identify parameters Understand API error messages The most frequently faced obstacle is identifying the sequence of API method calls
Sarah Nadi Common Cryptography Tasks 22
Sarah Nadi Common Cryptography Tasks 23 10% of analyzed GitHub repos Top task by 64% of S3 participants Avg. Rank of 3.95 by 28 S4 participants 6% of analyzed GitHub repos Top task by 34% of S3 participants Avg. Rank 2.22, 35 S4 participants 64% of analyzed GitHub repos 37% of analyzed StackOverflow posts Avg. rank 5.03, 25 S4 participants User Authentication Secure Communication Symmetric Encryption
Sarah Nadi What do Developers Want? 24
Sarah Nadi What do Developers Want? 25 Better Documentation “Better documentation with examples and deeper layers of documentations with theoretical knowledge” (S4-P23) “better examples” (S4-P2) “More/better example code, access to API source code and high quality JavaDoc with cross references” (S4-P12) “A real documentation would be very helpful. Some kind of best practice methodology for a crypto API usage could also help” (S4-P18)
Sarah Nadi What do Developers Want? 26 Higher Abstraction Level “Make [the] API simpler, e.g., have a class with the name AES or RSA[;] getInstance(‘whatever’) is bad API design” (S4-P36) “[I want something that] just takes input […]. Short and sweet” (S3-P3) “Higher level task oriented APIs for things like public key crypto, key exchanges, ..” (S4-P27) “High level APIs [that] can't be used incorrectly..” (S4-P8) “A library providing simple API calls (one or two methods and simple parameters) for different use cases.” (S4-P7) “Standardized task-based API” (S4-P1) “…Providing higher-level APIs, .. would go along way to making sure developers don't do something dumb.” (S4-P27)
Sarah Nadi What do Developers Want? 27 “Test tooling that understands encryption and verifies if encryption is used where it should be. Source scanners that identify configuration mistakes, weak algorithms etc.” (S4-P17) Tool Assistance “Some kind of testing tool…” (S4-P13) “Special CryptoDebugger” (S4-P11) “Templates for common used patterns” (S4-P7) “IDE Plugin generating code pattern for specific use cases” (S4-P6)
Sarah Nadi 28 Better Documentation Higher Abstraction Level Tool Assistance
Sarah Nadi 29 Better Documentation Higher Abstraction Level Tool Assistance How Can We Move Forward?
Sarah Nadi The Ideal Tool Assistance 30 COMMON TASKS TO SUPPORT STEPS TO SUPPORT
Sarah Nadi The Ideal Tool Assistance 30 COMMON TASKS TO SUPPORT STEPS TO SUPPORT
Sarah Nadi The Ideal Tool Assistance 30 COMMON TASKS TO SUPPORT STEPS TO SUPPORT
Sarah Nadi The Ideal Tool Assistance 30 BlockCipher AES keySize (128, 192, 256) mode (ECB, CBC, …) padding (PKCS5Padding, NoPadding) DES COMMON TASKS TO SUPPORT STEPS TO SUPPORT
Sarah Nadi The Ideal Tool Assistance 30 BlockCipher AES keySize (128, 192, 256) mode (ECB, CBC, …) padding (PKCS5Padding, NoPadding) DES COMMON TASKS TO SUPPORT STEPS TO SUPPORT KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(256); SecretKey secretKey = keyGen.generateKey(); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7PADDING"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg);
Sarah Nadi The Ideal Tool Assistance 30 BlockCipher AES keySize (128, 192, 256) mode (ECB, CBC, …) padding (PKCS5Padding, NoPadding) DES COMMON TASKS TO SUPPORT STEPS TO SUPPORT KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(256); SecretKey secretKey = keyGen.generateKey(); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7PADDING"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg);
Sarah Nadi “The ability to just perform some simple cryptographic tasks in Java without jumping through hoops would be brilliant…” (S4-P10) 31
“Jumping Through Hoops” Why do Java Developers Struggle With Cryptography APIs? Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden sarahnadi.org@sarahnadi

Recomendados

Password strength svm
Password strength svmPassword strength svm
Password strength svmSunil Rm
 
Machine learning meetup
Machine learning meetupMachine learning meetup
Machine learning meetupQuantUniversity
 
Capstone Project.pptx
Capstone Project.pptxCapstone Project.pptx
Capstone Project.pptxsurendrapushpupadhya
 
Rapidminer
RapidminerRapidminer
RapidminerGernot Schulmeister
 
Bank churn with Data Science
Bank churn with Data ScienceBank churn with Data Science
Bank churn with Data ScienceCarolyn Knight
 
CV Otilia Drugu
CV Otilia DruguCV Otilia Drugu
CV Otilia DruguOdelia Drugu
 
Cultura ciudadana 2 historieta
Cultura ciudadana 2 historietaCultura ciudadana 2 historieta
Cultura ciudadana 2 historietaCeci Garcia
 
SE Linux
SE LinuxSE Linux
SE Linuxprimeteacher32
 

Recomendados

Password strength svm
Password strength svmPassword strength svm
Password strength svmSunil Rm
 
Machine learning meetup
Machine learning meetupMachine learning meetup
Machine learning meetupQuantUniversity
 
Capstone Project.pptx
Capstone Project.pptxCapstone Project.pptx
Capstone Project.pptxsurendrapushpupadhya
 
Rapidminer
RapidminerRapidminer
RapidminerGernot Schulmeister
 
Bank churn with Data Science
Bank churn with Data ScienceBank churn with Data Science
Bank churn with Data ScienceCarolyn Knight
 
CV Otilia Drugu
CV Otilia DruguCV Otilia Drugu
CV Otilia DruguOdelia Drugu
 
Cultura ciudadana 2 historieta
Cultura ciudadana 2 historietaCultura ciudadana 2 historieta
Cultura ciudadana 2 historietaCeci Garcia
 
SE Linux
SE LinuxSE Linux
SE Linuxprimeteacher32
 
IC Photo Book 2015
IC Photo Book 2015IC Photo Book 2015
IC Photo Book 2015Cynthia Conat
 
топ10 (підсумковий проект)
топ10 (підсумковий проект)топ10 (підсумковий проект)
топ10 (підсумковий проект)Наталія Горя
 
Intro to Jeroo Python
Intro to Jeroo PythonIntro to Jeroo Python
Intro to Jeroo Pythonprimeteacher32
 
вставка фігур в презентацію
вставка фігур в презентаціювставка фігур в презентацію
вставка фігур в презентаціюНаталія Горя
 
Polar Express Power Point
Polar Express Power PointPolar Express Power Point
Polar Express Power PointCarol Tonhauser
 
Natural place
Natural placeNatural place
Natural placeBilly Choi
 
подорож з кімнатними рослинами
подорож з кімнатними рослинамиподорож з кімнатними рослинами
подорож з кімнатними рослинамиЮрій Сиротюк
 
designing conversations: Conversational interfaces, Bot Interactions, Chatb...
designing conversations: Conversational interfaces, Bot Interactions, Chatb...designing conversations: Conversational interfaces, Bot Interactions, Chatb...
designing conversations: Conversational interfaces, Bot Interactions, Chatb...Billy Choi
 
Virtual memory ppt
Virtual memory pptVirtual memory ppt
Virtual memory pptPunjab College Of Technical Education
 
BSIDI: Beyond SUV and Innovation with Disruptive Insight
BSIDI: Beyond SUV and Innovation with Disruptive Insight BSIDI: Beyond SUV and Innovation with Disruptive Insight
BSIDI: Beyond SUV and Innovation with Disruptive Insight Billy Choi
 
Raya code quality guidelines - enhancing readability
Raya code quality guidelines - enhancing readabilityRaya code quality guidelines - enhancing readability
Raya code quality guidelines - enhancing readabilityAbdel Hady Muhammad
 
To Mock or Not To Mock
To Mock or Not To MockTo Mock or Not To Mock
To Mock or Not To MockDelft University of Technology
 
Web 3.0 Summit.pdf
Web 3.0 Summit.pdfWeb 3.0 Summit.pdf
Web 3.0 Summit.pdfTejasMane18
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Software design patterns in laravel by phill sparks
Software design patterns in laravel by phill sparksSoftware design patterns in laravel by phill sparks
Software design patterns in laravel by phill sparksTheavuth NHEL
 
Kaiser Permanente CSUN 2018
Kaiser Permanente CSUN 2018Kaiser Permanente CSUN 2018
Kaiser Permanente CSUN 2018Mark Stimson
 
My life as a cyborg
My life as a cyborg My life as a cyborg
My life as a cyborg Alexander Serebrenik
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecurityTao Xie
 
ICSME2014
ICSME2014ICSME2014
ICSME2014swy351
 
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should Have
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should HaveAppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should Have
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should HaveRobert Grupe, CSSLP CISSP PE PMP
 
Software Design Patterns in Laravel by Phill Sparks
Software Design Patterns in Laravel by Phill SparksSoftware Design Patterns in Laravel by Phill Sparks
Software Design Patterns in Laravel by Phill SparksPhill Sparks
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRobert Grupe, CSSLP CISSP PE PMP
 

Mais conteúdo relacionado

Destaque

топ10 (підсумковий проект)
топ10 (підсумковий проект)топ10 (підсумковий проект)
топ10 (підсумковий проект)Наталія Горя
 
вставка фігур в презентацію
вставка фігур в презентаціювставка фігур в презентацію
вставка фігур в презентаціюНаталія Горя
 
Polar Express Power Point
Polar Express Power PointPolar Express Power Point
Polar Express Power PointCarol Tonhauser
 
подорож з кімнатними рослинами
подорож з кімнатними рослинамиподорож з кімнатними рослинами
подорож з кімнатними рослинамиЮрій Сиротюк
 
designing conversations: Conversational interfaces, Bot Interactions, Chatb...
designing conversations: Conversational interfaces, Bot Interactions, Chatb...designing conversations: Conversational interfaces, Bot Interactions, Chatb...
designing conversations: Conversational interfaces, Bot Interactions, Chatb...Billy Choi
 
BSIDI: Beyond SUV and Innovation with Disruptive Insight
BSIDI: Beyond SUV and Innovation with Disruptive Insight BSIDI: Beyond SUV and Innovation with Disruptive Insight
BSIDI: Beyond SUV and Innovation with Disruptive Insight Billy Choi
 

Destaque (10)

IC Photo Book 2015
IC Photo Book 2015IC Photo Book 2015
IC Photo Book 2015
 
топ10 (підсумковий проект)
топ10 (підсумковий проект)топ10 (підсумковий проект)
топ10 (підсумковий проект)
 
Intro to Jeroo Python
Intro to Jeroo PythonIntro to Jeroo Python
Intro to Jeroo Python
 
вставка фігур в презентацію
вставка фігур в презентаціювставка фігур в презентацію
вставка фігур в презентацію
 
Polar Express Power Point
Polar Express Power PointPolar Express Power Point
Polar Express Power Point
 
Natural place
Natural placeNatural place
Natural place
 
подорож з кімнатними рослинами
подорож з кімнатними рослинамиподорож з кімнатними рослинами
подорож з кімнатними рослинами
 
designing conversations: Conversational interfaces, Bot Interactions, Chatb...
designing conversations: Conversational interfaces, Bot Interactions, Chatb...designing conversations: Conversational interfaces, Bot Interactions, Chatb...
designing conversations: Conversational interfaces, Bot Interactions, Chatb...
 
Virtual memory ppt
Virtual memory pptVirtual memory ppt
Virtual memory ppt
 
BSIDI: Beyond SUV and Innovation with Disruptive Insight
BSIDI: Beyond SUV and Innovation with Disruptive Insight BSIDI: Beyond SUV and Innovation with Disruptive Insight
BSIDI: Beyond SUV and Innovation with Disruptive Insight
 

Semelhante a Why Java Developers Struggle With Cryptography APIs?

Raya code quality guidelines - enhancing readability
Raya code quality guidelines - enhancing readabilityRaya code quality guidelines - enhancing readability
Raya code quality guidelines - enhancing readabilityAbdel Hady Muhammad
 
Web 3.0 Summit.pdf
Web 3.0 Summit.pdfWeb 3.0 Summit.pdf
Web 3.0 Summit.pdfTejasMane18
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Software design patterns in laravel by phill sparks
Software design patterns in laravel by phill sparksSoftware design patterns in laravel by phill sparks
Software design patterns in laravel by phill sparksTheavuth NHEL
 
Kaiser Permanente CSUN 2018
Kaiser Permanente CSUN 2018Kaiser Permanente CSUN 2018
Kaiser Permanente CSUN 2018Mark Stimson
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecurityTao Xie
 
ICSME2014
ICSME2014ICSME2014
ICSME2014swy351
 
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should Have
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should HaveAppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should Have
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should HaveRobert Grupe, CSSLP CISSP PE PMP
 
Software Design Patterns in Laravel by Phill Sparks
Software Design Patterns in Laravel by Phill SparksSoftware Design Patterns in Laravel by Phill Sparks
Software Design Patterns in Laravel by Phill SparksPhill Sparks
 
sec19_slides_sivakumaran.pdf
sec19_slides_sivakumaran.pdfsec19_slides_sivakumaran.pdf
sec19_slides_sivakumaran.pdfJasonCravens
 
The Death of Flaky Tests by Dave Haeffner
The Death of Flaky Tests by Dave HaeffnerThe Death of Flaky Tests by Dave Haeffner
The Death of Flaky Tests by Dave HaeffnerSauce Labs
 
香港六合彩
香港六合彩香港六合彩
香港六合彩baoyin
 
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Chamila Wijayarathna
 
Understanding Log Lines using Development Knowledge
Understanding Log Lines using Development KnowledgeUnderstanding Log Lines using Development Knowledge
Understanding Log Lines using Development KnowledgeSAIL_QU
 
Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06Carl Brown
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Chetan Khatri
 
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...apidays
 

Semelhante a Why Java Developers Struggle With Cryptography APIs? (20)

Raya code quality guidelines - enhancing readability
Raya code quality guidelines - enhancing readabilityRaya code quality guidelines - enhancing readability
Raya code quality guidelines - enhancing readability
 
To Mock or Not To Mock
To Mock or Not To MockTo Mock or Not To Mock
To Mock or Not To Mock
 
Web 3.0 Summit.pdf
Web 3.0 Summit.pdfWeb 3.0 Summit.pdf
Web 3.0 Summit.pdf
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
Software design patterns in laravel by phill sparks
Software design patterns in laravel by phill sparksSoftware design patterns in laravel by phill sparks
Software design patterns in laravel by phill sparks
 
Kaiser Permanente CSUN 2018
Kaiser Permanente CSUN 2018Kaiser Permanente CSUN 2018
Kaiser Permanente CSUN 2018
 
My life as a cyborg
My life as a cyborg My life as a cyborg
My life as a cyborg
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
 
ICSME2014
ICSME2014ICSME2014
ICSME2014
 
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should Have
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should HaveAppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should Have
AppSec Threat Modeling with 5 Agile Design Diagrams Every Project Should Have
 
Software Design Patterns in Laravel by Phill Sparks
Software Design Patterns in Laravel by Phill SparksSoftware Design Patterns in Laravel by Phill Sparks
Software Design Patterns in Laravel by Phill Sparks
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat Modeling
 
sec19_slides_sivakumaran.pdf
sec19_slides_sivakumaran.pdfsec19_slides_sivakumaran.pdf
sec19_slides_sivakumaran.pdf
 
The Death of Flaky Tests by Dave Haeffner
The Death of Flaky Tests by Dave HaeffnerThe Death of Flaky Tests by Dave Haeffner
The Death of Flaky Tests by Dave Haeffner
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
 
Understanding Log Lines using Development Knowledge
Understanding Log Lines using Development KnowledgeUnderstanding Log Lines using Development Knowledge
Understanding Log Lines using Development Knowledge
 
Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06Better Swift from the Foundation up #tryswiftnyc17 09-06
Better Swift from the Foundation up #tryswiftnyc17 09-06
 
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
Demystify Information Security & Threats for Data-Driven Platforms With Cheta...
 
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
 

Último

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Último (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Why Java Developers Struggle With Cryptography APIs?

  • 1. “Jumping Through Hoops” Why do Java Developers Struggle With Cryptography APIs? Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden sarahnadi.org@sarahnadi ICSE ’16 — May 20th, 2016
  • 2. Sarah Nadi An Application Developer’s World 2 Application
  • 3. Sarah Nadi User accounts Payment info. An Application Developer’s World 2 Application Sensitive user documents
  • 4. Sarah Nadi User accounts Payment info. How to encrypt data? Encryption vs Hashing? Encryption mode? Salted hashing? How to securely connect to a server? An Application Developer’s World 2 Application Sensitive user documents
  • 5. Sarah Nadi Application Developers in The Wild 3 83% of 269 Vulnerabilities are due to misuse of crypto libraries [Lazar et al., APSys ’14] Even Amazon & Paypal misuse SSL certificate validation [Georgiev et al., CCS ‘12] 88% of ~12,000 Android apps misuse crypto APIs [Egele et al., CCS ‘13]
  • 6. Sarah Nadi 4 So what exactly is a misuse?
  • 7. Sarah Nadi Example of an API Misuse 5 Sarah Nadi Example of an API Misuse 5 SecretKey secretKey = … Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg);
  • 8. Sarah Nadi Sarah Nadi Example of an API Misuse 5 SecretKey secretKey = … Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg); Example of an API Misuse 6 “Algorithm/Mode/Padding”
  • 9. Sarah Nadi Sarah Nadi Example of an API Misuse 5 SecretKey secretKey = … Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg); Example of an API Misuse 6 “Algorithm/Mode/Padding” In some API implementations, default mode for AES is Electronic Codebook (ECB) — which is insecure
  • 10. Sarah Nadi Sarah Nadi Example of an API Misuse 5 SecretKey secretKey = … Cipher cipher = Cipher.getInstance("AES"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg); [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation] Example of an API Misuse 6 “Algorithm/Mode/Padding” In some API implementations, default mode for AES is Electronic Codebook (ECB) — which is insecure
  • 11. Sarah Nadi 7 Why do Developers Struggle With Cryptography APIs?
  • 12. Sarah Nadi 7 Why do Developers Struggle With Cryptography APIs? What obstacles do developers face?
  • 13. Sarah Nadi 7 Why do Developers Struggle With Cryptography APIs? What are the common cryptography tasks developers perform? What obstacles do developers face?
  • 14. Sarah Nadi 7 Why do Developers Struggle With Cryptography APIs? What are the common cryptography tasks developers perform? What tools/methods would help developers use cryptography more effectively? What obstacles do developers face?
  • 15. Sarah Nadi Empirical Investigation Study 1 Study 2 Study 4Study 3 8
  • 16. Sarah Nadi Study 1 (S1) Design 9 … <java> <cryptography> (Sorted by view count & score) Goal: Find obstacles
  • 17. Sarah Nadi Study 1 (S1) Design 9 … <java> <cryptography> top 100 (Sorted by view count & score) Goal: Find obstacles
  • 18. Sarah Nadi Study 1 (S1) Design 9 … <java> <cryptography> top 100 Question topic? Likely obstacle? (Sorted by view count & score) Goal: Find obstacles
  • 19. Sarah Nadi Study 2 (S2) Design 10 javax.crypto Goal: Find tasks
  • 20. Sarah Nadi Study 2 (S2) Design 10 random 100 repos javax.crypto Goal: Find tasks
  • 21. Sarah Nadi Study 2 (S2) Design 10 random 100 repos What crypto task is performed? javax.crypto Goal: Find tasks
  • 22. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Goal: Find obstacles, tasks, & suggestions
  • 23. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Goal: Find obstacles, tasks, & suggestions
  • 24. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Goal: Find obstacles, tasks, & suggestions
  • 25. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Cryptography Tasks Used/Needed Goal: Find obstacles, tasks, & suggestions
  • 26. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Cryptography Tasks Used/Needed Frequently-used Crypto APIs/libraries & ease of use Goal: Find obstacles, tasks, & suggestions
  • 27. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Cryptography Tasks Used/Needed Frequently-used Crypto APIs/libraries & ease of use Obstacles (free-text + rated) Goal: Find obstacles, tasks, & suggestions
  • 28. Sarah Nadi Study 3 (S3) & Study 4 (S4) Survey Design 11 Background Frequency of Cryptography Use Never Rarely … Occasionally … Frequently … Cryptography Tasks Used/Needed Frequently-used Crypto APIs/libraries & ease of use Obstacles (free-text + rated) Goal: Find obstacles, tasks, & suggestions
  • 29. Sarah Nadi Survey Process & Participant Recruitment 12 Study 4 Study 3
  • 30. Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Study 4 Study 3
  • 31. Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Study 4 11 participants Study 3
  • 32. Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Study 4 11 participants Study 3 Refine
  • 33. Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Snowball sampling Emailed related committers + Study 4 11 participants Study 3 Refine
  • 34. Sarah Nadi Emailed <java><cryptography> posters Survey Process & Participant Recruitment 12 Snowball sampling Emailed related committers 37 participants+ Study 4 11 participants Study 3 Refine
  • 36. Sarah Nadi What Obstacles do Developers Face? 14
  • 37. Sarah Nadi What Obstacles do Developers Face? 15 Obstacle % Posts API use 57% Domain knowledge 15% Provider & Setup 15% Library Identification 7% Domain knowledge + API use 6%
  • 38. Sarah Nadi What Obstacles do Developers Face? 15 S3 participants mention: poor documentation, bad API design,and missing cryptography knowledge Obstacle % Posts API use 57% Domain knowledge 15% Provider & Setup 15% Library Identification 7% Domain knowledge + API use 6%
  • 39. Sarah Nadi What Obstacles do Developers Face? 15 S3 participants mention: poor documentation, bad API design,and missing cryptography knowledge 65% of S4 Participants find the APIs hard to use Obstacle % Posts API use 57% Domain knowledge 15% Provider & Setup 15% Library Identification 7% Domain knowledge + API use 6%
  • 40. Sarah Nadi Obstacle Category 1: Domain Knowledge 16 11% 24% 38% 27% Frequently Occasionally Rarely Never Don't know Identify correct cryptography algorithm 14% 41% 43% 3% Frequently Occasionally Rarely Never Don't know Identify relevant cryptography concepts
  • 41. Sarah Nadi Obstacle Category 1: Domain Knowledge 17 11% 24% 38% 27% Frequently Occasionally Rarely Never Don't know Identify correct cryptography algorithm 14% 41% 43% 3% Frequently Occasionally Rarely Never Don't know Identify relevant cryptography concepts Developers may not always know the correct cryptography algorithm to use
  • 42. Sarah Nadi Obstacle Category 2: Setting Up 18 27% 32% 27% 11% 3% Frequently Occasionally Rarely Never Don't know Identify relevant Java API 22% 41% 30% 5% 3% Frequently Occasionally Rarely Never Don't know Select provider 22% 27% 32% 16% 3% Frequently Occasionally Rarely Never Don't know Setup environment
  • 43. Sarah Nadi Obstacle Category 2: Setting Up 19 27% 32% 27% 11% 3% Frequently Occasionally Rarely Never Don't know Identify relevant Java API 22% 41% 30% 5% 3% Frequently Occasionally Rarely Never Don't know Select provider 22% 27% 32% 16% 3% Frequently Occasionally Rarely Never Don't know Setup environment Finding the right API/library to use & setting it up is often an obstacle in itself
  • 44. Sarah Nadi 19% 54% 22% 5% Frequently Occasionally Rarely Never Don't know 32% 43% 19% 5% Frequently Occasionally Rarely Never Don't know 35% 46% 11% 8% Frequently Occasionally Rarely Never Don't know Obstacle Category 3: API Use 20 Identify sequence of method calls Identify parameters Understand API error messages
  • 45. Sarah Nadi 19% 54% 22% 5% Frequently Occasionally Rarely Never Don't know 32% 43% 19% 5% Frequently Occasionally Rarely Never Don't know 35% 46% 11% 8% Frequently Occasionally Rarely Never Don't know Obstacle Category 3: API Use 21 Identify sequence of method calls Identify parameters Understand API error messages The most frequently faced obstacle is identifying the sequence of API method calls
  • 47. Sarah Nadi Common Cryptography Tasks 23 10% of analyzed GitHub repos Top task by 64% of S3 participants Avg. Rank of 3.95 by 28 S4 participants 6% of analyzed GitHub repos Top task by 34% of S3 participants Avg. Rank 2.22, 35 S4 participants 64% of analyzed GitHub repos 37% of analyzed StackOverflow posts Avg. rank 5.03, 25 S4 participants User Authentication Secure Communication Symmetric Encryption
  • 48. Sarah Nadi What do Developers Want? 24
  • 49. Sarah Nadi What do Developers Want? 25 Better Documentation “Better documentation with examples and deeper layers of documentations with theoretical knowledge” (S4-P23) “better examples” (S4-P2) “More/better example code, access to API source code and high quality JavaDoc with cross references” (S4-P12) “A real documentation would be very helpful. Some kind of best practice methodology for a crypto API usage could also help” (S4-P18)
  • 50. Sarah Nadi What do Developers Want? 26 Higher Abstraction Level “Make [the] API simpler, e.g., have a class with the name AES or RSA[;] getInstance(‘whatever’) is bad API design” (S4-P36) “[I want something that] just takes input […]. Short and sweet” (S3-P3) “Higher level task oriented APIs for things like public key crypto, key exchanges, ..” (S4-P27) “High level APIs [that] can't be used incorrectly..” (S4-P8) “A library providing simple API calls (one or two methods and simple parameters) for different use cases.” (S4-P7) “Standardized task-based API” (S4-P1) “…Providing higher-level APIs, .. would go along way to making sure developers don't do something dumb.” (S4-P27)
  • 51. Sarah Nadi What do Developers Want? 27 “Test tooling that understands encryption and verifies if encryption is used where it should be. Source scanners that identify configuration mistakes, weak algorithms etc.” (S4-P17) Tool Assistance “Some kind of testing tool…” (S4-P13) “Special CryptoDebugger” (S4-P11) “Templates for common used patterns” (S4-P7) “IDE Plugin generating code pattern for specific use cases” (S4-P6)
  • 52. Sarah Nadi 28 Better Documentation Higher Abstraction Level Tool Assistance
  • 53. Sarah Nadi 29 Better Documentation Higher Abstraction Level Tool Assistance How Can We Move Forward?
  • 54. Sarah Nadi The Ideal Tool Assistance 30 COMMON TASKS TO SUPPORT STEPS TO SUPPORT
  • 55. Sarah Nadi The Ideal Tool Assistance 30 COMMON TASKS TO SUPPORT STEPS TO SUPPORT
  • 56. Sarah Nadi The Ideal Tool Assistance 30 COMMON TASKS TO SUPPORT STEPS TO SUPPORT
  • 57. Sarah Nadi The Ideal Tool Assistance 30 BlockCipher AES keySize (128, 192, 256) mode (ECB, CBC, …) padding (PKCS5Padding, NoPadding) DES COMMON TASKS TO SUPPORT STEPS TO SUPPORT
  • 58. Sarah Nadi The Ideal Tool Assistance 30 BlockCipher AES keySize (128, 192, 256) mode (ECB, CBC, …) padding (PKCS5Padding, NoPadding) DES COMMON TASKS TO SUPPORT STEPS TO SUPPORT KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(256); SecretKey secretKey = keyGen.generateKey(); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7PADDING"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg);
  • 59. Sarah Nadi The Ideal Tool Assistance 30 BlockCipher AES keySize (128, 192, 256) mode (ECB, CBC, …) padding (PKCS5Padding, NoPadding) DES COMMON TASKS TO SUPPORT STEPS TO SUPPORT KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(256); SecretKey secretKey = keyGen.generateKey(); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7PADDING"); cipher.init(Cipher.ENCRYPT_MODE, secretKey); cipher.doFinal(inputMsg);
  • 60. Sarah Nadi “The ability to just perform some simple cryptographic tasks in Java without jumping through hoops would be brilliant…” (S4-P10) 31
  • 61. “Jumping Through Hoops” Why do Java Developers Struggle With Cryptography APIs? Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden sarahnadi.org@sarahnadi