Background: Previous studies have shown that up to 99.59 % of the Java apps using crypto APIs misuse the API at least once. However, these studies have been conducted on Java and C, while empirical studies for other languages are missing. For example, a controlled user study with crypto tasks in Python has shown that 68.5 % of the professional developers write a secure solution for a crypto task.
Aims: To understand if this observation holds for real-world code, we conducted a study of crypto misuses in Python.
Method: We developed a static analysis tool that covers common misuses of 5 different Python crypto APIs. With this analysis, we analyzed 895 popular Python projects from GitHub and 51 MicroPython projects for embedded devices. Further, we compared our results with the findings of previous studies.
Results: Our analysis reveals that 52.26 % of the Python projects have at least one misuse. Further, some Python crypto libraries API design helps developers from misusing crypto functions, which were much more common in studies conducted with Java and C code.
Conclusion: We conclude that we can see a positive impact of the good API design on crypto misuses for Python applications. Further, our analysis of MicroPython projects reveals the importance of hybrid analyses.
Tue 12 OctDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
15:30 - 16:35 | Testing & Security 2Technical Papers / Emerging Results and Vision papers at ESEM ROOM Chair(s): Davide Fucci Blekinge Institute of Technology | ||
15:30 15mTalk | Barriers to Shift-Left Security: The Unique Pain Points of Writing Automated Tests Involving Security Controls Technical Papers Danielle Gonzalez Rochester Institute of Technology and Microsoft, Paola Peralta Perez Rochester Institute of Technology, Mehdi Mirakhorli Rochester Institute of Technology DOI | ||
15:45 15mTalk | Security Smells Pervade Mobile App Servers Technical Papers Pascal Gadient University of Bern, Marc-Andrea Tarnutzer University of Bern, Oscar Nierstrasz University of Bern, Switzerland, Mohammad Ghafari University of Auckland Pre-print | ||
16:00 15mTalk | Who are Vulnerability Reporters? A Large-scale Empirical Study on FLOSS Technical Papers Nikolaos Alexopoulos Technical University of Darmstadt, Andy Meneely Rochester Institute of Technology, Dorian Arnouts Technical University of Darmstadt, Max Mühlhäuser Technical University of Darmstadt Pre-print | ||
16:15 10mTalk | Python Crypto Misuses in the Wild Emerging Results and Vision papers Anna-Katharina Wickert TU Darmstadt, Germany, Lars Baumgärtner TU Darmstadt, Florian Breitfelder TU Darmstadt, Mira Mezini TU Darmstadt, Germany Pre-print Media Attached | ||
16:25 10mTalk | Web Application Testing: Using Tree Kernels to Detect Near-duplicate States in Automated Model Inference Emerging Results and Vision papers Anna Corazza Università degli Studi di Napoli Federico II, Sergio Di Martino Università degli Studi di Napoli Federico II, Adriano Peron Università degli Studi di Napoli Federico II, Luigi Libero Lucio Starace Università degli Studi di Napoli Federico II Pre-print Media Attached | ||