ICSE 2021
Mon 17 May - Sat 5 June 2021
Tue 25 May 2021 10:50 - 11:10 at Blended Sessions Room 2 - 1.1.2. Developers: Behavior. Chair(s): Andrea Zisman
Tue 25 May 2021 22:50 - 23:10 at Blended Sessions Room 2 - 1.1.2. Developers: Behavior (+12h mirror session)

Does the act of writing a specification (how the code should behave) for a piece of security-sensitive code lead to developers producing more secure code? We asked 138 developers to write a snippet of code to store a password: half of them were asked to write down a specification of how the code should behave before writing the program, the other half were asked to write the code but without being prompted to write a specification first. We find that explicitly prompting developers to write a specification has a small positive effect on the security of the password storage approaches implemented. However, developers often fail to store passwords securely, despite claiming to be confident and knowledgeable in their approaches, and despite considering an appropriate range of threats. We find a need for developer-centered usable mechanisms for telling developers how to store passwords: lists of what they must do are not working.
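The abstract above reports that developers asked to "store a password" usually got it wrong, and that a checklist of musts did not help. As a concrete point of reference for what "securely stored" means in practice, here is an added example (written for this page, not code from the paper, its study materials, or its authors) that puts the common failure next to a sound approach using only the Python standard library: a salt per password, a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 here), a self-describing stored record so the work factor can be raised later, and a constant-time comparison on verification. The function names, the record format, and the sample passwords are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the ICSE 2021 paper: secure password storage with
# the Python standard library. The record format "algorithm$iterations$salt$hash"
# is an assumption of this example, not a standard the paper prescribes.

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def insecure_store(password: str) -> str:
    """The anti-pattern: one round of a fast, unsalted general-purpose hash.
    Equal passwords give equal records, and a GPU can test billions of guesses
    per second against it. Kept here only for contrast; never use it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a slow, salted hash and return a record that carries its own
    parameters, so old records stay verifiable after the defaults change."""
    salt = os.urandom(SALT_BYTES)               # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # base64 never emits "$", so "$" is a safe field separator.
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters in the record and compare in
    constant time. Malformed or foreign records are rejected, not raised on."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False
    if algorithm != ALGORITHM or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was made with a lower work factor than the current
    default; call this after a successful login and re-store the password."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Sample passwords constructed for this example.
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    print("same password, same weak hash:",
          insecure_store("hunter2") == insecure_store("hunter2"))
```

Two design points worth noting. First, storing the iteration count inside the record is what lets a deployment raise `DEFAULT_ITERATIONS` later and migrate users lazily via `needs_rehash()` at login, rather than forcing a reset. Second, the verifier deliberately returns `False` on malformed input instead of raising, so a corrupted or attacker-supplied record cannot turn into an unhandled exception on the login path. Where a dedicated library such as argon2-cffi or bcrypt is available, prefer its memory-hard algorithms; the structure of the record and the verification logic stay the same.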

Conference Day
Tue 25 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

10:30 - 11:30
1.1.2. Developers: Behavior (Technical Track / SEIP - Software Engineering in Practice) at Blended Sessions Room 2 (+12h)
Chair(s): Andrea Zisman, The Open University

10:30 (20m) Paper
A Passion for Security: Intervening to Help Software Developers (SEIP - Software Engineering in Practice)
Charles Weir (Lancaster University), Ingolf Becker (University College London), Lynne Blair (Lancaster University)
DOI, Pre-print, Media Attached

10:50 (20m) Paper
"Do this! Do that!, And nothing will happen" Do specifications lead to securely stored passwords? (Technical Track)
Joseph Hallett, Nikhil Patnaik, Benjamin Shreeve, Awais Rashid (University of Bristol, UK)
Pre-print, Media Attached

11:10 (20m) Paper
Why don't Developers Detect Improper Input Validation? '; DROP TABLE Papers; -- (Technical Track; ACM SIGSOFT Distinguished Paper; Artifact Reusable; Artifact Available)
Larissa Braz, Enrico Fregnan, Gül Calikli, Alberto Bacchelli (University of Zurich)
Pre-print, Media Attached