“Do this! Do that!, And nothing will happen” Do specifications lead to securely stored passwords? (ICSE 2021 - Technical Track)

Who

Joseph Hallett, Nikhil Patnaik, Benjamin Shreeve, Awais Rashid

Track

ICSE 2021 Technical Track

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Tue 25 May 2021 10:50 - 11:10 at Blended Sessions Room 2 - 1.1.2. Developers: Behavior Chair(s): Andrea Zisman
Tue 25 May 2021 22:50 - 23:10 at Blended Sessions Room 2 - 1.1.2. Developers: Behavior

Abstract

Does the act of writing a specification (how the code should behave) for a piece of security sensitive code lead to developers producing more secure code? We asked 138 developers to write a snippet of code to store a password: Half of them were asked to write down a specification of how the code should behave before writing the program, the other half were asked to write the code but without being prompted to write a specification first. We find that explicitly prompting developers to write a specification has a small positive effect on the security of password storage approaches implemented. However, developers often fail to store passwords securely, despite claiming to be confident and knowledgeable in their approaches, and despite considering an appropriate range of threats. We find a need for developer-centered usable mechanisms for telling developers how to store passwords: lists of what they must do are not working.

Link to Preprint

https://arxiv.org/abs/2102.09790

Joseph Hallett

University of Bristol

Nikhil Patnaik

University of Bristol

Benjamin Shreeve

University of Bristol

Awais Rashid

University of Bristol, UK

United Kingdom

“Do this! Do that!, and Nothing will Happen” Do Specifications Lead to Securely Stored Passwords?

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Tue 25 May
Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

10:30 - 11:30	1.1.2. Developers: BehaviorTechnical Track / SEIP - Software Engineering in Practice at Blended Sessions Room 2 +12h Chair(s): Andrea Zisman The Open University

10:30 20m Paper		A Passion for Security: Intervening to Help Software DevelopersSEIP SEIP - Software Engineering in Practice Charles Weir Lancaster University, Ingolf Becker University College London, Lynne Blair Lancaster University DOI Pre-print Media Attached
10:50 20m Paper		“Do this! Do that!, And nothing will happen” Do specifications lead to securely stored passwords?Technical Track Technical Track Joseph Hallett University of Bristol, Nikhil Patnaik University of Bristol, Benjamin Shreeve University of Bristol, Awais Rashid University of Bristol, UK Pre-print Media Attached
11:10 20m Paper		Why don’t Developers Detect Improper Input Validation?'; DROP TABLE Papers; --ACM SIGSOFT Distinguished PaperTechnical Track Technical Track Larissa Braz University of Zurich, Enrico Fregnan University of Zurich, Gül Calikli University of Zürich, Alberto Bacchelli University of Zurich Pre-print Media Attached

22:30 - 23:30	1.1.2. Developers: BehaviorTechnical Track / SEIP - Software Engineering in Practice at Blended Sessions Room 2

22:30 20m Paper		A Passion for Security: Intervening to Help Software DevelopersSEIP SEIP - Software Engineering in Practice Charles Weir Lancaster University, Ingolf Becker University College London, Lynne Blair Lancaster University DOI Pre-print Media Attached
22:50 20m Paper		“Do this! Do that!, And nothing will happen” Do specifications lead to securely stored passwords?Technical Track Technical Track Joseph Hallett University of Bristol, Nikhil Patnaik University of Bristol, Benjamin Shreeve University of Bristol, Awais Rashid University of Bristol, UK Pre-print Media Attached
23:10 20m Paper		Why don’t Developers Detect Improper Input Validation?'; DROP TABLE Papers; --ACM SIGSOFT Distinguished PaperTechnical Track Technical Track Larissa Braz University of Zurich, Enrico Fregnan University of Zurich, Gül Calikli University of Zürich, Alberto Bacchelli University of Zurich Pre-print Media Attached