Blindspots in Python and Java APIs Result in Vulnerable Code
Blindspots in APIs can cause software engineers to introduce vulnerabilities, but such blindspots are, unfortunately, common. We study the effect APIs with blindspots have on developers in two languages by replicating a 109-developer, 24-Java-API controlled experiment. Our replication applies to Python and involves 129 new developers and 22 new APIs. We find that using APIs with blindspots statistically significantly reduces the developers’ ability to correctly reason about the APIs in both languages, but that the effect is more pronounced for Python. Interestingly, for Java, the effect increased with complexity of the code relying on the API, whereas for Python, the opposite was true. This suggests that Python developers are less likely to notice potential for vulnerabilities in complex code than in simple code, whereas Java developers are more likely to recognize the extra complexity and apply more care, but are more careless with simple code. Whether the developers considered API uses to be more difficult, less clear, and less familiar did not have an effect on their ability to correctly reason about them. Developers with better long-term memory recall were more likely to correctly reason about APIs with blindspots, but short-term memory, processing speed, episodic memory, and memory span had no effect. Surprisingly, professional experience and expertise did not improve the developers’ ability to reason about APIs with blindspots across both languages, with long-term professionals with many years of experience making mistakes as often as relative novices. Finally, personality traits did not significantly affect the Python developers’ ability to reason about APIs with blindspots, but less extraverted and more open developers were better at reasoning about Java APIs with blindspots. Overall, our findings suggest that blindspots in APIs are a serious problem across languages, and that experience and education alone do not overcome that problem, suggesting that tools are needed to help developers recognize blindspots in APIs as they write code that uses those APIs.
Wed 17 MayDisplayed time zone: Hobart change
15:45 - 17:15 | Vulnerability analysis and assessmentTechnical Track / Journal-First Papers / DEMO - Demonstrations at Meeting Room 105 Chair(s): Xiaoyin Wang University of Texas at San Antonio | ||
15:45 15mTalk | Chronos: Time-Aware Zero-Shot Identification of Libraries from Vulnerability Reports Technical Track Yunbo Lyu Singapore Management University, Le-Cong Thanh The University of Melbourne, Hong Jin Kang UCLA, Ratnadira Widyasari Singapore Management University, Singapore, Zhipeng Zhao Singapore Management University, Xuan-Bach D. Le University of Melbourne, Ming Li Nanjing University, David Lo Singapore Management University Pre-print | ||
16:00 15mTalk | Understanding the Threats of Upstream Vulnerabilities to Downstream Projects in the Maven Ecosystem Technical Track Yulun Wu Huazhong University of Science and Technology, Zeliang Yu Huazhong University of Science and Technology, Ming Wen Huazhong University of Science and Technology, Qiang Li Huazhong University of Science and Technology, Deqing Zou Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology Pre-print | ||
16:15 15mTalk | SecBench.js: An Executable Security Benchmark Suite for Server-Side JavaScript Technical Track Masudul Hasan Masud Bhuiyan CISPA Helmholtz Center for Information Security, Adithya Srinivas Parthasarathy Indian Institute of Information Technology, Design and Manufacturing, Kancheepuram, Nikos Vasilakis Massachusetts Institute of Technology, Michael Pradel University of Stuttgart, Cristian-Alexandru Staicu CISPA Helmholtz Center for Information Security Pre-print | ||
16:30 15mTalk | On Privacy Weaknesses and Vulnerabilities in Software Systems Technical Track Pattaraporn Sangaroonsilp University of Wollongong, Hoa Khanh Dam University of Wollongong, Aditya Ghose University of Wollongong | ||
16:45 7mTalk | A Multi-faceted Vulnerability Searching Website Powered by Aspect-level Vulnerability Knowledge Graph DEMO - Demonstrations Jiamou Sun CSIRO's Data61, Zhenchang Xing CSIRO’s Data61; Australian National University, Qinghua Lu CSIRO’s Data61, Xiwei (Sherry) Xu CSIRO’s Data61, Liming Zhu CSIRO’s Data61 | ||
16:52 7mTalk | An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities Journal-First Papers Imen Sayar IRIT, University of Toulouse, IUT Blagnac Toulouse II, 1 Place Georges Brassens, Blagnac Cedex, France, 31703, Alexandre Bartel Umeå University, Eric Bodden Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM, Yves Le Traon University of Luxembourg, Luxembourg | ||
17:00 7mTalk | Blindspots in Python and Java APIs Result in Vulnerable Code Journal-First Papers Yuriy Brun University of Massachusetts, Tian Lin University of Florida, Jessie Elise Somerville University of Florida, Elisha M. Myers Florida Atlantic University, Natalie C. Ebner University of Florida Link to publication DOI Pre-print Media Attached | ||