- This seminar has passed.
“Do This! Do That! And nothing will happen”: Do specifications lead to securely stored passwords? (ICSE ’21)
25 August 2021 @ 3:00 pm - 4:00 pm
Does the act of writing a specification (how the code should behave) for a piece of security-sensitive code lead to developers producing more secure code? We asked 138 developers to write a snippet of code to store a password: Half of them were asked to write down a specification of how the code should behave before writing the program, the other half were asked to write the code but without being prompted to write a specification first. We find that explicitly prompting developers to write a specification has a small positive effect on the security of password storage approaches implemented. However, developers often fail to store passwords securely, despite claiming to be confident and knowledgeable in their approaches, and despite considering an appropriate range of threats. We find a need for developer-centered usable mechanisms for telling developers how to store passwords: lists of what they must do are not working.
Zoom meeting link: https://newcastleuniversity.zoom.us/j/85712200902?pwd=NHc5R25HRUxjUE93STNVc21Yd2pNUT09
Meeting ID: 857 1220 0902
Passcode: 967353
Youtube live streaming: https://youtu.be/ex8Q5mkw6Ko
Youtube VoD
Presenter
-
Joseph Hallett (University of Bristol)Joseph Hallett is a lecturer at the University of Bristol working on developer centred security. Joseph’s research interests range from working out how we can help developers get security right, to how different groups think and reason about cybersecurity and risk.