You Get Where You’re Looking for: the Impact of Information Sources on Code Security

Principal Investigator: Professor Sascha Fahl, Leibniz University Hannover

RISCS would like to congratulate friend and fellow researcher Sascha Fahl. Every year the US National Security Agency runs a competition for the best scientific cyber security paper. This year, 2017, the winning paper is You Get Where You’re Looking for: The Impact of Information Sources on Code Security; Fahl, along with Yasemin Acar, Michael Backes, Doowon Kim, Michelle L. Mazurek, and Christian Stransky, is one of the authors.

The paper traces one of the problems facing software developers who try to write secure programs by examining the information sources those developers use. In a study involving 54 developers, the authors found, as Fahl explained in a talk he gave at a RISCS workshop last year on secure development, that given the choice developers tend to consult websites such as Stack Overflow, where the information is highly accessible but often leads to insecure code. Official documentation leads to secure, correct code but is hard to use, and although books are both accurate and functional, few developers choose to use them.

We gratefully acknowledge Sascha Fahl’s contribution to the workshop, which led to the formulation of the research call for projects on secure software development. The result has been to open up a new area of research for RISCS, including new projects intended to identify the problems developers have when trying to write secure code, to motivate them to do better, and to identify helpful interventions.

Posted on August 10, 2020