It's the psychology stupid

How heuristics explain software vulnerabilities and how priming can illuminate developers' blind spots

Daniela Oliveira, Marissa Rosenthal, N. Morin, Kuo-chuan Yeh, Justin Cappos, Y. Zhuang

Research output: Contribution to conference (Paper)

8 Citations (Scopus)

Abstract

Despite the security community's emphasis on the importance of building secure software, the number of new vulnerabilities found in our systems is increasing. In addition, vulnerabilities that have been studied for years are still commonly reported in vulnerability databases. This paper investigates a new hypothesis that software vulnerabilities are blind spots in developers' heuristic-based decision-making processes. Heuristics are simple computational models to solve problems without considering all the information available. They are an adaptive response to our short working memory because they require less cognitive effort. Our hypothesis is that, as software vulnerabilities represent corner cases that exercise unusual information flows, they tend to be left out of the repertoire of heuristics used by developers during their programming tasks. To validate this hypothesis we conducted a study with 47 developers using psychological manipulation. In this study each developer worked for approximately one hour on six vulnerable programming scenarios. The sessions progressed from providing no information about the possibility of vulnerabilities, to priming developers about unexpected results, to explicitly mentioning the existence of vulnerabilities in the code. The results show that (i) security is not a priority in software development environments, (ii) security is not part of developers' mindset while coding, (iii) developers assume common cases for their code, (iv) security thinking requires cognitive effort, (v) security education helps, but developers can have difficulty correlating a particular learned vulnerability or piece of security information with their current working task, and (vi) priming or explicitly cueing about vulnerabilities on the spot is a powerful mechanism to make developers aware of potential vulnerabilities.

Original language: English (US)
Pages: 296-305
Number of pages: 10
DOI: 10.1145/2664243.2664254
State: Published - Dec 8 2014
Event: 30th Annual Computer Security Applications Conference, ACSAC 2014 - New Orleans, United States
Duration: Dec 8 2014 to Dec 12 2014

Other

Other: 30th Annual Computer Security Applications Conference, ACSAC 2014
Country: United States
City: New Orleans
Period: 12/8/14 to 12/12/14

Fingerprint

Software engineering
Education
Decision making
Data storage equipment

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Cite this

Oliveira, D., Rosenthal, M., Morin, N., Yeh, K., Cappos, J., & Zhuang, Y. (2014). It's the psychology stupid: How heuristics explain software vulnerabilities and how priming can illuminate developers' blind spots. 296-305. Paper presented at 30th Annual Computer Security Applications Conference, ACSAC 2014, New Orleans, United States. https://doi.org/10.1145/2664243.2664254