Transcript of dvotipka/slides/Votipka-HCSS2019.pdf
UNDERSTANDING SECURITY MISTAKES DEVELOPERS MAKE
Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle Mazurek, and Mike Hicks
Qualitative Analysis From Build It, Break It, Fix It
University of Maryland, College Park
“SOLVED” VULNERABILITIES ARE STILL A VERY REAL PROBLEM
“rolling its own crypto rather than relying on tried and tested solutions…. The devices were sending hardcoded encryption keys over the network, and were using a fixed initialization vector… Moreover, the devices didn’t include any message signing”
“SBI's Mumbai-based data center had a server without password protection”
Why do developers continue to make stupid and lazy mistakes?
How can we make secure programming easier?
POSSIBLE SOLUTIONS
More/Better Education
Better APIs
Better documentation
Automation
Etc
How can we improve the effectiveness of these solutions?
IN ORDER TO IMPROVE THESE SOLUTIONS, WE NEED TO UNDERSTAND THE TYPES, CAUSES, AND PERVASIVENESS OF VULNERABILITIES.
HOW CAN WE MEASURE THIS?
Field studies
Field surveys
Lab studies
FIELD STUDIES
Immerse ourselves in the “real world” to observe and collect data
Pros:
We can see what happens in the real world
Cons:
Hard to get access to
Hard to generalize site-specific data
FIELD SURVEYS
CVEs, GitHub, etc
Pros:
Large datasets publicly available
Data is already categorized
Cons:
Hard to understand why
Hard to compare possibly unrelated data
LAB STUDIES
Have people participate in a controlled experiment
Pros:
A lot of control over conditions
Cons:
Ecological validity
Potentially simple problems
BUILD IT, BREAK IT, FIX IT
Secure programming contest (Ruef et al., CCS 2016)
Build-It Phase
2 weeks
Develop to spec with open choices
Incentivized:
Make it performant
Make it secure
Break-It Phase
Get other teams’ source code
Attack breadth of submissions
Find unique vulnerabilities
Prioritize security bugs over correctness
Fix-It Phase
Make fixes and get points back
SECURE LOG PROBLEM
./logappend -T 0800 -K XDFLKJSLJDLJFLKJLSDF -E Bob -A -R Gallery log
./logappend -T 0801 -K XDFLKJSLJDLJFLKJLSDF -E Alice -A -R Office log
log:
Event LogTime | User  | Action | Where
8:00 AM       | Bob   | Enter  | Gallery
8:01 AM       | Alice | Enter  | Office
./logread -K XDFLKJSLJDLJFLKJLSDF -R -E Alice log
Office
SECURE COMMUNICATIONS PROBLEM
./bank -s auth
auth: XDFLKJSLJDLJFLKJLSDF
./atm -s auth -c card -a bob -n 1000
card: DFLLKSDF
bob balance: 1000
./atm -s auth -c card -a bob -d 50
bob balance: 1050
./atm -s auth -c card -a bob -w 600
bob balance: 450
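The exchange above leaves the wire format, key handling and message freshness to each team, and the deck later lists missing replay prevention and side-channel leakage among the ATM vulnerabilities it found. The following is an added example, not code from the talk or from any contest submission, of one way to close both gaps: the bank issues a one-time nonce per transaction, every request is HMAC-tagged with a key derived from the auth file contents, tags are compared in constant time, and every failure returns the same generic result so the bank does not reveal whether an account exists. The JSON wire format, the challenge-per-request scheme and the auth token value are this example's assumptions.

```python
# Added example: nonce-based replay prevention and constant-time tag checks for
# the ATM/bank exchange. Not code from the talk or any BIBIFI submission; the
# wire format and the challenge-per-request scheme are this example's own.
import hashlib
import hmac
import json
import secrets

# Constructed: stands in for the contents of the auth file shared by bank and ATM.
AUTH_TOKEN = b"XDFLKJSLJDLJFLKJLSDF"
ERROR = (False, None)   # one uniform failure result: no account-existence oracle


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _canonical(body):
    # Same bytes on both sides regardless of dict ordering.
    return json.dumps(body, sort_keys=True).encode()


class Bank:
    def __init__(self, auth_token):
        self.key = hashlib.sha256(auth_token).digest()
        self.balances = {}
        self.issued = set()   # nonces handed out and not yet consumed

    def challenge(self):
        """Issue a fresh one-time nonce; the ATM must echo it in its request."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def handle(self, wire):
        try:
            msg = json.loads(wire)
            body = msg["body"]
            if not hmac.compare_digest(_tag(self.key, _canonical(body)), msg["tag"]):
                return ERROR                      # forged or tampered request
            nonce = body["nonce"]
            if nonce not in self.issued:
                return ERROR                      # never issued or already used: replay
            self.issued.discard(nonce)            # consume before doing anything else
            return self._apply(body["account"], body["op"], body["amount"])
        except (ValueError, KeyError, TypeError):
            return ERROR

    def _apply(self, acct, op, amt):
        if op == "n":                              # new account with opening balance
            if acct in self.balances or not isinstance(amt, int) or amt < 0:
                return ERROR
            self.balances[acct] = amt
        elif acct not in self.balances:
            return ERROR
        elif op in ("d", "w"):                     # deposit / withdraw
            if not isinstance(amt, int) or amt <= 0:
                return ERROR
            if op == "w" and amt > self.balances[acct]:
                return ERROR
            self.balances[acct] += amt if op == "d" else -amt
        elif op != "g":                            # "g": get balance
            return ERROR
        return True, self.balances[acct]


class Atm:
    def __init__(self, auth_token):
        self.key = hashlib.sha256(auth_token).digest()

    def request(self, bank, account, op, amount=None):
        body = {"nonce": bank.challenge(), "account": account, "op": op, "amount": amount}
        wire = json.dumps({"body": body, "tag": _tag(self.key, _canonical(body))}).encode()
        return wire, bank.handle(wire)   # wire is returned so a "capture" can be replayed


def demo():
    """Mirrors the slide's session, then replays and tampers with a captured deposit."""
    bank, atm = Bank(AUTH_TOKEN), Atm(AUTH_TOKEN)
    atm.request(bank, "bob", "n", 1000)
    wire, deposit = atm.request(bank, "bob", "d", 50)       # (True, 1050)
    replayed = bank.handle(wire)                             # nonce already consumed
    forged = json.loads(wire)
    forged["body"]["amount"] = 5000                          # tag no longer matches
    tampered = bank.handle(json.dumps(forged).encode())
    _, withdrawal = atm.request(bank, "bob", "w", 600)       # (True, 450)
    return deposit, replayed, tampered, withdrawal
```

The order of checks matters: the tag is verified first so an unauthenticated party cannot burn nonces, the nonce is consumed before the balance logic runs so a request that fails later still cannot be retried, and the single ERROR value keeps "no such account" indistinguishable from "bad tag" on the wire.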
MULTIUSER DATABASE PROBLEM
as principal admin password "admin" do
  create principal alice "alices_password"
  set msg = "Hi Alice. Good luck in Build it, Break it, Fix it!"
  set delegation msg admin read -> alice
  return "success"
***
as principal alice password "alices_password" do
  return msg
***
as principal bob password "bobs_password" do
  return msg
***
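An added example, not code from the talk or from any contest submission, of a minimal interpreter for the three programs above. It makes one of the deck's later findings concrete: every permission decision goes through a single method (_check), and a program that is denied or fails is rolled back as a unit. The status names, the grammar subset (create principal, set, set delegation, return), the rights read/write/delegate, and the rule that an unknown principal yields FAILED while a wrong password or a missing right yields DENIED are this example's own conventions, not the contest's output format.

```python
# Added example: a minimal interpreter for the multiuser database programs shown
# above. Not code from the talk or any BIBIFI submission; the grammar subset,
# rights, status names and FAILED/DENIED rules are this example's own.
import copy
import hmac
import re

RIGHTS = ("read", "write", "delegate")
_TOKEN = re.compile(r'"[^"]*"|->|=|\S+')   # quoted string, arrow, equals, or word


class Denied(Exception):
    """Known principal, but wrong password or missing right."""


class Failed(Exception):
    """Malformed program or unknown name."""


def _lit(tok):
    if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
        return tok[1:-1]
    raise Failed


class Database:
    def __init__(self, admin_password):
        self.passwords = {"admin": admin_password}
        self.vars = {}
        self.rights = {}   # (variable, principal) -> set of rights

    def _check(self, who, var, right):
        """The single place a permission decision is made (admin may do anything)."""
        if who != "admin" and right not in self.rights.get((var, who), set()):
            raise Denied

    def _value(self, who, tok):
        if tok.startswith('"'):
            return _lit(tok)
        if tok not in self.vars:
            raise Failed
        self._check(who, tok, "read")
        return self.vars[tok]

    def _exec(self, who, t):
        if t[:2] == ["create", "principal"] and len(t) == 4:
            if who != "admin":
                raise Denied
            if t[2] in self.passwords:
                raise Failed
            self.passwords[t[2]] = _lit(t[3])
            return {"status": "CREATE_PRINCIPAL"}
        if t[:2] == ["set", "delegation"] and len(t) == 7 and t[5] == "->":
            var, owner, right, target = t[2], t[3], t[4], t[6]
            if var not in self.vars or target not in self.passwords or right not in RIGHTS:
                raise Failed
            if who not in ("admin", owner):
                raise Denied                      # may only give away your own rights
            self._check(owner, var, "delegate")
            self.rights.setdefault((var, target), set()).add(right)
            return {"status": "SET_DELEGATION"}
        if t[:1] == ["set"] and len(t) == 4 and t[2] == "=":
            value = self._value(who, t[3])        # read right needed if it is a variable
            if t[1] in self.vars:
                self._check(who, t[1], "write")
            else:
                self.rights[(t[1], who)] = set(RIGHTS)   # creator owns a new variable
            self.vars[t[1]] = value
            return {"status": "SET"}
        if t[:1] == ["return"] and len(t) == 2:
            return {"status": "RETURNING", "output": self._value(who, t[1])}
        raise Failed

    def run(self, program):
        """Run one program atomically: any DENIED/FAILED rolls back every change."""
        snapshot = copy.deepcopy((self.passwords, self.vars, self.rights))
        out = []
        try:
            lines = [ln.strip() for ln in program.splitlines() if ln.strip()]
            head = _TOKEN.findall(lines[0])
            if head[:2] != ["as", "principal"] or head[3:4] != ["password"] or head[5:] != ["do"]:
                raise Failed
            who, pw = head[2], _lit(head[4])
            if who not in self.passwords:
                raise Failed
            if not hmac.compare_digest(self.passwords[who].encode(), pw.encode()):
                raise Denied
            for line in lines[1:]:
                if line == "***":
                    break
                out.append(self._exec(who, _TOKEN.findall(line)))
            return out
        except Denied:
            status = "DENIED"
        except (Failed, IndexError):
            status = "FAILED"
        self.passwords, self.vars, self.rights = snapshot
        return [{"status": status}]


# Constructed from the slide's three programs.
PROGRAMS = [
    'as principal admin password "admin" do\n'
    'create principal alice "alices_password"\n'
    'set msg = "Hi Alice. Good luck in Build it, Break it, Fix it!"\n'
    'set delegation msg admin read -> alice\n'
    'return "success"\n***',
    'as principal alice password "alices_password" do\nreturn msg\n***',
    'as principal bob password "bobs_password" do\nreturn msg\n***',
]


def demo():
    db = Database("admin")
    results = [[r["status"] for r in db.run(p)] for p in PROGRAMS]
    db.run('as principal admin password "admin" do\ncreate principal bob "bobs_password"\n***')
    results.append([r["status"] for r in db.run(PROGRAMS[2])])   # bob exists, no right
    return results
```

Centralising the decision in _check is what the deck's "writing security checks once" observation amounts to in code: adding a new command cannot accidentally skip authorisation, and the rollback in run means a program that is denied halfway through leaves no partial state behind.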
RESEARCH QUESTIONS
What types of vulnerabilities do developers introduce?
How severe are the vulnerabilities? If exploited, what is the effect on the system?
How exploitable are the vulnerabilities? What level of insight is required and how much work is necessary?
ANALYSIS APPROACH
Examine projects and associated exploits in detail
Iterative open coding
Two independent researchers with high reliability
76 projects with 866 submitted exploits
Both qualitative and quantitative analysis performed
RESULTS
Vulnerability classes
No implementation: Intuitive, Unintuitive
Misunderstanding: Bad Choice, Conceptual Error
Mistake
Vulnerability classes
No implementation
Intuitive
• Missed something “Intuitive”
• No encryption (log, ATM)
• No access control (MD)
Unintuitive
• Missed something “Unintuitive”
• No MAC (log)
• Side-channel leakage (ATM, MD)
• No replay prevention (ATM)
Vulnerability classes
Misunderstanding
Bad Choice
• Made a “Bad Choice”
• Weak algorithms (log, ATM)
• Homemade encryption (log, ATM)
• strcpy (log, ATM, MD)
Vulnerability classes
Misunderstanding
Conceptual Error
• Made a “Conceptual Error”
• Fixed value (log, ATM, MD)
• Lacking sufficient randomness (log, ATM)
• Disabling protections in library (log)
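One added example, not code from the talk or from any contest submission, covering three points the deck makes about the secure log problem: the logappend/logread commands shown earlier, the “No MAC” class (an encrypted log without integrity protection can be edited by someone who cannot read it), and the “Fixed value” conceptual error (a fixed IV turns a counter-mode cipher into a two-time pad, the same flaw as the hardcoded-key, fixed-IV quote at the start of the deck). To stay dependency-free it builds counter mode over HMAC-SHA256 as the PRF; that stands in for AES-CTR and the failure modes are identical, but real code should use a vetted AEAD such as AES-GCM from a maintained library rather than anything assembled here. The JSON event format, the key derivation from the -K token and the constructed events are assumptions of the example.

```python
# Added example: a miniature of the secure-log problem with encrypt-then-MAC,
# plus two failure modes from the talk's vulnerability classes. Not code from
# the talk or any BIBIFI submission; the cipher construction, key derivation
# and JSON event format are this example's own.
import hashlib
import hmac
import json
import os
import struct

IV_LEN, TAG_LEN = 16, 32
TOKEN = b"XDFLKJSLJDLJFLKJLSDF"   # constructed: the -K token from the slide
EVENT_BOB = {"time": "0800", "user": "Bob", "action": "enter", "room": "Gallery"}
EVENT_ALICE = {"time": "0801", "user": "Alice", "action": "enter", "room": "Office"}


def derive_keys(token):
    """Independent encryption and MAC keys from the -K token (never reuse one key for both)."""
    return (hashlib.sha256(b"log-enc|" + token).digest(),
            hashlib.sha256(b"log-mac|" + token).digest())


def _keystream(key, iv, n):
    # Counter mode over HMAC-SHA256 as the PRF. Stands in for AES-CTR so the
    # example runs on the standard library alone; use a vetted AEAD in real code.
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + struct.pack(">Q", ctr), hashlib.sha256).digest()
    return bytes(out[:n])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(token, plaintext, iv=None, with_mac=True):
    enc_key, mac_key = derive_keys(token)
    iv = os.urandom(IV_LEN) if iv is None else iv          # fresh IV per write
    ct = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest() if with_mac else b""
    return iv + ct + tag


def unseal(token, blob, with_mac=True):
    enc_key, mac_key = derive_keys(token)
    iv, rest = blob[:IV_LEN], blob[IV_LEN:]
    if with_mac:
        ct, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
        expect = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):          # constant-time check
            raise ValueError("integrity check failed")
    else:
        ct = rest
    return _xor(ct, _keystream(enc_key, iv, len(ct)))


def log_append(token, blob, event, with_mac=True):
    """logappend: verify-and-decrypt the existing log, add an event, re-seal."""
    events = [] if blob is None else json.loads(unseal(token, blob, with_mac))
    events.append(event)
    return seal(token, json.dumps(events).encode(), with_mac=with_mac)


def log_read(token, blob, with_mac=True):
    """logread: returns the event list, or raises if the log fails verification."""
    return json.loads(unseal(token, blob, with_mac))


def _flip(blob, offset, delta):
    b = bytearray(blob)
    b[offset] ^= delta
    return bytes(b)


def demo_no_mac(token):
    """'No MAC' class: without a tag, an attacker who cannot read the log can still
    rewrite it, because flipping a ciphertext byte flips the same plaintext byte."""
    delta = ord("B") ^ ord("R")                             # turn "Bob" into "Rob"
    offset = IV_LEN + json.dumps([EVENT_BOB]).encode().index(b"Bob")
    unprotected = _flip(log_append(token, None, EVENT_BOB, with_mac=False), offset, delta)
    forged_user = log_read(token, unprotected, with_mac=False)[0]["user"]
    protected = _flip(log_append(token, None, EVENT_BOB), offset, delta)
    try:
        log_read(token, protected)
        detected = False
    except ValueError:
        detected = True
    return forged_user, detected


def demo_fixed_iv(token):
    """'Fixed value' class: a constant IV reuses the keystream, so XOR of two
    ciphertexts equals XOR of the plaintexts and a known entry exposes another."""
    p1, p2 = json.dumps([EVENT_BOB]).encode(), json.dumps([EVENT_ALICE]).encode()
    n = min(len(p1), len(p2))

    def leaks(iv1, iv2):
        c1 = seal(token, p1, iv=iv1)[IV_LEN:IV_LEN + n]
        c2 = seal(token, p2, iv=iv2)[IV_LEN:IV_LEN + n]
        return _xor(_xor(c1, c2), p1[:n]) == p2[:n]         # attacker knows p1 only

    fixed = bytes(IV_LEN)
    return leaks(fixed, fixed), leaks(os.urandom(IV_LEN), os.urandom(IV_LEN))
```

demo_no_mac returns ("Rob", True): the unprotected log silently accepts the edited user name, while the tagged log rejects the same edit. demo_fixed_iv returns (True, False): with a fixed IV the attacker recovers Alice's entry from Bob's, with fresh IVs the same trick yields nothing.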
Vulnerability classes
Mistake
• Made a “Mistake”
• Control flow mistake (ATM, MD)
• Skipped algorithmic step (ATM, MD)
PREVALENCE
[Figure: percentage of projects that introduced a Mistake, Misunderstanding, and No Implementation vulnerability, grouped by problem (Secure log, Secure communication, Multiuser database, Totals); x-axis 0 to 80% of projects.]
PREVALENCE
[Figure: percentage of projects that introduced each subclass: No Impl. (Intuitive, Unintuitive) and Misund. (Bad choice, Concept error); x-axis 0 to 55% of projects.]
TRENDS WITHIN MISTAKES
Complexity breeds mistakes.
Most common in the multi-user database problem (most complex) and least common in the log problem (least complex)
Writing security checks once reduced mistakes
Almost all mistakes were found in the Break-It phase
RECOMMENDATIONS
Simplify API design
Build in security primitives and focus on common use-cases
Indicate security impact of non-default use in API documentation
Explain the negative effects of turning off certain things
Vulnerability analysis tools
More emphasis on design-level conceptual issues
SUMMARY
Developers struggle with security concepts
Mostly knew they needed security and picked the right tools
Didn’t know all the security requirements (Unintuitive) or all the implementation details (Conceptual Error)
Mistakes happen, but can be reduced through code review and best practices
Improve API design, documentation, and automation to handle conceptual nuances
sec-professionals.cs.umd.edu