Blindspots in Python and Java APIs Result in Vulnerable Code

Author:

Brun Yuriy1ORCID,Lin Tian2ORCID,Somerville Jessie Elise2ORCID,Myers Elisha M.3ORCID,Ebner Natalie2ORCID

Affiliation:

1. University of Massachusetts Amherst, Amherst, MA

2. University of Florida, Gainesville, FL

3. Florida Atlantic University, University of Florida, Gainesville, FL

Abstract

Blindspots in APIs can cause software engineers to introduce vulnerabilities, but such blindspots are, unfortunately, common. We study the effect APIs with blindspots have on developers in two languages by replicating a 109-developer, 24-Java-API controlled experiment. Our replication applies to Python and involves 129 new developers and 22 new APIs. We find that using APIs with blindspots statistically significantly reduces the developers’ ability to correctly reason about the APIs in both languages, but that the effect is more pronounced for Python. Interestingly, for Java, the effect increased with complexity of the code relying on the API, whereas for Python, the opposite was true. This suggests that Python developers are less likely to notice potential for vulnerabilities in complex code than in simple code, whereas Java developers are more likely to recognize the extra complexity and apply more care, but are more careless with simple code. Whether the developers considered API uses to be more difficult, less clear, and less familiar did not have an effect on their ability to correctly reason about them. Developers with better long-term memory recall were more likely to correctly reason about APIs with blindspots, but short-term memory, processing speed, episodic memory, and memory span had no effect. Surprisingly, professional experience and expertise did not improve the developers’ ability to reason about APIs with blindspots across both languages, with long-term professionals with many years of experience making mistakes as often as relative novices. Finally, personality traits did not significantly affect the Python developers’ ability to reason about APIs with blindspots, but less extroverted and more open developers were better at reasoning about Java APIs with blindspots. Overall, our findings suggest that blindspots in APIs are a serious problem across languages, and that experience and education alone do not overcome that problem, suggesting that tools are needed to help developers recognize blindspots in APIs as they write code that uses those APIs.

Funder

National Science Foundation

Publisher

Association for Computing Machinery (ACM)

Subject

Software

Reference111 articles.

1. Comparing the Usability of Cryptographic APIs

2. You Get Where You're Looking for: The Impact of Information Sources on Code Security

3. How Internet Resources Might Be Helping You Develop Faster but Less Securely

4. You are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users

5. Alekh Agarwal, Alina Beygelzimer, Miroslav Dudík, John Langford, and Hanna Wallach. 2018. A reductions approach to fair classification. In International Conference on Machine Learning (ICML’18), Vol. PMLR 80. 60–69.

Cited by 3 articles. 订阅此论文施引文献 订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献

1. Methods and Benchmark for Detecting Cryptographic API Misuses in Python;IEEE Transactions on Software Engineering;2024-05

2. Hard to Read and Understand Pythonic Idioms? DeIdiom and Explain Them in Non-Idiomatic Equivalent Code;Proceedings of the IEEE/ACM 46th International Conference on Software Engineering;2024-04-12

3. “C”ing the light – assessing code comprehension in novice programmers using C code patterns;Computer Science Education;2024-02-15

同舟云学术

1.学者识别学者识别

2.学术分析学术分析

3.人才评估人才评估

"同舟云学术"是以全球学者为主线,采集、加工和组织学术论文而形成的新型学术文献查询和分析系统,可以对全球学者进行文献检索和人才价值评估。用户可以通过关注某些学科领域的顶尖人物而持续追踪该领域的学科进展和研究前沿。经过近期的数据扩容,当前同舟云学术共收录了国内外主流学术期刊6万余种,收集的期刊论文及会议论文总量共计约1.5亿篇,并以每天添加12000余篇中外论文的速度递增。我们也可以为用户提供个性化、定制化的学者数据。欢迎来电咨询!咨询电话:010-8811{复制后删除}0370

www.globalauthorid.com

TOP

Copyright © 2019-2024 北京同舟云网络信息技术有限公司
京公网安备11010802033243号  京ICP备18003416号-3