Blindspots in Python and Java APIs Result in Vulnerable Code-Reference-Cited by-同舟云学术

Blindspots in Python and Java APIs Result in Vulnerable Code

Published:2023-04-26 Issue:3 Volume:32 Page:1-31
ISSN:1049-331X
Container-title:ACM Transactions on Software Engineering and Methodology
language:en
Short-container-title:ACM Trans. Softw. Eng. Methodol.

Author:

Brun Yuriy¹^ORCID,Lin Tian²^ORCID,Somerville Jessie Elise²^ORCID,Myers Elisha M.³^ORCID,Ebner Natalie²^ORCID

Affiliation:

1. University of Massachusetts Amherst, Amherst, MA

2. University of Florida, Gainesville, FL

3. Florida Atlantic University, University of Florida, Gainesville, FL

Abstract

Blindspots in APIs can cause software engineers to introduce vulnerabilities, but such blindspots are, unfortunately, common. We study the effect APIs with blindspots have on developers in two languages by replicating a 109-developer, 24-Java-API controlled experiment. Our replication applies to Python and involves 129 new developers and 22 new APIs. We find that using APIs with blindspots statistically significantly reduces the developers’ ability to correctly reason about the APIs in both languages, but that the effect is more pronounced for Python. Interestingly, for Java, the effect increased with complexity of the code relying on the API, whereas for Python, the opposite was true. This suggests that Python developers are less likely to notice potential for vulnerabilities in complex code than in simple code, whereas Java developers are more likely to recognize the extra complexity and apply more care, but are more careless with simple code. Whether the developers considered API uses to be more difficult, less clear, and less familiar did not have an effect on their ability to correctly reason about them. Developers with better long-term memory recall were more likely to correctly reason about APIs with blindspots, but short-term memory, processing speed, episodic memory, and memory span had no effect. Surprisingly, professional experience and expertise did not improve the developers’ ability to reason about APIs with blindspots across both languages, with long-term professionals with many years of experience making mistakes as often as relative novices. Finally, personality traits did not significantly affect the Python developers’ ability to reason about APIs with blindspots, but less extroverted and more open developers were better at reasoning about Java APIs with blindspots. Overall, our findings suggest that blindspots in APIs are a serious problem across languages, and that experience and education alone do not overcome that problem, suggesting that tools are needed to help developers recognize blindspots in APIs as they write code that uses those APIs.

Funder

National Science Foundation

Publisher

Association for Computing Machinery (ACM)

Subject

Software

Link

https://dl.acm.org/doi/pdf/10.1145/3571850

Reference111 articles.

1. Comparing the Usability of Cryptographic APIs

2. You Get Where You're Looking for: The Impact of Information Sources on Code Security

3. How Internet Resources Might Be Helping You Develop Faster but Less Securely

4. You are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users

5. Alekh Agarwal, Alina Beygelzimer, Miroslav Dudík, John Langford, and Hanna Wallach. 2018. A reductions approach to fair classification. In International Conference on Machine Learning (ICML’18), Vol. PMLR 80. 60–69.