TeamUSEC

Listen to Developers! A Participatory Design Study on Security Warnings for Cryptographic APIs

Peter Leo Gorski, Yasemin Acar, Luigi Lo Iacono, and Sascha Fahl.
CHI '20: CHI Conference on Human Factors in Computing Systems, Honolulu, HI, USA, April 25-30, 2020
PDF Abstract Cite DOI

Abstract

The positive effect of security information communicated to developers through API warnings has been established. However, current prototypical designs are based on security warnings for end-users. To improve security feedback for developers, we conducted a participatory design study with 25 professional software developers in focus groups. We identify which security information is considered helpful in avoiding insecure cryptographic API use during development. Concerning console messages, participants suggested five core elements, namely message classification, title message, code location, link to detailed external resources, and color. Design guidelines for end-user warnings are only partially suitable in this context. Participants emphasized the importance of tailoring the detail and content of security information to the context. Console warnings call for concise communication; further information needs to be linked externally. Therefore, security feedback should transcend tools and should be adjustable by software developers across development tools, considering the work context and developer needs.

Reference

@inproceedings{DBLP:conf/chi/GorskiAIF20,
 author = {Peter Leo Gorski and
Yasemin Acar and
Luigi Lo Iacono and
Sascha Fahl},
 bibsource = {dblp computer science bibliography, https://dblp.org},
 biburl = {https://dblp.org/rec/conf/chi/GorskiAIF20.bib},
 booktitle = {CHI '20: CHI Conference on Human Factors in Computing Systems,
Honolulu, HI, USA, April 25-30, 2020},
 doi = {10.1145/3313831.3376142},
 editor = {Regina Bernhaupt and
Florian 'Floyd' Mueller and
David Verweij and
Josh Andres and
Joanna McGrenere and
Andy Cockburn and
Ignacio Avellino and
Alix Goguey and
Pernille Bjøn and
Shengdong Zhao and
Briane Paul Samson and
Rafal Kocielnik},
 pages = {1--13},
 publisher = {ACM},
 title = {Listen to Developers! A Participatory Design Study on Security Warnings
for Cryptographic APIs},
 url = {https://doi.org/10.1145/3313831.3376142},
 year = {2020}
}