Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It. Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle L. Mazurek, and Michael Hicks, August 2019.

Secure software development is a challenging task requiring programmers to consider many possible threats and mitigations. This paper investigates how and why programmers, despite having a baseline of security experience, make security-relevant errors. To do this, we conducted an in-depth analysis of 94 submissions to a secure programming contest designed to mimic real-world constraints: correctness, performance, and security. In addition to writing secure code, participants were asked to search for vulnerabilities in other teams' programs; in total, teams submitted 866 exploits against the submissions we considered. Over an intensive six-month period, we used iterative open coding to manually, but systematically, characterize each submitted project and vulnerability against it (including vulnerabilities we identified ourselves). We labeled vulnerabilities by type, severity, and ease of exploitation, and projects according to security implementation strategy. Several patterns emerged. For example, we found that simple mistakes were least common: only 21% of projects introduced such an error. Conversely, vulnerabilities arising from a misunderstanding of security concepts were significantly more common: 78% of projects introduced at least one such error. Our results have implications for improving secure-programming APIs, API documentation, vulnerability-finding tools, and security education.

[ .pdf ]

@MISC{votipka19bibifiqual,
  AUTHOR = {Daniel Votipka and Kelsey Fulton and James Parker and Matthew Hou and Michelle L. Mazurek and Michael Hicks},
  TITLE = {Understanding security mistakes developers make: Qualitative analysis from {Build It, Break It, Fix It}},
  YEAR = {2019},
  MONTH = AUG,
  SUBMITTED = {yes}
}

This file has been generated by bibtex2html 1.69