POSTER: A Qualitative Study on Developers’ Security Library Decisions
Lea Theresa Groeber, Johanna Schrader, Tamara Lopez, Sascha Fahl, and Yasemin Acar. In 39th IEEE Symposium on Security and Privacy 2018
The recommendation to not reinvent the wheel and choose a library is common in programming, especially in the security field. Libraries are widely used to make the programmer’s life easier. They provide solutions to common programming obstacles and thus can provide functionality and security features if applied correctly. Choosing a less-than- optimal library, however, may lead to problems ranging from poor usability to insecure code. In this paper, we investigate why developers choose a certain library with impact on security for their projects, which criteria are important to them, and which procedures they adhere to. If we can understand how they make their decisions, which resources they trust, which criteria they look for and what matters to them, we can better support informed and secure choices. As a first step, we conducted 20 in-depth interviews with professional software developers on how they choose libraries relevant to security. These interviews lead to several key findings: (1) Developers apply a “solution-oriented” search strategy where they quickly pick an early search result and engage with it, solidifying their choice as they learn the library (2) they care about a library being open source, usable, up-to-date and used by a large community (3) their choice is rarely limited by time- pressure, but often by their role not including security (4) they base their trust in libraries in the open source community and the assumption that an established, open source library will be secure. These and other findings unveil that software developers choose third party libraries with substantial trust in external developers, outsourcing product, company and users’ security and privacy.
IEEE Security and Privacy 2018