In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).
Twelfth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2018)
Title: Warn if Secure or How to Deal with Security by Default in Software Development?
Author(s): Peter Leo Gorski, Luigi Lo Iacono, Stephan Wiefling, Sebastian Möller
Keywords: Web Application Development, Web Frameworks, Content Security Policies, Warnings, Security by default, Usable Security
Abstract: Software development is a complex task. Merely focussing on functional requirements is not sufficient any more. Developers are responsible to take many non-functional requirements carefully into account. Security is amongst the most challenging, as getting it wrong will result in a large user-base being potentially at risk. A similar situation exists for administrators. Security defaults have been put into place here to encounter lacking security controls. As first attempts to establish security by default in software development are flourishing, the question on their usability for developers arises.
In this paper we study the effectiveness and efficiency of Content Security Policy (CSP) enforced as security default in a web framework. When deployed correctly, CSP is a valid protection mean in a defence-in-depth strategy against code injection attacks. In this paper we present a first qualitative laboratory study with 30 participants to discover how developers deal with CSP when deployed as security default. Our results emphasize that the deployment as security default has its benefits but requires careful consideration of a comprehensive information flow in order to improve and not weaken security. We provide first insights to inform research about aiding developers in the creation of secure web applications with usable security by default.
Download count: 40
How to get this paper:
PDF copy of this paper is free to download. You may distribute this copy providing you cite this page as the source.