"Do this! Do that!, And nothing will happen" Do specifications lead to securely stored passwords?

by   Joseph Hallett, et al.

Does the act of writing a specification (how the code should behave) for a piece of security sensitive code lead to developers producing more secure code? We asked 138 developers to write a snippet of code to store a password: Half of them were asked to write down a specification of how the code should behave before writing the program, the other half were asked to write the code but without being prompted to write a specification first. We find that explicitly prompting developers to write a specification has a small positive effect on the security of password storage approaches implemented. However, developers often fail to store passwords securely, despite claiming to be confident and knowledgeable in their approaches, and despite considering an appropriate range of threats. We find a need for developer-centered usable mechanisms for telling developers how to store passwords: lists of what they must do are not working.


page 7

page 8


Improving students' code correctness and test completeness by informal specifications

The quality of software produced by students is often poor. How to teach...

RulePad: Interactive Authoring of Checkable Design Rules

Good documentation offers the promise of enabling developers to easily u...

Automatically Generating Dockerfiles via Deep Learning: Challenges and Promises

Containerization allows developers to define the execution environment i...

How to write a coequation

There is a large amount of literature on the topic of covarieties, coequ...

Now It Compiles! Certified Automatic Repair of Uncompilable Protocols

Choreographic programming is a paradigm where developers write the globa...

Extending Classic Paxos for High-performance Read-Modify-Write Registers

In this work we provide a detailed specification of how we extended and ...

"To Clean-Code or Not To Clean-Code" A Survey among Practitioners

Context: Writing Clean Code understandable by other collaborators has be...

Please sign up or login with your details

Forgot password? Click here to reset