TU Berlin

Quality and Usability Lab

Warn if Secure or How to Deal with Security by Default in Software Development?

Location: TEL, Room Auditorium 3 (20th floor), Ernst-Reuter-Platz 7, 10587 Berlin

Date/Time: 08.07.2019, 14:15-15:00

Speaker: Peter Gorski (TH Köln)


Software development is a complex task. Merely focussing on functional requirements is no longer sufficient. Developers are responsible for carefully taking many non-functional requirements into account. Security is amongst the most challenging, as getting it wrong will result in a large user base being potentially at risk. A similar situation exists for administrators. Security defaults have been put into place here to counter lacking security controls. As first attempts to establish security by default in software development are flourishing, the question of their usability for developers arises.
In this paper we study the effectiveness and efficiency of Content Security Policy (CSP) enforced as a security default in a web framework. When deployed correctly, CSP is a valid means of protection in a defence-in-depth strategy against code injection attacks. In this paper we present a first qualitative laboratory study with 30 participants to discover how developers deal with CSP when deployed as a security default. Our results emphasize that the deployment as a security default has its benefits but requires careful consideration of a comprehensive information flow in order to improve and not weaken security. We provide first insights to inform research about aiding developers in the creation of secure web applications with usable security by default.


