Conference paper
Authors list: Gorski, Peter Leo; Lo Iacono, Luigi; Wiefling, Stephan; Möller, Sebastian
Appeared in: Proceedings of the Twelfth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2018)
Editor list: Clarke, N; Furnel, S
Publication year: 2018
Pages: 170-190
ISBN: 978-0-244-40254-9
Conference: 12th International Symposium on Human Aspects of Information Security & Assurance (HAISA 2018)
Abstract:
Software development is a complex task. Focussing on functional requirements alone is no longer sufficient: developers are responsible for taking many non-functional requirements carefully into account. Security is among the most challenging of these, because getting it wrong potentially puts a large user base at risk. A similar situation exists for administrators; there, security defaults have been put in place to compensate for missing security controls. As first attempts to establish security by default in software development are flourishing, the question of their usability for developers arises.
In this paper we study the effectiveness and efficiency of Content Security Policy (CSP) enforced as a security default in a web framework. When deployed correctly, CSP is a valid protective measure in a defence-in-depth strategy against code injection attacks. We present a first qualitative laboratory study with 30 participants to discover how developers deal with CSP when it is deployed as a security default. Our results emphasize that deployment as a security default has its benefits but requires careful consideration of a comprehensive information flow in order to improve, and not weaken, security. We provide first insights to inform research on aiding developers in the creation of secure web applications with usable security by default.
Citation Styles
Harvard Citation style: Gorski, P., Lo Iacono, L., Wiefling, S. and Möller, S. (2018) Warn if Secure or How to Deal with Security by Default in Software Development?, in Clarke, N. and Furnel, S. (eds.) Proceedings of the Twelfth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2018). Plymouth: University of Plymouth. pp. 170-190
APA Citation style: Gorski, P., Lo Iacono, L., Wiefling, S., & Möller, S. (2018). Warn if Secure or How to Deal with Security by Default in Software Development? In Clarke, N., & Furnel, S. (Eds.), Proceedings of the Twelfth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2018) (pp. 170-190). University of Plymouth.