Dec. 21, 2017 —
Want to write more secure code? Skip the online forum and take the time to use the official programming documentation or a book. That's the message of the paper that won the NSA's 5th Annual Best Scientific Cybersecurity Paper Competition, titled "You Get What You're Looking For: The Impact of Information Sources on Code Security".
One expert reviewer hailed the paper as "one of the greatest pieces of research in our field in recent years. It shows what dramatic improvements can be made when researchers take the effort to trace the root of the problem and come up with a solution that makes it easy for the people involved to choose the secure option within the other demands they face."
The paper was written by researchers at the Center for IT-Security, Privacy and Accountability at Saarland University in Germany and at the University of Maryland, College Park. The authors, Ms. Yasemin Acar, Prof. Dr. Michael Backes, Dr. Sascha Fahl, Mr. Doowon Kim, Prof. Michelle L. Mazurek, and Mr. Christian Stransky, initially published it in the 37th IEEE Symposium on Security and Privacy. The authors studied how a programmer's choice of reference materials influenced his or her ability to write functional and secure programs. They found that programmers who relied on online forums completed tasks faster, but their programs were less secure. Programmers who used official documentation developed more secure code, but took the longest to complete the programming tasks and indicated that the official documentation was not user-friendly. Books were a good balance between completion time and security; however, in the study, only one programmer voluntarily used a book.
The winning team of researchers presented its work at a late October 2017 awards ceremony hosted by NSA's Research Directorate. In her remarks, Dr. Deborah Frincke, NSA's Director of Research, said, "Papers like this one are particularly valuable, because they identify potential blind spots in current practice, as well as illustrating what good science looks like."
The Annual Best Scientific Cybersecurity Paper Competition is hosted by the Science of Security Initiative of NSA's Research Directorate to support and encourage strong scientific achievements in cybersecurity research, with the goal of developing a more secure and trustworthy internet. The competition recognizes the best paper published in the previous year, judging papers on scientific merit, significance, and quality of scientific reporting.
The 6th Annual paper competition is now accepting public nominations for papers published in 2017. For more details and requirements, and to nominate papers, please visit the paper competition home page.