The Impact of Developer Experience in Using Java Cryptography

M. Hazhirpasand, M. Ghafari, S. Krüger, E. Bodden, and O. Nierstrasz. The Impact of Developer Experience in Using Java Cryptography. In 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), p. 1-6, September 2019. Details.


Background: Previous research has shown that crypto APIs are hard for developers to understand and difficult for them to use. They consequently rely on unvalidated boilerplate code from online resources where security vulnerabilities are common.Aims and method: We analyzed 2,324 open-source Java projects that rely on Java Cryptography Architecture (JCA) to understand how crypto APIs are used in practice, and what factors account for the performance of developers in using these APIs.Results: We found that, in general, the experience of developers in using JCA does not correlate with their performance. In particular, none of the factors such as the number or frequency of committed lines of code, the number of JCA APIs developers use, or the number of projects they are involved in correlate with developer performance in this domain.Conclusions: We call for qualitative studies to shed light on the reasons underlying the success of developers who are expert in using cryptography. Also, detailed investigation at API level is necessary to further clarify a developer obstacles in this domain.

Posted by scg at 11 December 2019, 1:10 pm link
Last changed by admin on 21 April 2009