Not logged in.
Quick Search - Contribution
Contribution Details
| Type | Conference or Workshop Paper |
| Scope | Discipline-based scholarship |
| Published in Proceedings | Yes |
| Title | Why Don’t Developers Detect Improper Input Validation? |
| Other Titles | DROP TABLE Papers |
| Organization Unit | |
| Authors |
|
| Presentation Type | paper |
| Item Subtype | Original Work |
| Refereed | Yes |
| Status | Published in final form |
| Language |
|
| ISBN | 978-1-6654-0296-5 |
| Page Range | 499 - 511 |
| Event Title | 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE) |
| Event Type | conference |
| Event Location | Madrid, ES |
| Event Start Date | May 22 - 2021 |
| Event End Date | May 30 - 2021 |
| Place of Publication | Washington, DC, United States |
| Publisher | IEEE |
| Abstract Text | Improper Input Validation (IIV) is a software vulnerability that occurs when a system does not safely handle input data. Even though IIV is easy to detect and fix, it still commonly happens in practice. In this paper, we study to what extent developers can detect IIV and investigate underlying reasons. This knowledge is essential to better understand how to support developers in creating secure software systems. We conduct an online experiment with 146 participants, of which 105 report at least three years of professional software development experience. Our results show that the existence of a visible attack scenario facilitates the detection of IIV vulnerabilities and that a significant portion of developers who did not find the vulnerability initially could identify it when warned about its existence. Yet, a total of 60 participants could not detect the vulnerability even after the warning. Other factors, such as the frequency with which the participants perform code reviews, influence the detection of IIV. Preprint: https://arxiv.org/abs/2102.06251. Data and materials: https://doi.org/10.5281/zenodo.3996696. |
| Free access at | DOI |
| Related URLs | |
| Digital Object Identifier | 10.1109/ICSE43902.2021.00054 |
| Other Identification Number | merlin-id:21599 |
| PDF File |
Download from ZORA
|
| Export |
BibTeX
EP3 XML (ZORA)
|
| Funders | SNF Projects No. PP00P2_170529 and PZ00P2_186090 |