
apidays LIVE Australia - Evaluating the usability of security APIs by Dr Nalin Asanka Gamagedara Arachchilage
apidays LIVE Australia - Building Business Ecosystems
Evaluating the usability of security APIs
Dr Nalin Asanka Gamagedara Arachchilage, Senior Research Fellow in Cyber Security (DevOpsSec) at La Trobe University

  1. Evaluating the usability of security APIs
     Nalin Asanka Gamagedara Arachchilage, PhD
  2. Secure coding or programming issues
  3. What we investigated
     • Context: Programmers make mistakes when implementing security APIs.
       – This introduces security vulnerabilities into the applications they develop.
     • There is no methodology to evaluate the usability of security APIs.
     • We developed a Cognitive Dimensions Framework (CDF) based usability evaluation methodology to empirically evaluate the usability of security APIs.
     • We evaluated our CDF on 4 security APIs:
       – Google authentication API
       – Bouncy Castle lightweight crypto API
       – Java Secure Socket Extension (JSSE) API
       – OWASP Enterprise Security API (ESAPI)
     • Results:
       – Identified over 83% of the usability issues: considerably good validity and reliability.
     • Recommendation:
       – Our CDF provides a good platform for conducting usability evaluations of security APIs.
       – API developers can use our CDF to design security APIs that are more usable.
  4. Implementing security into software
     ACM Reference Format: Chamila Wijayarathna and Nalin A. G. Arachchilage. 2018. Why Johnny Can't Store Passwords Securely?: A Usability Evaluation of Bouncycastle Password Hashing. In EASE'18: 22nd International Conference on Evaluation and Assessment in Software Engineering 2018, June 28–29, 2018, Christchurch, New Zealand. ACM, New York, NY, USA, 6 pages. https://doi.org/10.1145/3210459.3210483
  5. What we did
     • In this work, we evaluated the usability of the SCrypt password hashing functionality of the Bouncycastle API.
     • Programmers make mistakes (i.e. usability issues) while developing applications, and these result in security vulnerabilities.
     • We conducted a study with 10 programmers; each spent around 2 hours on the study and attempted to develop a secure password storage solution using the Bouncycastle API.
     • We identified 63 usability issues that exist in the SCrypt implementation of the Bouncycastle API.
     • Each participant reported an average of approximately 15 usability issues.
     • Furthermore, we expect that this work will provide guidance on how to conduct usability evaluations of security APIs to identify the usability issues that exist in them.
  6. The issues we identified
     • Selecting method parameters for the SCrypt generate method invocation.
       – If the programmer uses weak values for these parameters, the password storage will be weak and vulnerable to attacks.
     • Using a salt with the SCrypt.generate() method.
       – A salt provides protection against dictionary attacks and pre-computed rainbow-table attacks.
     • Using a byte array vs a String to store passwords.
       – With a String, the password stays in memory longer and cannot be deleted until the garbage collector clears it.
     • Issues observed about the documentation of the Bouncycastle API.
     • Other observed issues:
       (a) Suggestions shown in the Integrated Development Environment for method parameters
       (b) Method parameter names used in the Bouncycastle SCrypt source code
       (c) Java API documentation of the SCrypt.generate() method
  7. Issues identified in all 4 APIs
     (slide content is an image that was not captured in this extraction)
  8. We developed: Cognitive Dimensions Framework for security APIs
  9. Cognitive Dimensions Framework for security APIs
     • Abstraction level: The minimum and maximum levels of abstraction exposed by the API, and the minimum and maximum levels usable by a targeted developer.
     • Learning style: The knowledge about the API and its security background that a programmer needs to have before starting to use the API, and how a programmer would gain that knowledge.
     • Working framework: The size of the conceptual chunk (developer working set) needed to work effectively.
  10. Cognitive Dimensions Framework for security APIs
     • Work-step unit: How much of a programming task must/can be completed in a single step.
     • Progressive evaluation: To what extent partially completed code can be executed to obtain feedback on code behaviour.
     • Premature commitment: The number of decisions that developers have to make when writing code for a given scenario, and the consequences of those decisions.
     • Penetrability: How the API facilitates exploration, analysis and understanding of its components and its security-related information, and the way a targeted developer should go about retrieving what is needed.
  11. Cognitive Dimensions Framework for security APIs
     • API elaboration: The extent to which the API must be adapted to meet the needs of a targeted developer.
     • API viscosity: The barriers to change inherent in the API, and how much effort a targeted developer needs to expend to make a change.
     • Consistency: How much of the rest of an API can be inferred once part of it is learned.
     • Role expressiveness: How apparent the relationship is between each component exposed by an API and the program as a whole.
  12. Cognitive Dimensions Framework for security APIs
     • Domain correspondence: How clearly the API components map to the domain, and any special tricks that the developer needs to be aware of to accomplish some functionality.
     • Hard to misuse: How hard it is to make mistakes while using the API, and how much help the API provides to identify the mistakes that programmers make.
     • End-user protection: How much the security of the end user of an application developed using the API depends on the programmer who developed the application.
     • Testability: The amount of support that the API provides for the programmer to test the security of an application that was developed using the API.
  13. (slide content is an image that was not captured in this extraction)
  14. Evaluating the usability of security APIs
     Nalin Asanka Gamagedara Arachchilage, PhD
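The three concrete issues on slide 6 (weak cost parameters, a missing or fixed salt, and passwords held in String objects) all come down to how a caller interacts with Bouncy Castle's `SCrypt.generate(P, S, N, r, p, dkLen)`, whose one-letter parameter names are themselves one of the usability findings. The following Java class is an added example written for this page, not code from the slides, the paper or the Bouncy Castle project. It wraps the real `org.bouncycastle.crypto.generators.SCrypt.generate` call behind descriptively named constants, checks the parameter constraints before calling, always draws a fresh random salt, keeps the password in a `byte[]` that is zeroed after use, and compares hashes in constant time with Bouncy Castle's `org.bouncycastle.util.Arrays.constantTimeAreEqual`. The class name `PasswordHasher`, the method names and the cost values are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

import org.bouncycastle.crypto.generators.SCrypt;

/*
 * Added example (not from the slides or from Bouncy Castle). Wraps
 * SCrypt.generate(P, S, N, r, p, dkLen) so the caller does not have to guess
 * what the one-letter parameters mean, validates them up front, always uses
 * a random per-password salt, and wipes password buffers after use.
 * Class and method names are hypothetical.
 */
public final class PasswordHasher {

    // Constructed cost parameters for illustration; tune per deployment.
    private static final int CPU_MEMORY_COST_N = 1 << 15; // power of 2, greater than 1
    private static final int BLOCK_SIZE_R = 8;
    private static final int PARALLELIZATION_P = 1;
    private static final int SALT_LENGTH = 16;
    private static final int DERIVED_KEY_LENGTH = 32;

    private static final SecureRandom RNG = new SecureRandom();

    /** Salt and derived key; both must be stored for later verification. */
    public static final class StoredHash {
        public final byte[] salt;
        public final byte[] key;

        StoredHash(byte[] salt, byte[] key) {
            this.salt = salt;
            this.key = key;
        }
    }

    /** Hash a new password with a fresh random salt. The caller's buffer is wiped. */
    public static StoredHash hash(byte[] password) {
        checkParameters(CPU_MEMORY_COST_N, BLOCK_SIZE_R, PARALLELIZATION_P);
        byte[] salt = new byte[SALT_LENGTH];
        RNG.nextBytes(salt); // never a fixed or empty salt
        try {
            byte[] key = SCrypt.generate(password, salt,
                    CPU_MEMORY_COST_N, BLOCK_SIZE_R, PARALLELIZATION_P, DERIVED_KEY_LENGTH);
            return new StoredHash(salt, key);
        } finally {
            // A byte[] can be zeroed; an immutable String would linger until GC.
            Arrays.fill(password, (byte) 0);
        }
    }

    /** Re-derive with the stored salt and compare in constant time. The caller's buffer is wiped. */
    public static boolean verify(byte[] password, StoredHash stored) {
        try {
            byte[] candidate = SCrypt.generate(password, stored.salt,
                    CPU_MEMORY_COST_N, BLOCK_SIZE_R, PARALLELIZATION_P, DERIVED_KEY_LENGTH);
            boolean matches = org.bouncycastle.util.Arrays.constantTimeAreEqual(candidate, stored.key);
            Arrays.fill(candidate, (byte) 0);
            return matches;
        } finally {
            Arrays.fill(password, (byte) 0);
        }
    }

    /** Mirrors the constraints scrypt places on N, r and p so misuse fails early. */
    private static void checkParameters(int n, int r, int p) {
        if (n < 2 || (n & (n - 1)) != 0) {
            throw new IllegalArgumentException("N must be a power of 2 greater than 1");
        }
        if (r < 1 || p < 1 || (long) r * p >= (1L << 30)) {
            throw new IllegalArgumentException("r and p must be positive and r*p < 2^30");
        }
    }

    public static void main(String[] args) {
        // Constructed sample input; a real application would read this from a password field.
        byte[] pw = "correct horse battery staple".getBytes(StandardCharsets.UTF_8);
        StoredHash stored = hash(pw); // pw is zeroed on return

        byte[] again = "correct horse battery staple".getBytes(StandardCharsets.UTF_8);
        byte[] wrong = "incorrect horse".getBytes(StandardCharsets.UTF_8);
        System.out.println("correct password verifies: " + verify(again, stored));
        System.out.println("wrong password verifies:   " + verify(wrong, stored));
    }
}
```

Compile against the `bcprov` jar. The point of the wrapper is the usability finding itself: a developer calling `SCrypt.generate` directly sees only `P, S, N, r, p, dkLen` in the IDE suggestion list, and nothing stops them from passing an empty salt or `N = 2`; naming the parameters, validating them once and hiding the salt generation removes those decisions from every call site.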