SlideShare a Scribd company logo

apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr Nalin Asanka Gamagedara Arachchilage

apidays
apidays

apidays LIVE Australia 2020 - Building Business Ecosystems Evaluating the usability of security APIs Dr Nalin Asanka Gamagedara Arachchilage, Senior Research Fellow in Cyber Security (DevOpsSec) at La Trobe University

Technology
1 of 14
Download to read offline
Evaluating the usability of security APIs Nalin Asanka Gamagedara Arachchilage, PhD
Secure Coding or Programming issues
What we investigated… • Context: Programmers make mistakes when implementing security APIs. – Introduces security vulnerabilities into applications they develop. • There is no methodology to evaluate the usability of security APIs. • We developed a Cognitive Dimensions Framework (CDF) based usability evaluation methodology to empirically evaluate the usability of security APIs. • We evaluated our CDF through 4 security APIs: – Google authentication API – Bouncy Castle lightweight crypto API – Java Secure Socket Extension (JSSE) API – OWASP Enterprise Security API (ESAPI) • Results: – Identified over 83% of the usability issues – a considerably good validity and reliability. • Recommendation: – Our developed CDF provides a good platform to conduct usability evaluation for security APIs. – API developers can use our CDF to design security APIs that are more usable. 3
Implementing Security into Software ACM Reference Format: Chamila Wijayarathna and Nalin A. G. Arachchilage. 2018. Why Johnny Can’t Store Passwords Securely?: A Usability Evaluation of Bouncycastle Password Hashing. In EASE’18: 22nd International Conference on Evaluation and Assessment in Software Engineering 2018, June 28–29, 2018, Christchurch, New Zealand. ACM, New York, NY, USA, 6 pages. https://doi.org/10.1145/3210459.3210483
What we did? • In this work, we evaluated the usability of SCrypt password hashing functionality of Bouncycastle API. • Programmers to make mistakes (i.e. usability issues) while developing applications that would result in security vulnerabilities. • We conducted a study with 10 programmers where each of them spent around 2 hours for the study and attempted to develop a secure password storage solution using Bouncycastle API. • We identified 63 usability issues that exist in the SCrypt implementation of Bouncycastle API. • Each participant had reported an average of approximately 15 usability issues. • Furthermore, we expect that this work will provide a guidance on how to conduct usability evaluations for security APIs to identify usability issues exist in them.
The issues we identified • Selecting method parameters for SCrypt generate method invocation. • If the programmer uses weak values for these parameters, security of the password storage will be weak and it will be vulnerable to attacks. • Using salt with SCrypt.generate() method • Usage of salt provides protection against dictionary attacks and pre-computed rainbow attacks. • Usage of byte array vs String to store passwords • Strings, password will be stored in the memory for longer and cannot be deleted until garbage collector clears them. • Issues observed about the documentation of Bouncycastle API • Other observed issues (a) Suggestions shown in Integrated Development Environment for method parameters (b) Method parameter names used in Bouncycastle SCrypt source code (c) Java API documentation of SCrypt.generate() method
Issues identified in all 4 APIs 7
We developed: Cognitive Dimensions Framework for security APIs 8
Cognitive Dimensions Framework for security APIs • Abstraction level: The minimum and maximum levels of abstraction exposed by the API, and the minimum and maximum levels usable by a targeted developer. • Learning style: The knowledge about the API and its security background that a programmer needs to have before starting to use the API and how a programmer would gain the knowledge about the API and its security background. • Working framework: The size of the conceptual chunk (developer working set) needed to work effectively. 9
Cognitive Dimensions Framework for security APIs • Work-step unit: How much of a programming task must/can be completed in a single step. • Progressive evaluation: To what extent partially completed code can be executed to obtain feedback on code behavior. • Premature commitment: The amount of decisions that developers have to make when writing code for a given scenario and the consequences of those decisions. • Penetrability: How the API facilitates exploration, analysis and understanding of its components and its security related information, and the way a targeted developer should go about retrieving what is needed. 10
Cognitive Dimensions Framework for security APIs • API elaboration: The extent to which the API must be adapted to meet the needs of a targeted developer. • API viscosity: The barriers to change inherent in the API, and how much effort a targeted developer needs to expend to make a change. • Consistency: How much of the rest of an API can be inferred once part of it is learned. • Role expressiveness: How apparent the relationship is between each component exposed by an API and the program as a whole. 11
Cognitive Dimensions Framework for security APIs • A Domain correspondence: How clearly the API components map to the domain and any special tricks that the developer needs to be aware of to accomplish some functionality. • Hard-to Misuse: How hard it is to make mistakes while using the API and how much help does the API provide to identify mistakes that programmers make. • End-user protection: How much does the security of the end user of an application developed using the API depend on the programmer who developed the application. • Testability: The amount of support that the API provides for the programmer to test the security of an application that was developed using the API. 12
13
Evaluating the usability of security APIs Nalin Asanka Gamagedara Arachchilage, PhD

Recommended

apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...
apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...
apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...apidays
 
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...apidays
 
Executing on API Developer Experience
Executing on API Developer Experience Executing on API Developer Experience
Executing on API Developer Experience SmartBear
 
apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...
apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...
apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...apidays
 
apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty
apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty
apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty apidays
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security StrategySmartBear
 
apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...
apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...
apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...apidays
 
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays
 

Recommended

apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...
apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...
apidays LIVE Australia 2020 - Contract-first API development with Spot by Fra...apidays
 
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...
apidays LIVE Australia 2020 - Building a scalable API platform for an IoT eco...apidays
 
Executing on API Developer Experience
Executing on API Developer Experience Executing on API Developer Experience
Executing on API Developer Experience SmartBear
 
apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...
apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...
apidays LIVE LONDON - Discovering API Version differences with ease by Jaap B...apidays
 
apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty
apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty
apidays LIVE Australia 2020 - Data with a Mission by Matt McLarty apidays
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security StrategySmartBear
 
apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...
apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...
apidays LIVE Australia 2020 - The Evolution of APIs: Events and the AsyncAPI ...apidays
 
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays
 
Rest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookRest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookKaty Slemon
 
Api clarity webinar
Api clarity webinarApi clarity webinar
Api clarity webinarLibbySchulze
 
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...apidays
 
Contract {Collaboration} Driven Development - APIdays Interface 2020
Contract {Collaboration} Driven Development - APIdays Interface 2020Contract {Collaboration} Driven Development - APIdays Interface 2020
Contract {Collaboration} Driven Development - APIdays Interface 2020Alianna Inzana
 
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...apidays
 
INTERFACE, by apidays - Building contextualized API specifications by Boris ...
INTERFACE, by apidays - Building contextualized API specifications by Boris ...INTERFACE, by apidays - Building contextualized API specifications by Boris ...
INTERFACE, by apidays - Building contextualized API specifications by Boris ...apidays
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIsAPI Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIsDevOps Indonesia
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays
 
Mobile - Your API Security Blindspot by David Stewart, Approov
Mobile - Your API Security Blindspot by David Stewart, Approov Mobile - Your API Security Blindspot by David Stewart, Approov
Mobile - Your API Security Blindspot by David Stewart, Approovapidays
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays
 
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...apidays
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays
 
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...apidays
 
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...apidays
 
Open Event API
Open Event APIOpen Event API
Open Event APIAvi Aryan
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays
 
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...apidays
 
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgirapidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgirapidays
 
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...apidays
 
Pure APIs: Development workflows for successful API integrations
Pure APIs: Development workflows for successful API integrationsPure APIs: Development workflows for successful API integrations
Pure APIs: Development workflows for successful API integrationsJosé Haro Peralta
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs42Crunch
 
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Chamila Wijayarathna
 

More Related Content

What's hot

Rest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookRest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookKaty Slemon
 
Api clarity webinar
Api clarity webinarApi clarity webinar
Api clarity webinarLibbySchulze
 
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...apidays
 
Contract {Collaboration} Driven Development - APIdays Interface 2020
Contract {Collaboration} Driven Development - APIdays Interface 2020Contract {Collaboration} Driven Development - APIdays Interface 2020
Contract {Collaboration} Driven Development - APIdays Interface 2020Alianna Inzana
 
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...apidays
 
INTERFACE, by apidays - Building contextualized API specifications by Boris ...
INTERFACE, by apidays - Building contextualized API specifications by Boris ...INTERFACE, by apidays - Building contextualized API specifications by Boris ...
INTERFACE, by apidays - Building contextualized API specifications by Boris ...apidays
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIsAPI Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIsDevOps Indonesia
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays
 
Mobile - Your API Security Blindspot by David Stewart, Approov
Mobile - Your API Security Blindspot by David Stewart, Approov Mobile - Your API Security Blindspot by David Stewart, Approov
Mobile - Your API Security Blindspot by David Stewart, Approovapidays
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays
 
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...apidays
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays
 
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...apidays
 
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...apidays
 
Open Event API
Open Event APIOpen Event API
Open Event APIAvi Aryan
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays
 
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...apidays
 
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgirapidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgirapidays
 
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...apidays
 
Pure APIs: Development workflows for successful API integrations
Pure APIs: Development workflows for successful API integrationsPure APIs: Development workflows for successful API integrations
Pure APIs: Development workflows for successful API integrationsJosé Haro Peralta
 

What's hot (20)

Rest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbookRest api best practices – comprehensive handbook
Rest api best practices – comprehensive handbook
 
Api clarity webinar
Api clarity webinarApi clarity webinar
Api clarity webinar
 
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
apidays LIVE Hong Kong 2021 - Event-driven APIs & Schema governance for Apach...
 
Contract {Collaboration} Driven Development - APIdays Interface 2020
Contract {Collaboration} Driven Development - APIdays Interface 2020Contract {Collaboration} Driven Development - APIdays Interface 2020
Contract {Collaboration} Driven Development - APIdays Interface 2020
 
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
apidays LIVE Australia 2021 - From apps to APIs: how no-code is transforming ...
 
INTERFACE, by apidays - Building contextualized API specifications by Boris ...
INTERFACE, by apidays - Building contextualized API specifications by Boris ...INTERFACE, by apidays - Building contextualized API specifications by Boris ...
INTERFACE, by apidays - Building contextualized API specifications by Boris ...
 
API Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIsAPI Security Webinar : Security Guidelines for Providing and Consuming APIs
API Security Webinar : Security Guidelines for Providing and Consuming APIs
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
 
Mobile - Your API Security Blindspot by David Stewart, Approov
Mobile - Your API Security Blindspot by David Stewart, Approov Mobile - Your API Security Blindspot by David Stewart, Approov
Mobile - Your API Security Blindspot by David Stewart, Approov
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
 
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
apidays LIVE Australia 2020 - API Design in Fintech: Challenges and Opportuni...
 
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul...
 
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...
 
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
 
Open Event API
Open Event APIOpen Event API
Open Event API
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
 
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
apidays LIVE Singapore 2021 - What financial services can learn from Marketpl...
 
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgirapidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
apidays LIVE Paris - Succeeding with API Programs by Kiran Nadgir
 
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
INTERFACE, by apidays - Playing with FHIR: Hacking FHIR and mHealth APIs by ...
 
Pure APIs: Development workflows for successful API integrations
Pure APIs: Development workflows for successful API integrationsPure APIs: Development workflows for successful API integrations
Pure APIs: Development workflows for successful API integrations
 

Similar to apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr Nalin Asanka Gamagedara Arachchilage

Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs42Crunch
 
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Chamila Wijayarathna
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Kyle Lai
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsApigee | Google Cloud
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
Addressing Cloud Security with OPA
Addressing Cloud Security with OPAAddressing Cloud Security with OPA
Addressing Cloud Security with OPADiemShin
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security EditionAPIsecure_ Official
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!Shelly Megan
 
Pain Points In API Development? They’re Everywhere
Pain Points In API Development? They’re EverywherePain Points In API Development? They’re Everywhere
Pain Points In API Development? They’re EverywhereNordic APIs
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...apidays
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIsWSO2
 
Extend soa with api management spoug- Madrid
Extend soa with api management spoug- MadridExtend soa with api management spoug- Madrid
Extend soa with api management spoug- MadridVinay Kumar
 
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - SonatypeOpen DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - SonatypeEmerasoft, solutions to collaborate
 

Similar to apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr Nalin Asanka Gamagedara Arachchilage (20)

Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
 
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncyca...
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIs
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API Security
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
Addressing Cloud Security with OPA
Addressing Cloud Security with OPAAddressing Cloud Security with OPA
Addressing Cloud Security with OPA
 
2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition2022 APIsecure_The Real World, API Security Edition
2022 APIsecure_The Real World, API Security Edition
 
React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!React commonest security flaws and remedial measures!
React commonest security flaws and remedial measures!
 
Pain Points In API Development? They’re Everywhere
Pain Points In API Development? They’re EverywherePain Points In API Development? They’re Everywhere
Pain Points In API Development? They’re Everywhere
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
INTERFACE by apidays 2023 - Something Old, Something New, Colin Domoney, 42Cr...
 
Outpost24 webinar - Api security
Outpost24 webinar - Api securityOutpost24 webinar - Api security
Outpost24 webinar - Api security
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
apidays LIVE Paris 2021 - The Real World, API Security Edition by Michael Isb...
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs5 Pillars of Building Enterprise0grade APIs
5 Pillars of Building Enterprise0grade APIs
 
Extend soa with api management spoug- Madrid
Extend soa with api management spoug- MadridExtend soa with api management spoug- Madrid
Extend soa with api management spoug- Madrid
 
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - SonatypeOpen DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype
 

More from apidays

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...apidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...apidays
 
Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...
Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...
Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...apidays
 
Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...
Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...
Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...apidays
 
Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...
Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...
Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...apidays
 
Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...
Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...
Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...apidays
 
Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...
Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...
Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...apidays
 
Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...
Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...
Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...apidays
 
Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...
Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...
Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...apidays
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...apidays
 
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...apidays
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...
Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...
Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...apidays
 

More from apidays (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...
 
Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...
Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...
Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...
 
Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...
Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...
Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...
 
Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...
Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...
Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...
 
Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...
Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...
Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...
 
Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...
Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...
Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...
 
Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...
Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...
Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...
 
Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...
Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...
Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
 
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...
Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...
Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...
 

Recently uploaded

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

apidays LIVE Australia 2020 - Evaluating the usability of security APIs by Dr Nalin Asanka Gamagedara Arachchilage

  • 1. Evaluating the usability of security APIs Nalin Asanka Gamagedara Arachchilage, PhD
  • 2. Secure Coding or Programming issues
  • 3. What we investigated… • Context: Programmers make mistakes when implementing security APIs. – Introduces security vulnerabilities into applications they develop. • There is no methodology to evaluate the usability of security APIs. • We developed a Cognitive Dimensions Framework (CDF) based usability evaluation methodology to empirically evaluate the usability of security APIs. • We evaluated our CDF through 4 security APIs: – Google authentication API – Bouncy Castle lightweight crypto API – Java Secure Socket Extension (JSSE) API – OWASP Enterprise Security API (ESAPI) • Results: – Identified over 83% of the usability issues – a considerably good validity and reliability. • Recommendation: – Our developed CDF provides a good platform to conduct usability evaluation for security APIs. – API developers can use our CDF to design security APIs that are more usable. 3
  • 4. Implementing Security into Software ACM Reference Format: Chamila Wijayarathna and Nalin A. G. Arachchilage. 2018. Why Johnny Can’t Store Passwords Securely?: A Usability Evaluation of Bouncycastle Password Hashing. In EASE’18: 22nd International Conference on Evaluation and Assessment in Software Engineering 2018, June 28–29, 2018, Christchurch, New Zealand. ACM, New York, NY, USA, 6 pages. https://doi.org/10.1145/3210459.3210483
  • 5. What we did? • In this work, we evaluated the usability of SCrypt password hashing functionality of Bouncycastle API. • Programmers to make mistakes (i.e. usability issues) while developing applications that would result in security vulnerabilities. • We conducted a study with 10 programmers where each of them spent around 2 hours for the study and attempted to develop a secure password storage solution using Bouncycastle API. • We identified 63 usability issues that exist in the SCrypt implementation of Bouncycastle API. • Each participant had reported an average of approximately 15 usability issues. • Furthermore, we expect that this work will provide a guidance on how to conduct usability evaluations for security APIs to identify usability issues exist in them.
  • 6. The issues we identified • Selecting method parameters for SCrypt generate method invocation. • If the programmer uses weak values for these parameters, security of the password storage will be weak and it will be vulnerable to attacks. • Using salt with SCrypt.generate() method • Usage of salt provides protection against dictionary attacks and pre-computed rainbow attacks. • Usage of byte array vs String to store passwords • Strings, password will be stored in the memory for longer and cannot be deleted until garbage collector clears them. • Issues observed about the documentation of Bouncycastle API • Other observed issues (a) Suggestions shown in Integrated Development Environment for method parameters (b) Method parameter names used in Bouncycastle SCrypt source code (c) Java API documentation of SCrypt.generate() method
  • 7. Issues identified in all 4 APIs 7
  • 9. Cognitive Dimensions Framework for security APIs • Abstraction level: The minimum and maximum levels of abstraction exposed by the API, and the minimum and maximum levels usable by a targeted developer. • Learning style: The knowledge about the API and its security background that a programmer needs to have before starting to use the API and how a programmer would gain the knowledge about the API and its security background. • Working framework: The size of the conceptual chunk (developer working set) needed to work effectively. 9
  • 10. Cognitive Dimensions Framework for security APIs • Work-step unit: How much of a programming task must/can be completed in a single step. • Progressive evaluation: To what extent partially completed code can be executed to obtain feedback on code behavior. • Premature commitment: The amount of decisions that developers have to make when writing code for a given scenario and the consequences of those decisions. • Penetrability: How the API facilitates exploration, analysis and understanding of its components and its security related information, and the way a targeted developer should go about retrieving what is needed. 10
  • 11. Cognitive Dimensions Framework for security APIs • API elaboration: The extent to which the API must be adapted to meet the needs of a targeted developer. • API viscosity: The barriers to change inherent in the API, and how much effort a targeted developer needs to expend to make a change. • Consistency: How much of the rest of an API can be inferred once part of it is learned. • Role expressiveness: How apparent the relationship is between each component exposed by an API and the program as a whole. 11
  • 12. Cognitive Dimensions Framework for security APIs • A Domain correspondence: How clearly the API components map to the domain and any special tricks that the developer needs to be aware of to accomplish some functionality. • Hard-to Misuse: How hard it is to make mistakes while using the API and how much help does the API provide to identify mistakes that programmers make. • End-user protection: How much does the security of the end user of an application developed using the API depend on the programmer who developed the application. • Testability: The amount of support that the API provides for the programmer to test the security of an application that was developed using the API. 12
  • 13. 13
  • 14. Evaluating the usability of security APIs Nalin Asanka Gamagedara Arachchilage, PhD