TY  - CHAP
U1  - Conference publication
A1  - Gorski, Peter Leo
A1  - Lo Iacono, Luigi
A1  - Wiefling, Stephan
A1  - Möller, Sebastian
T1  - Warn if Secure or How to Deal with Security by Default in Software Development?
T2  - Twelfth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2018), Dundee, Scotland, UK, August 29-31, 2018
N2  - Software development is a complex task. Merely focussing on functional requirements is no longer sufficient. Developers are responsible for taking many non-functional requirements carefully into account. Security is amongst the most challenging, as getting it wrong potentially puts a large user base at risk. A similar situation exists for administrators. Security defaults have been put into place here to compensate for lacking security controls. As first attempts to establish security by default in software development are flourishing, the question of their usability for developers arises. In this paper we study the effectiveness and efficiency of Content Security Policy (CSP) enforced as a security default in a web framework. When deployed correctly, CSP is a valid protection means in a defence-in-depth strategy against code injection attacks. In this paper we present a first qualitative laboratory study with 30 participants to discover how developers deal with CSP when it is deployed as a security default. Our results emphasize that deployment as a security default has its benefits but requires careful consideration of a comprehensive information flow in order to improve and not weaken security. We provide first insights to inform research about aiding developers in the creation of secure web applications with usable security by default.
Y1  - 2018
UR  - https://www.cscan.org/?page=openaccess&eid=20&id=388
SN  - 978-0-244-40254-9
SB  - 978-0-244-40254-9
SP  - 170
EP  - 190
S1  - 21
PB  - CSCAN
CY  - Plymouth
ER  -