
Warn if Secure or How to Deal with Security by Default in Software Development?

  • Software development is a complex task. Merely focusing on functional requirements is no longer sufficient. Developers are responsible for taking many non-functional requirements carefully into account. Security is amongst the most challenging, as getting it wrong puts a potentially large user base at risk. A similar situation exists for administrators, where security defaults have been put into place to compensate for missing security controls. As first attempts to establish security by default in software development are flourishing, the question of their usability for developers arises. In this paper we study the effectiveness and efficiency of Content Security Policy (CSP) enforced as a security default in a web framework. When deployed correctly, CSP is a valid protection means in a defence-in-depth strategy against code injection attacks. In this paper we present a first qualitative laboratory study with 30 participants to discover how developers deal with CSP when it is deployed as a security default. Our results emphasize that deployment as a security default has its benefits but requires careful consideration of a comprehensive information flow in order to improve, and not weaken, security. We provide first insights to inform research on aiding developers in the creation of secure web applications with usable security by default.

Document Type: Conference Object
Author: Peter Leo Gorski, Luigi Lo Iacono, Stephan Wiefling, Sebastian Möller
Parent Title (English): Twelfth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2018), Dundee, Scotland, UK, August 29-31, 2018
Number of pages: 21
First Page: 170
Last Page: 190
Place of publication: Plymouth
Publication year: 2018
Departments, institutes and facilities: Institut für Cyber Security & Privacy (ICSP)
Dewey Decimal Classification (DDC): 0 Computer science, information science, general works / 00 Computer science, knowledge, systems / 004 Data processing; computer science
Entry in this database: 2020/06/29