ICSE 2021
Mon 17 May - Sat 5 June 2021
Why don’t Developers Detect Improper Input Validation?'; DROP TABLE Papers; --
Tue 25 May 2021 11:10 - 11:30 (mirrored at 23:10 - 23:30) at Blended Sessions Room 2 - 1.1.2. Developers: Behavior. Chair(s): Andrea Zisman

Improper Input Validation (IIV) is a software vulnerability that occurs when a system does not safely handle input data. Even though IIV is easy to detect and fix, it still commonly happens in practice. In this paper, we study to what extent developers can detect IIV and investigate underlying reasons. This knowledge is essential to better understand how to support developers in creating secure software systems. We conduct an online experiment with 146 participants, of which 105 report at least three years of professional software development experience. Our results show that the existence of a visible attack scenario facilitates the detection of IIV vulnerabilities and that a significant portion of developers who did not find the vulnerability initially could identify it when warned about its existence. Yet, a total of 60 participants could not detect the vulnerability even after the warning. Other factors, such as the frequency with which the participants perform code reviews, influence the detection of IIV.

Data and materials: https://doi.org/10.5281/zenodo.3996696
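The vulnerability class the abstract describes, in the shape the paper's own title hints at, as an added worked example (this is not code from the paper, its experiment or its artifact). It assumes Python's built-in sqlite3 module with an in-memory database; the table name Papers is taken from the title, the rows are constructed for this example, and the validate_title helper with its MAX_TITLE_LEN limit is a hypothetical defence-in-depth check, not something the paper prescribes. executescript() is used in the vulnerable function to model a driver or client that accepts stacked statements; sqlite3's plain execute() happens to reject a second statement, which is an accident of this one library, not a defence.

```python
"""Improper Input Validation as stacked-query SQL injection: vulnerable vs. hardened.

Added example (not from the paper). Assumes Python's sqlite3 and an in-memory
database; the table name "Papers" comes from the paper's title, the rows are
constructed here, and validate_title/MAX_TITLE_LEN are hypothetical helpers.
"""
import sqlite3

# Constructed sample rows: two titles from the session, neither presented yet.
PAPERS = [
    ("A Passion for Security: Intervening to Help Software Developers", 0),
    ("Why don\u2019t Developers Detect Improper Input Validation?", 0),
]

# The paper's own title is the payload: the straight quote closes the SQL string
# literal, ';' terminates the statement, and '--' comments out whatever follows.
PAYLOAD = ("Why don\u2019t Developers Detect Improper Input Validation?"
           "'; DROP TABLE Papers; --")

MAX_TITLE_LEN = 250  # hypothetical limit for the validation helper


def fresh_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed Papers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Papers (title TEXT PRIMARY KEY, presented INTEGER)")
    conn.executemany("INSERT INTO Papers VALUES (?, ?)", PAPERS)
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Consult the schema catalogue, so a dropped table is detected reliably."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def mark_presented_vulnerable(conn: sqlite3.Connection, title: str) -> None:
    """IIV: untrusted input is spliced into the statement text.

    executescript() models a driver that runs stacked statements (MySQL with
    multi-statements enabled, psql, many raw-query paths). sqlite3's execute()
    would reject the second statement, but that is a property of this library,
    and it would still leave UNION/OR-based injection open.
    """
    sql = "UPDATE Papers SET presented = 1 WHERE title = '" + title + "';"
    conn.executescript(sql)


def validate_title(title: str) -> str:
    """Defence in depth: bound the length and reject control characters.

    Quotes are deliberately allowed, because legitimate titles contain them,
    so validation alone cannot stop the payload; parameter binding does.
    """
    if not title or len(title) > MAX_TITLE_LEN:
        raise ValueError("title length out of range")
    if not title.isprintable():
        raise ValueError("title contains control characters")
    return title


def mark_presented_hardened(conn: sqlite3.Connection, title: str) -> int:
    """Validate, then bind the value: it is compared as data, never parsed as SQL.

    Returns the number of rows updated.
    """
    title = validate_title(title)
    cur = conn.execute("UPDATE Papers SET presented = 1 WHERE title = ?", (title,))
    conn.commit()
    return cur.rowcount


def presented(conn: sqlite3.Connection, title: str) -> int:
    """Return the presented flag for a title (0 if no such row)."""
    row = conn.execute("SELECT presented FROM Papers WHERE title = ?", (title,)).fetchone()
    return row[0] if row else 0


def demo() -> dict:
    """Run the four cases on fresh databases; report (table survived, rows/flag)."""
    results = {}
    db = fresh_db()
    mark_presented_vulnerable(db, PAPERS[0][0])
    results["vulnerable_benign"] = (table_exists(db, "Papers"), presented(db, PAPERS[0][0]))

    db = fresh_db()
    mark_presented_vulnerable(db, PAYLOAD)       # the second statement drops the table
    results["vulnerable_payload"] = (table_exists(db, "Papers"), None)

    db = fresh_db()
    rows = mark_presented_hardened(db, PAYLOAD)  # payload is merely an unknown title
    results["hardened_payload"] = (table_exists(db, "Papers"), rows)

    rows = mark_presented_hardened(db, PAPERS[1][0])
    results["hardened_benign"] = (table_exists(db, "Papers"), rows)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>18}: table_exists={outcome[0]}, rows_or_flag={outcome[1]}")
```

The point a reviewer should take from the abstract's "visible attack scenario" finding: in mark_presented_vulnerable the attack is invisible until you try the title as input, whereas the hardened version makes the trust boundary explicit at the call site. Note also that validate_title accepts the payload unchanged; allow-list validation is worth having, but only parameter binding removes the injection.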

Tue 25 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

10:30 - 11:30
1.1.2. Developers: Behavior (Technical Track / SEIP - Software Engineering in Practice) at Blended Sessions Room 2, mirrored +12h
Chair(s): Andrea Zisman (The Open University)

10:30 (20m) Paper, SEIP - Software Engineering in Practice
A Passion for Security: Intervening to Help Software Developers
Charles Weir (Lancaster University), Ingolf Becker (University College London), Lynne Blair (Lancaster University)
DOI, Pre-print, Media Attached

10:50 (20m) Paper, Technical Track
“Do this! Do that!, And nothing will happen” Do specifications lead to securely stored passwords?
Joseph Hallett (University of Bristol), Nikhil Patnaik (University of Bristol), Benjamin Shreeve (University of Bristol), Awais Rashid (University of Bristol, UK)
Pre-print, Media Attached

11:10 (20m) Paper, Technical Track
Why don’t Developers Detect Improper Input Validation?'; DROP TABLE Papers; --
ACM SIGSOFT Distinguished Paper, Artifact Available, Artifact Reusable
Larissa Braz (University of Zurich), Enrico Fregnan (University of Zurich), Gül Calikli (University of Zürich), Alberto Bacchelli (University of Zurich)
Pre-print, Media Attached
22:30 - 23:30
Mirror session (+12h) of 1.1.2. Developers: Behavior, same papers in the same order:
22:30 (20m) A Passion for Security: Intervening to Help Software Developers (SEIP)
22:50 (20m) “Do this! Do that!, And nothing will happen” Do specifications lead to securely stored passwords? (Technical Track)
23:10 (20m) Why don’t Developers Detect Improper Input Validation?'; DROP TABLE Papers; -- (Technical Track)