12 Angry Developers – A Qualitative Study on Developers’ Struggles with CSP

Roth, Sebastian and Gröber, Lea and Backes, Michael and Krombholz, Katharina and Stock, Ben
(2021) 12 Angry Developers – A Qualitative Study on Developers’ Struggles with CSP.
In: ACM CCS 2021.
Conference: CCS ACM Conference on Computer and Communications Security

[img]
Preview
 Text
roth2021usable.pdf - Published Version
Download (1MB) | Preview

Abstract

The Web has improved our ways of communicating, collaborating, teaching, and entertaining us and our fellow human beings. However, this cornerstone of our modern society is also one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). A correctly crafted Content Security Policy (CSP) is capable of effectively mitigating the effect of those Cross-Site Scripting attacks. However, research has shown that the vast majority of all policies in the wild are trivially bypassable. To uncover the root causes behind the omnipresent misconfiguration of CSP, we conducted a qualitative study involving 12 real-world Web developers. By combining a semi-structured interview, a drawing task, and a programming task, we were able to identify the participant’s misconceptions regarding the attacker model covered by CSP as well as roadblocks for secure deployment or strategies used to create a CSP.

Item Type: Conference or Workshop Item (A Paper) (Paper)
Divisions: Ben Stock (Secure Web Applications Group, SWAG)
Katharina Krombholz (Human-Oriented Security, HOS)
Conference: CCS ACM Conference on Computer and Communications Security
Depositing User: Ben Stock
Date Deposited: 11 Aug 2021 15:47
Last Modified: 03 Jun 2022 09:29
Primary Research Area: NRA5: Empirical & Behavioral Security
URI: https://publications.cispa.saarland/id/eprint/3463

Actions

Actions (login required)

View Item View Item
CISPA is powered by EPrints 3 which is developed by the School of Electronics and Computer Science at the University of Southampton. More information and software credits.