Slides I used to present our paper "Why Johnny Can't Store Passwords Securely?" at the Evaluation and Assessment in Software Engineering (EASE) 2018 conference. The full paper can be accessed at https://arxiv.org/ftp/arxiv/papers/1805/1805.09487.pdf
Why Johnny Can't Store Passwords Securely? A Usability Evaluation of Bouncycastle Password Hashing
1. Why Johnny Can’t Store Passwords Securely?
A Usability Evaluation of Bouncy Castle Password Hashing
Chamila Wijayarathna,
Dr. Nalin Asanka Gamagedara Arachchilage
School of Engineering and IT
University of New South Wales
Australia
2. • Password breaches at major companies have affected billions of user accounts.
4. Research Questions
• What usability issues exist in the password hashing functionality of the Bouncy Castle API?
• How do those issues affect the security of the applications that programmers develop?
5. Methodology
• Designed a programming task that uses the password hashing functionality of the Bouncy Castle API.
• Participants signed up and completed a demographic questionnaire and consent form.
• Participants completed the programming task while thinking aloud and recording their screens.
• Participants completed the cognitive dimensions questionnaire based on their experience with the API.
• Identified issues by analysing the recordings, code artifacts and questionnaire responses.
6. Study Results
• Identified 63 usability issues in Bouncy Castle SCrypt password hashing.
• On average, each participant encountered 15 usability issues.
7. Selecting parameters for the Scrypt.generate() method
• Difficult to understand the meaning of the method parameters.
• Difficult to select correct values for these parameters.
• IDE suggestions do not help to understand the parameters or to select correct values.
8. Issues encountered related to Salt
• Using a salt when hashing passwords helps to defend against dictionary attacks and pre-computed rainbow table attacks.
• Participants used constant values for the salt because of their lack of knowledge of salts and other related security concepts.
• The API did not help participants to identify their mistakes.
9. Issues of API Documentation
• Lack of sufficient documentation to refer to.
• Difficult to find the existing documentation.
• Not enough usage examples.
• Google search results do not show the official documentation at the top.
10. Usage of Byte Array vs. String
• Byte arrays and char arrays are recommended over Strings for holding passwords: a String is immutable, so the password stays in memory for longer and cannot be wiped until the garbage collector clears it.
• Some participants used a String to hold the password before/after calling the API, which weakened the application's security.
11. Where to Improve?
• Provide programmers with overloaded Scrypt.generate() method
o Byte[] Scrypt.generate (byte[] password, byte[] salt)
o Object Scrypt.generate (byte[] password)
• Improve documentation
• Include more examples for documentation
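As an added example (not code from the paper, the slides, or Bouncy Castle's own documentation), the following Java class places the weak pattern the study observed on slides 8 and 10 (a constant salt and a String-typed password) beside a hardened wrapper of the kind slide 11 proposes. It assumes the Bouncy Castle provider (bcprov) is on the classpath and calls the real class `org.bouncycastle.crypto.generators.SCrypt`, whose static `generate(P, S, N, r, p, dkLen)` method is what the slides refer to as `Scrypt.generate()`. The cost parameters, salt length, class and method names, and the sample password are this example's own choices, not values from the study.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import org.bouncycastle.crypto.generators.SCrypt;

/**
 * Added example: the "before" pattern the study observed (constant salt, String
 * password) beside a hardened helper around Bouncy Castle's SCrypt.generate().
 * Requires bcprov on the classpath; parameter values are this example's choices.
 */
public final class PasswordStore {
    // Work-factor parameters chosen for this example (assumption, not from the paper).
    // N must be a power of two greater than 1; N, r and p together set the CPU and
    // memory cost, and dkLen is the length of the derived hash in bytes.
    private static final int N = 1 << 14;
    private static final int R = 8;
    private static final int P = 1;
    private static final int DK_LEN = 32;
    private static final int SALT_LEN = 16;
    private static final SecureRandom RNG = new SecureRandom();

    /** Salt and hash are stored together so every user gets a distinct salt. */
    public static final class StoredPassword {
        public final byte[] salt;
        public final byte[] hash;
        StoredPassword(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    /** Weak pattern from the study: a fixed salt and an immutable String password. */
    public static byte[] weakHash(String password) {
        byte[] fixedSalt = "salt".getBytes(StandardCharsets.UTF_8); // same for every user
        // The String cannot be wiped, and equal passwords produce equal hashes,
        // so one precomputed table covers the whole user base.
        return SCrypt.generate(password.getBytes(StandardCharsets.UTF_8), fixedSalt, N, R, P, DK_LEN);
    }

    // Encodes a char[] password as UTF-8 without creating a String, then wipes
    // the encoder's temporary buffer so the plaintext does not linger on the heap.
    private static byte[] toBytes(char[] password) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] bytes = new byte[buf.remaining()];
        buf.get(bytes);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0);
        }
        return bytes;
    }

    /** Hashes a new password with a fresh random salt and wipes the plaintext afterwards. */
    public static StoredPassword hashPassword(char[] password) {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);
        byte[] pwBytes = toBytes(password);
        try {
            return new StoredPassword(salt, SCrypt.generate(pwBytes, salt, N, R, P, DK_LEN));
        } finally {
            Arrays.fill(pwBytes, (byte) 0);
            Arrays.fill(password, '\0');
        }
    }

    /** Recomputes the hash with the stored salt and compares it in constant time. */
    public static boolean verifyPassword(char[] password, StoredPassword stored) {
        byte[] pwBytes = toBytes(password);
        try {
            byte[] candidate = SCrypt.generate(pwBytes, stored.salt, N, R, P, DK_LEN);
            return org.bouncycastle.util.Arrays.constantTimeAreEqual(candidate, stored.hash);
        } finally {
            Arrays.fill(pwBytes, (byte) 0);
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) {
        // Constructed sample input; a real application reads the chars from the
        // login form rather than from a String literal.
        char[] pw = "correct horse battery staple".toCharArray();
        StoredPassword rec = hashPassword(pw.clone());
        System.out.println("correct password verifies: " + verifyPassword(pw.clone(), rec));
        System.out.println("wrong password verifies:   " + verifyPassword("hunter2".toCharArray(), rec));
        // Two users with the same password get different hashes thanks to the random salt.
        StoredPassword rec2 = hashPassword(pw.clone());
        System.out.println("hashes differ across users: " + !Arrays.equals(rec.hash, rec2.hash));
        // The weak variant yields the same hash every time it is called.
        System.out.println("weak hashes identical: " + Arrays.equals(weakHash("hunter2"), weakHash("hunter2")));
    }
}
```

The wrapper is the shape the slide's proposed overload would give callers: the salt is generated and returned with the hash rather than supplied by the programmer, the cost parameters are fixed in one reviewed place instead of being chosen at every call site, and the comparison uses Bouncy Castle's `constantTimeAreEqual` rather than `Arrays.equals`. Wiping the `char[]` and the UTF-8 buffer is best effort on the JVM (copies can survive in JIT-compiled code or after a heap compaction), but it removes the obvious long-lived copy that a String would leave behind.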
14. “Security API is an application programming interface that provides developers with security functionalities that enforce one or more security policies on the interaction between at least two entities.”
Gorski and Iacono (2016)
P. L. Gorski and L. L. Iacono, “Towards the usability evaluation of security APIs,” in HAISA 2016, pp. 252–265.
Editor's Notes
Good morning,
I am Chamila Wijayarathna,
I am a PhD student from the University of New South Wales, Australia.
In this presentation, I am going to present our work,
Why Johnny Can’t Store Passwords Securely,
A Usability Evaluation of Bouncy Castle Password Hashing.
This paper is co-authored by Dr. Nalin Asanka.
Security breaches related to stealing passwords are an increasingly common problem and have affected billions of people.
These are some of the popular organizations that faced this issue in recent years.
However, many technologies, algorithms, etc. are introduced every now and then to protect user passwords from attackers.
Despite these mechanisms, it appears that some software applications still contain vulnerabilities that open backdoors for attackers to steal user passwords.
So, why do applications still contain vulnerabilities when there are many technologies to protect those applications from attackers?
One of the main reasons for this is that programmers have been unable to use these technologies correctly when developing applications,
especially Application Programming Interfaces that provide security functionalities.
Research has found that most programmers involved in the software development process are not experts in security.
These non-expert programmers find it difficult to use security APIs correctly when the APIs are not usable,
which results in using security APIs incorrectly and
leaves their applications vulnerable to attacks.
In this study, we attempted to evaluate the usability of a security API that provides functionalities to secure application passwords: the Bouncy Castle API.
Bouncy Castle is a widely used open source API that provides a variety of cryptographic functionalities.
In this study, we mainly expected to evaluate the usability of the password hashing functionality of the Bouncy Castle API and identify its usability issues.
We mainly tried to identify
what usability issues exist in the password hashing functionality of the Bouncy Castle API,
and how those issues affect the security of applications that programmers develop using the API.
To answer these two questions, we conducted a user study based usability evaluation for the Bouncy Castle API.
This diagram shows a summary of the methodology we followed.
In this study, a few programmers completed a programming task using the Bouncy Castle API,
and we tried to identify the usability issues they encountered by observing them and from the feedback they gave.
So, first we designed a task for participants to follow.
Bouncy Castle has a number of different password hashing algorithm implementations,
and designing a task to evaluate all of them in one study was not feasible,
so we selected the Scrypt hashing implementation of the Bouncy Castle API.
Scrypt was the most secure password hashing implementation available in Bouncy Castle at the time we conducted the study.
The task was to securely store the passwords of a web application that has user registration and login functionalities.
We provided participants with the source code of an application that stores passwords insecurely, in plain text,
and asked them to secure password storage by hashing passwords using Bouncy Castle’s Scrypt functionality.
We needed software developers to participate in the study.
We identified Java developers on GitHub and invited them to participate.
The response rate was low, since software developers are busy people.
This is a common issue in this area of research.
Once they signed up, we sent them guidelines and study material.
They participated remotely, using their own equipment.
We asked them to think aloud while completing the task, and they recorded their screens along with their voice.
Once they completed the task, they had to answer the cognitive dimensions questionnaire.
This was developed by us previously, by improving a questionnaire that had been proposed to evaluate the usability of general APIs.
The cognitive dimensions questionnaire is a common method used to identify usability issues of applications as well as of APIs.
Then we analysed the questionnaire responses, screen recordings and code artifacts
and identified usability issues of the API from them.
A total of 10 programmers participated in the study.
We identified 63 usability issues of the API,
with an average of 15 issues identified from the results of each participant.
Some of these issues caused participants to make incorrect choices and hence reduced the security of the programs they developed.
Some of the issues just reduced their efficiency.
Our main focus for discussion is the issues that affected the security of the developed solutions.
Scrypt password hashing in the Bouncy Castle API is exposed to the programmer via the static generate method of the Scrypt class.
This method requires 6 parameters: the password, the salt, the work factor, the block size for the underlying hash, the parallelization factor and the length of the key to generate.
We observed that participants of our study found it difficult to understand the meaning of the last 4 parameters.
These 4 parameters decide the cost of generating the hash from the password. Selecting weaker values for them makes it less costly for attackers to perform attacks, and hence weakens the security of the application.
Not having a proper idea about these parameters made it difficult for participants to select proper values for them.
There was not much help available for selecting proper parameters either.
In particular, participants expected to see more information about how the strength of the hash and the processing time vary with these parameters.
Other than those 4 parameters, participants also used the salt parameter incorrectly.
Using a salt in password hashing makes passwords more secure, especially against dictionary attacks and precomputed rainbow table attacks.
To achieve this, the API expects programmers to use a unique salt for every user and save it with the password hash.
But some participants used the same salt value for all users of the application.
This made having a salt value useless.
The main reason for this mistake was the programmers’ lack of security knowledge.
Also, there was not much guidance available, and participants had no way to identify that they were using it incorrectly.
Many participants encountered issues related to the API documentation.
There was not much information available about using this particular functionality, other than a few Stack Overflow discussions and the API Javadoc.
In particular, information about method parameters was difficult to find.
Participants had to put in some effort to find details about using the API, which reduced their efficiency.
Most participants expected to see some examples of using the functionality during their learning process.
But it was difficult to find enough examples, which made it difficult to get a good understanding of how to use the API.
This made it difficult to use the API correctly.
Furthermore, we observed that when programmers searched Google for help,
the top results were from third parties such as Stack Overflow.
Some of the third-party resources they used contained incorrect solutions.
Some had used parameter values without giving a proper explanation,
which led participants to use those values assuming that they were recommended.
Even though this is not something directly related to the API,
it definitely reduced the effectiveness of using the API
and therefore reduced its usability.
Finally, like other Java crypto APIs, Bouncy Castle also uses byte arrays as the data type for holding passwords in memory.
This is considered secure and recommended.
However, participants preferred using Strings,
so this reduced their satisfaction with the API.
Furthermore, some of them used Strings to hold passwords in intermediate steps,
before and after using the API, which reduced the security of their application.
The Bouncy Castle API, or more generally Java APIs,
should consider this and provide more usable options for programmers to use them effectively and
in a way that makes them satisfied.
Some participants also suggested improvements for the API to make it more usable.
These are only suggestions and need more study to see whether they actually work, or whether they have any tradeoffs:
Most participants who faced difficulties with the method parameters of the Scrypt.generate method suggested that the API should provide overloaded method options with fewer parameters.
These are the two options they suggested.
They wanted the API to use defaults with values that suit the majority of hardware.
They also suggested improving the API documentation and including more examples in it.
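Here is an added example, not from the paper and not Bouncy Castle’s own code, that ties together three of the points above: the six parameters of Scrypt.generate, the per-user salt stored next to the hash, and keeping the password in a byte array rather than a String. It is shaped like the one-argument overload participants asked for; the cost values N, r, p, the key length and the salt length are assumptions chosen for illustration, not defaults recommended by Bouncy Castle.

```java
import java.nio.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import org.bouncycastle.crypto.generators.SCrypt;
// Added example, not Bouncy Castle's code: one-argument wrapper around SCrypt.generate(P, S, N, r, p, dkLen).
public final class PasswordStore {
    // Assumed cost values for illustration only, not values recommended by Bouncy Castle.
    private static final int N = 1 << 15;  // work factor (CPU/memory cost); must be a power of two
    private static final int R = 8;        // block size of the underlying hash
    private static final int P = 1;        // parallelization factor
    private static final int DK_LEN = 32;  // length of the derived key in bytes
    private static final int SALT_LEN = 16;
    private static final SecureRandom RNG = new SecureRandom();
    // Returns "N$r$p$salt$hash" (salt and hash base64) so salt and cost parameters travel with the hash.
    public static String hash(char[] password) {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);                  // fresh random salt for every call, i.e. per user
        byte[] pw = toBytes(password);        // byte[] so it can be zeroed once used
        try {
            byte[] dk = SCrypt.generate(pw, salt, N, R, P, DK_LEN);
            return N + "$" + R + "$" + P + "$" + b64(salt) + "$" + b64(dk);
        } finally {
            Arrays.fill(pw, (byte) 0);
        }
    }
    // Recomputes the hash with the stored salt and parameters and compares in constant time.
    public static boolean verify(char[] password, String stored) {
        String[] f = stored.split("\\$");
        if (f.length != 5) return false;
        byte[] salt = Base64.getDecoder().decode(f[3]), expected = Base64.getDecoder().decode(f[4]);
        byte[] pw = toBytes(password);
        try {
            byte[] dk = SCrypt.generate(pw, salt, Integer.parseInt(f[0]),
                    Integer.parseInt(f[1]), Integer.parseInt(f[2]), expected.length);
            return MessageDigest.isEqual(dk, expected);
        } finally {
            Arrays.fill(pw, (byte) 0);
        }
    }
    // UTF-8 encode the password without ever creating a String copy of it.
    private static byte[] toBytes(char[] chars) {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = Arrays.copyOf(bb.array(), bb.limit());
        Arrays.fill(bb.array(), (byte) 0);    // clear the encoder's buffer as well
        return out;
    }
    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }
}
```

Because the salt is drawn inside hash, two users with the same password get different stored values, which is exactly what the shared-salt mistake described above loses.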
However, programmers are not required to implement all the security-related functionality that their applications need.
Most of it is already there,
developed by security experts,
and made available to non-expert programmers via security APIs.
Non-expert programmers can use these security APIs to embed security into their applications.
For password protection too, there are many security APIs that provide the required functionality.
So why do programmers still make mistakes that make their applications vulnerable?
Security APIs not being usable is one of the reasons.
When security APIs are not usable, programmers find it difficult to use them correctly,
which results in the APIs being used incorrectly and
leaves their applications vulnerable to attacks.