Front-line developers default to insecure practices unless they are advised to do otherwise

It’s always somewhat baffling when a security breach reveals that a company has stored millions of users’ passwords in unencrypted form, or put their data on an insecure cloud drive, or transmitted it between the users’ devices and the company’s servers without encryption, or left an API wide open, or made some other elementary mistake: how does anyone in this day and age ship something so insecure?

A new study by University of Bonn researchers offers a hint: front-line developers working as freelancers default to remarkably insecure practices unless their clients know enough to demand better ones.

The researchers hired 43 freelance Java developers and asked them to build a registration system for an imaginary social network that the researchers claimed to be launching. Half of the developers were paid EUR100 and half were paid EUR200 for the job; half of each of the two pay groups were given explicit instructions to use secure password storage, and half were left to their own devices.

Although this yielded small sample sizes, the effect was large enough to warrant closer examination: 15 of the 18 who were given no password-security guidance stored passwords in plaintext; 3 of the group who were told to store passwords securely also stored them in plaintext. Moreover, even the developers who did protect the passwords mostly used insecure methods to do so: 31 of the developers used insecure approaches such as Base64 encoding (!), MD5 or SHA-1, while only 12 used secure approaches such as bcrypt and PBKDF2.

The developers also overwhelmingly failed to apply basic practices such as salting their hashes. And 17 out of 43 copy-pasted their code from random websites (alas, these copy-pasters did not consult something useful like OWASP’s password-storage guidelines).

The low-pay and high-pay groups performed at about the same level.

The whole study is pretty dismaying, suggesting that basic security awareness is very low among developers, and that all the things that might compensate for this, such as good example code that ranks highly in search results, are also lacking.

“Of the 18 individuals who got the extra security request, 3 chose to utilize Base64 and argued, for instance: ‘[I] secured it so the clear password is not noticeable’ and ‘It is extremely difficult to decrypt’,” the researchers said, highlighting that some study participants did not understand the fundamental difference between an encryption algorithm and a reversible encoding that merely rearranges the same data without any key.

Furthermore, only 15 of the 43 developers chose to implement salting, a process by which the password hash stored in an application’s database is made harder to crack by the addition of a random value.
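To make the distinction the study turns on concrete, here is an added Python example (not code from the study, the blog post, or any participant) contrasting the three storage choices the counts above refer to: Base64 encoding, unsalted MD5, and salted PBKDF2. The stored-record format and the helper names are this example’s own choices.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # work factor; OWASP's cheat sheet lists 600,000 for PBKDF2-HMAC-SHA256


def store_base64(password: str) -> str:
    """What some participants called 'encryption': a reversible encoding with no key."""
    return base64.b64encode(password.encode()).decode()


def recover_from_base64(stored: str) -> str:
    """Whoever reads the database gets the password back with a single call."""
    return base64.b64decode(stored).decode()


def store_md5_unsalted(password: str) -> str:
    """Fast, unsalted hash: two users with the same password get the same digest,
    so one precomputed table serves every account in the database at once."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: bytes = b"") -> str:
    """Salted, slow hash. Record format scheme$iterations$salt$hash is this example's own."""
    salt = salt or secrets.token_bytes(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def equal_password_leaks(store, password: str) -> bool:
    """True if storing the same password twice yields identical records, i.e. the
    scheme reveals which accounts share a password (the problem salting fixes)."""
    return store(password) == store(password)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("base64 reversible:", recover_from_base64(store_base64(pw)) == pw)
    print("md5 leaks equality:", equal_password_leaks(store_md5_unsalted, pw))
    print("pbkdf2 leaks equality:", equal_password_leaks(store_pbkdf2, pw))
    rec = store_pbkdf2(pw)
    print("pbkdf2 verifies:", verify_pbkdf2(pw, rec), verify_pbkdf2("wrong", rec))
```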

The study also found that 17 of the 43 developers copied their code from websites, suggesting that the freelancers lacked the skills needed to build a secure system from scratch and chose to reuse code that may be outdated or even riddled with bugs.

Paying developers higher rates did not help significantly, the researchers said.

“If you want, I can store the encrypted password.” A Password-Storage Field Study with Freelance Developers [Alena Naiakshina, Eva Gerlitz, Emanuel von Zezschwitz and Matthew Smith/University of Bonn].

Study shows programmers will take the easy way out and not implement proper password security [Catalin Cimpanu/Zero Day].

(via Schneier)
