More Like this

1. Build It, Break It, Fix It: Contesting Secure Development

   https://doi.org/10.1145/3383773  

   Parker, James; Hicks, Michael; Ruef, Andrew; Mazurek, Michelle L.; Levin, Dave; Votipka, Daniel; Mardziel, Piotr; Fulton, Kelsey R. (May 2020, ACM Transactions on Privacy and Security)
2. Cross-Validation: What Does It Estimate and How Well Does It Do It?

   https://doi.org/10.1080/01621459.2023.2197686  

   Bates, Stephen; Hastie, Trevor; Tibshirani, Robert (May 2023, Journal of the American Statistical Association)
3. Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It

   Daniel Votipka, Kelsey R. (August 2020, USENIX Security Symposium)

   null (Ed.)

   Secure software development is a challenging task requiring consideration of many possible threats and mitigations.This paper investigates how and why programmers, despite a baseline of security experience, make security-relevant errors.To do this, we conducted an in-depth analysis of 94 submissions to a secure-programming contest designed to mimic real-world constraints: correctness, performance, and security.In addition to writing secure code, participants were asked to search for vulnerabilities in other teams’ programs; in total, teams submitted 866 exploits against the submissions we considered. Over an intensive six-month period, we used iterative open coding to manually, but systematically, characterize each submitted project and vulnerability (including vulnerabilities we identified ourselves). We labeled vulnerabilities by type, attacker control allowed, and ease of exploitation,and projects according to security implementation strategy.Several patterns emerged. For example, simple mistakes were least common: only 21% of projects introduced such an error.Conversely, vulnerabilities arising from a misunderstanding of security concepts were significantly more common, appearing in 78% of projects. Our results have implications for improving secure-programming APIs, API documentation,vulnerability-finding tools, and security education. 

   more » « less
4. Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It

   Daniel Votipka, Kelsey R. (January 2020, USENIX Security Symposium)

   Secure software development is a challenging task requiring consideration of many possible threats and mitigations. This paper investigates how and why programmers, despite a baseline of security experience, make security-relevant errors. To do this, we conducted an in-depth analysis of 94 submissions to a secure-programming contest designed to mimic real-world constraints: correctness, performance, and security. In addition to writing secure code, participants were asked to search for vulnerabilities in other teams’ programs; in total, teams submitted 866 exploits against the submissions we considered. Over an intensive six-month period, we used iterative open coding to manually, but systematically, characterize each submitted project and vulnerability (including vulnerabilities we identified ourselves). We labeled vulnerabilities by type, attacker control allowed, and ease of exploitation, and projects according to security implementation strategy. Several patterns emerged. For example, simple mistakes were least common: only 21% of projects introduced such an error. Conversely, vulnerabilities arising from a misunderstanding of security concepts were significantly more common, appearing in 78% of projects. Our results have implications for improving secure-programming APIs, API documentation, vulnerability-finding tools, and security education. 

   more » « less
5. vernamlab/Bake-it-till-you-make-it: Releasing on Zenodo

   https://doi.org/10.5281/zenodo.15259011  

   Hashemi, Mohammad; Mehta, Dev; Ganji, Fatemeh Saba (January 2025, Zenodo)

   Releasing on Zenodo 

   more » « less