Title: A Human Error Based Approach to Understanding Programmer-Induced Software Vulnerabilities
Authors: Vaibhav Anu, Kazi Zakia Sultana, B. Samanthula
DOI: 10.1109/ISSREW51248.2020.00036 (https://doi.org/10.1109/ISSREW51248.2020.00036)
Venue: 2020 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)
Publication date: 2020-10-01
Citation count: 5
Abstract
Many security incidents can be traced back to software vulnerabilities, which can be described as security-related defects/bugs in the code that can potentially be exploited by attackers to perform unauthorized actions. An analysis of vulnerability data disseminated by organizations such as NIST's National Vulnerability Database (NVD) and the SANS Institute shows that a majority of vulnerabilities can be traced back to a relatively small set of root causes, mostly related to repeated mistakes by programmers. That is, programmers exhibit a pattern of erroneous coding practices or behavior which leads to vulnerable code. Cognitive psychologists have long studied these erroneous behavior patterns and have termed them human cognition failures or, simply, human errors. The primary goal of this paper is to propose a classification of the most frequently observed human errors committed by programmers (committing a human error can lead to the injection of one or more security defects/bugs). Such a classification can be useful for software development organizations, as they can train developers on these human errors so that developers avoid committing them, thereby reducing the chances of vulnerability injection in their code.