Does the act of writing a specification (how the code should behave) for a
piece of security sensitive code lead to developers producing more secure code?
We asked 138 developers to write a snippet of code to store a password: Half of
them were asked to write down a specification of how the code should behave
before writing the program, the other half were asked to write the code but
without being prompted to write a specification first. We find that explicitly
prompting developers to write a specification has a small positive effect on
the security of the password storage approaches they implemented. However, developers
often fail to store passwords securely, despite claiming to be confident and
knowledgeable in their approaches, and despite considering an appropriate range
of threats. We find a need for developer-centered usable mechanisms for telling
developers how to store passwords: lists of what they must do are not working.
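The study's task was a snippet that stores a password. The following is an added example, not code from the paper or from any of its participants, of what a specification-first answer to that task can look like: the behavioural specification is written down as comments before the code, and the code then implements it with a per-user random salt, a deliberately slow memory-hard key derivation (scrypt, via Python's standard library), constant-time verification, and a record format that carries its own parameters so they can be raised later. The parameter values and the `scrypt$n$r$p$salt$key` record layout are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Specification, written before the code (the study's prompted group was asked to do this):
#  1. Never store the plaintext password or a fast, unsalted hash of it.
#  2. Derive a key with a slow, memory-hard KDF (scrypt) and a fresh random salt per password.
#  3. Store every parameter needed to re-derive the key next to it, so cost can be raised later.
#  4. Verification must not leak, through timing, how many bytes of the hash matched.
#  5. Malformed or unknown records must fail verification, never raise into a login handler.

# Assumed cost parameters for the example (n=2**14, r=8 uses about 16 MiB per derivation).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN, KEY_LEN = 16, 32


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Run scrypt over the UTF-8 password with the given salt and cost parameters."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_LEN)


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_b64$key_b64 (spec items 1-3)."""
    salt = secrets.token_bytes(SALT_LEN)  # spec 2: fresh random salt per stored password
    key = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Check a candidate password against a stored record (spec items 4-5)."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = record.split("$")
        if scheme != "scrypt":
            return False  # spec 5: unknown scheme fails closed
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        # Re-derive with the parameters stored in the record, not the current defaults (spec 3).
        candidate = _derive(password, salt, int(n), int(r), int(p))
    except (ValueError, TypeError):
        return False  # spec 5: malformed record, bad base64 or bad scrypt parameters fail closed
    return hmac.compare_digest(candidate, expected)  # spec 4: constant-time comparison


def needs_rehash(record: str) -> bool:
    """True if the record is not an scrypt record at the current cost, i.e. should be re-hashed
    on the next successful login (spec 3 makes this possible)."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    try:
        return [int(x) for x in parts[1:4]] != [SCRYPT_N, SCRYPT_R, SCRYPT_P]
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("Correct horse battery staple", rec))
    print("needs rehash:", needs_rehash(rec))
```

Each function comment names the specification item it satisfies, which is the point of writing the specification first: it turns "store the password securely" into checkable requirements (salted, slow, parameterised, constant-time, fail-closed) that a reviewer can tick off against the code.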