Kuo-Chuan Yeh

It's the psychology stupid: how heuristics explain software vulnerabilities and how priming can illuminate developer's blind spots

Despite the security communitys emphasis on the importance of building secure software, the number of new vulnerabilities found in our systems is increasing. In addition, vulnerabilities that have been studied for years are still commonly reported in vulnerability databases. This paper investigates a new hypothesis that software vulnerabilities are blind spots in developers heuristic-based decision-making processes. Heuristics are simple computational models to solve problems without considering all the information available. They are an adaptive response to our short working memory because they require less cognitive effort. Our hypothesis is that as software vulnerabilities represent corner cases that exercise unusual information flows, they tend to be left out from the repertoire of heuristics used by developers during their programming tasks. To validate this hypothesis we conducted a study with 47 developers using psychological manipulation. In this study each developer worked for approximately one hour on six vulnerable programming scenarios. The sessions progressed from providing no information about the possibility of vulnerabilities, to priming developers about unexpected results, and explicitly mentioning the existence of vulnerabilities in the code. The results show that (i) security is not a priority in software development environments, (ii) security is not part of developers mindset while coding, (iii) developers assume common cases for their code, (iv) security thinking requires cognitive effort, (v) security education helps, but developers can have difficulties correlating a particular learned vulnerability or security information with their current working task, and (vi) priming or explicitly cueing about vulnerabilities on-the-spot is a powerful mechanism to make developers aware about potential vulnerabilities.

One Laptop per Child: POLISHING UP THE XO LAPTOP USER EXPERIENCE

FEATURE AT A GLANCE: We examine the user experience of the XO laptop (the “

Teaching computational thinking to non-computing majors using spreadsheet functions

100 laptop”). The XO laptop combines many technology innovations and is used in the United States and abroad. We asked users to perform a range of simple tasks to demonstrate that several aspects of the XO laptop and similar devices can be improved, including hardware and software. Our recommendations are not difficult modifications. What we found suggests that usability problems may pose a greater risk to the success of this device than perhaps was imagined by its designers. We hope to see the XO laptops usability become more polished and that usability, in general, will be considered appropriately as a potential risk for similar products.