Important: To participate in our labs, you are expected to apply with a short exposé (max. two pages). Simply send the exposés for the topics you are interested in to the corresponding supervisor until the 3rd of October. You will get feedback until the 7th of October.
Please note that sending in an exposé does not guarantee you a topic!
Test knowledge on privacy risks
With privacy laws like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), software developers are expected to develop software in accordance with those laws. However, as most developers are not privacy experts, governments and security organizations often publish guidelines, common risks and advice for software developers to guide them during the programming process . It is, however, unclear if those information sources are well known to developers and formulated in an understandable way . Your tasks in this lab would be to compare the information publicly available for developers and create a study testing the knowledge of the developers about the subject as well as testing their usefulness. The study will be piloted with a small sample size.
Literature: https://owasp.org/www-project-top-10-privacy-risks/ Accessed: August 2022  Senarath, Awanthika, and Nalin AG Arachchilage. „Why developers cannot embed privacy into software systems? An empirical investigation.“ Proceedings of the 22nd International Conference on Evaluation and Assessment in Software Engineering 2018. 2018.
Where do developers look for information regarding privacy?
Software developers are regularly required to ensure that their applications fulfill the requirements of laws like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). However, without being legal experts, developers can have problems understanding these laws. While developers in large companies may have a privacy expert to contact, many developers may be required to figure out themselves what to do . This can lead to problems, as not all sources online are accurate. Your task in this project would be to develop a study to see what information sources developers use when unsure about certain privacy issues during the development process. This study would be piloted by you. The used sources could be compared with regards to their accuracy.
Literature: Tahaei, Mohammad, Kami Vaniea, and Naomi Saphra. „Understanding privacy-related questions on stack overflow.“ Proceedings of the 2020 CHI conference on human factors in computing systems. 2020.
How do different roles in a company assess security needs of a product?
When it comes to ensuring a secure product, companies tend to put the focus solely on developers and try to educate developers on secure software development. Although this is a step in the right direction, it is not a comprehensive solution. Building a secure product is a process involving different teams with different disciplines in addition to software development teams, educating only part of the project participants is not enough. Security should not only be a concern for the developers, but it should also concern all stakeholders involved in the project. It needs to be an integral part of the product, and definitely not an extra patch.
Your task in this lab will be to design an experimental study where participants ( professionals with roles involved in the creation of a secure product) will be given a task to complete. The goal of this lab is to figure out how the participants assess security needs. This study will be designed and piloted by you.
Comparing company and non-company software developers
In recent years, more and more research is conducted with company software developers on how to support them in implementing secure code. However, many researchers are conducting developer studies with participants recruited from platforms (e.g., Mturk, Prolific, Freelancer.com), where it isn’t clear how well this sample reflects actual company software developers. Unfortunately, there has been very little research comparing these two.
In this lab, you will be designing and piloting a study in which you will be measuring security-related differences between company and non-company developers. As such, the task has to be designed in a way, where it is possible to measure a difference if it exists.
Password storage study comparing students, freelancer and professional software developer:
Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, and Matthew Smith. 2020. On Conducting Security Developer Studies with CS Students: Examining a Password-Storage Study with CS Students, Freelancers, and Company Developers. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (CHI ’20). Association for Computing Machinery, New York, NY, USA, 1–13. https://doi.org/10.1145/3313831.3376791
Effect of different levels of monetary compensation on task outcome in company developer security studies
Company software developers are often not compensated using monetary compensation (cash). Instead, this demographic is frequently recruited by appealing to idealism, the drive to help, or self-improvement, learning from own mistakes. However, monetary compensation is still one of the strongest motivators for company software developers to participate in developer security studies. As such, there is little insight on how different payment levels might affect the task outcome (e.g., level of security in a programming task or level of security awareness during code review)
In this lab, you will be designing and piloting a study which compares the task outcome of professional software developers in a developer security study based on different payment levels. As such, the task has to be designed in a way, where it is possible to measure a difference if it exists.
Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Emanuel von Zezschwitz, and Matthew Smith. 2019. „If You Want, I Can Store the Encrypted Password“: A Password-Storage Field Study with Freelance Developers. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems (CHI ’19). ACM, New York, NY, USA, Article 140, 12 pages. DOI: http://dx.doi.org/10.1145/3290605.3300370
Usability Evaluation and Comparison of Security Tools Developers Use
Many security tools have been developed to help developers in software security. However, only recently security research started to focus on developers instead of end-users and with this, research has been extended to study developers and the tools they use. Goal of this lab is to create an overview of ways to test security tools for usability and additionally compare these tools.
In this lab you will be designing and piloting a study which compares and evaluates the usability of one security tool which is used by developers.
Alena Naiakshina, Anastasia Danilova, Christian Tiefenau, Marco Herzog, Sergej Dechand, and Matthew Smith. 2017. Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS ’17). Association for Computing Machinery, New York, NY, USA, 311–328.
Nudging Software Developers Towards Secure Code
Due to external requirements, time pressure, and additional effort, it is essential to understand how software developers can be motivated to change their previously learned routines and integrate new concepts of security. One of the interventions to change behavior is nudging [1, 2]. A nudge is an attempt at influencing behavior in a situation in which a person needs to make a decision. Here, we want to influence software developers to make them choose the option that is more secure.
In this lab you will be designing and piloting a study which evaluates nudging techniques. This includes working with literature beyond the topic of security, e.g. behavioral literature.
Literature: K. Renaud and V. Zimmermann. Ethical guidelines for nudging in information security & privacy. International Journal of Human-Computer Studies, 120:22–35, 2018.  F. Fischer and J. Grossklags, „Nudging Software Developers Toward Secure Code“ in IEEE Security & Privacy, vol. 20, no. 02, pp. 76-79, 2022.