Updating Cryptographic Implementations in Software Projects - Interview Study

Project Overview

Within this study, we are interested how software projects update cryptographic methods. This includes their motivation, developers' experiences on the update process. In addition, we aim to identify how developers can be better supported to update cryptographic methods in their projects.

We are a group of security & privacy researchers from the German CISPA Helmholtz-Center for Information Security and the Leibniz University Hannover with collaborations to various other institutions.

We are looking for developers who experienced updating cryptographic methods in their projects. We are interested in your experiences, challenges, decisions, and strategies. We are also interested in your motivation for updating cryptographic methods. The interview would:

  • Be fully pseudonymized for you and the projects, at most, short anonymized quotes from the interview might be published.
  • Take not longer than ~60 minutes of your valuable time and includes a compensation of $60.
  • Be on any audio/video platform of your choice (our self-hosted Jitsi, BigBlueButton, zoom,… ), camera optional. (We recommand BigBlueButton, hosted by GWDG or zoom)
Participate: Please fill out our pre-registration form to participate in the study.

Please contact us if you have any questions: alexander.krause@cispa.de

Project Context #

Vulnerabilities in software systems are not unheard of, be it in projects or zero-days discovered in productionized systems. Secure software is imperative when it comes to any kind of data handling tasks. Moreover, it is crucial and of utmost importance that developers know which cryptographic methods are needed when implementing security-critical software components. In addition, developers have to correctly implement and, when required, update these methods to ensure overall software security. While previous works have evaluated cryptographic libraries in different contexts, such as, comparing usability of cryptographic APIs, evaluating API-integrated security advice for cryptographic APIs or identifying helpful security information to avoid insecure cryptographic API use during development, we are still unaware about developers’ experiences and challenges when implementing cryptographic methods.

Over time, used cryptographic implementations become insecure due to new standards, deprecation or due to invalid or wrong implementations within software. Cryptographic implementations are particularly important due to their high security relevance.

Data Handling #

For the analysis of the interviews we would like to use transcripts. For this we need to collect the following data:

  • A recording of your interview that will be destroyed after transcription (a few days after the interview is processed).
  • A fully disidentified (your & project information) transcript of the interview, which will be destroyed after our research is complete (likely a few months after the interview).

The interview and data processing has been approved by our German equivalent of an IRB:

  • The data collected will be fully disidentified whenever necessary.
  • Throughout the research, access to the data is limited to a few trained researchers only.
  • All data collected will be handled in accordance with strict GDPR/DSGVO regulations.
  • All data will be destroyed upon completion of our research.

Our full consent disclosure is as follows:

  • Participation: Your participation is of course entirely voluntary. You may skip any questions you don’t want to answer, abort the interview at any time for any reason, or cancel the interview appointment.
  • Data Collection: We would like to record the interviews’s audio (and video optionally) for later transcription by a GDPR compliant transcription service. After we disidentify transcripts and check them for accuracy, all recordings will be discarded.
  • Risks: The risks to your participation in this online interview study are those associated with basic computer tasks, including boredom, fatigue, mild stress, or breach of confidentiality.
  • Benefits: Benefits of participating in the interview are the learning experience from participating in a research study, and the contribution to the state of scientific knowledge.

Who we are #

Our group studies the intersection of computer security and privacy with human factors. We are particularly interested in investigating end users, administrators, developers, and designers of computer systems and their interdependencies with computer security and privacy mechanisms.

You can find some of our recent publications here.

Researchers

Alexander Krause | Project Lead
Researcher (CISPA).
Websitealexander.krause@cispa.de
Harjot Kaur
Researcher (CISPA).
Websiteharjot.kaur@cispa.de
Sascha Fahl | Principal Investigator
Tenured Faculty (CISPA) and Full Professor (Leibniz University Hannover).
Websitesascha.fahl@cispa.de

Institutions

CISPA Helmholtz-Center for Information Security
German national Big Science Institution within the Helmholtz Association.
Website
Leibniz University Hannover
University, Hannover, Germany.
Website