Authors: Daniela Oliveira, Marissa Rosenthal, Nicole Morin, Kuo-Chuan Yeh, Justin Cappos, Yanyan Zhuang
Keywords:
Abstract: Despite the security community's emphasis on the importance of building secure software, the number of new vulnerabilities found in our systems is increasing. In addition, vulnerabilities that have been studied for years are still commonly reported in vulnerability databases. This paper investigates the hypothesis that software vulnerabilities are blind spots in developers' heuristic-based decision-making processes. Heuristics are simple computational models for solving problems without considering all the information available. They are an adaptive response to our short working memory because they require less cognitive effort. Our hypothesis is that, as software vulnerabilities represent corner cases that exercise unusual information flows, they tend to be left out of the repertoire of heuristics used by developers during their programming tasks. To validate this hypothesis we conducted a study with 47 developers using psychological manipulation. In this study each developer worked for approximately one hour on six vulnerable programming scenarios. The sessions progressed from providing no information about the possibility of vulnerabilities, to priming developers for unexpected results, and finally to explicitly mentioning the existence of vulnerabilities in the code. The results show that (i) security is not a priority in software development environments, (ii) security is not part of developers' mindset while coding, (iii) developers assume common cases for their code, (iv) security thinking requires cognitive effort, (v) security education helps, but developers can have difficulties correlating a particular learned vulnerability or security concept with their current task, and (vi) priming or cueing on-the-spot is a powerful mechanism to make developers aware of potential vulnerabilities.