In today's software landscape, security vulnerabilities remain a persistent challenge despite the diligent efforts of the security community. These vulnerabilities often stem from shortcomings within the language and library APIs that developers rely on. Developers may inadvertently introduce vulnerabilities due to misunderstandings or misuse of these APIs, a phenomenon we refer to as "blindspots".
Our primary objective was to delve into API blindspots from the perspective of developers, aiming to understand their perception and handling of blindspots within their code.
We conducted a comprehensive study involving 109 developers from diverse backgrounds. Participants engaged in solving programming puzzles involving Java APIs known to contain blindspots. Through this study, we aimed to uncover insights into how developers perceive and address blindspots within their codebase.
Impact on Security Concerns
The presence of blindspots negatively correlated with developers' accuracy in addressing implicit security questions and their ability to recognize potential security issues within the codebase. Notably, this effect was more pronounced for APIs related to input/output operations and for puzzles with higher complexity.
Surprisingly, higher levels of cognitive functioning and greater programming experience did not necessarily translate to improved detection of API blindspots.
Developers with a higher level of openness as a personality trait exhibited a greater propensity to identify API blindspots.
The insights gained from this study hold significant implications for enhancing API security and software development practices: