Developers are Not the Enemy!: The Need for Usable Security APIs


Usability problems are a major cause of many of today’s IT security incidents. Despite the critical importance of securing information systems, the security mechanisms we deploy often prove too complicated, timeconsuming and error-prone when placed into the hands of users. This problem has motivated the field of usable security. For over a decade, researchers in this field have attempted to combat these problems by conducting interdisciplinary research focusing on the root causes of the end-user problems and on the creation of security mechanisms that are compatible with ordinary users. However, many recent security incidents were not caused by end-users, but rather by software developers making mistakes. Unfortunately, while it has become accepted that systems should be user-friendly and robust to the end-user, the prevailing attitude towards software developers amongst cryptographer library designers is that they are experts and thus should know better. This attitude persists even when considering complex areas such as cryptography and user authentication, where the typical software engineer cannot be expected to possess the domain expertise necessary to navigate all pitfalls. Unfortunately, rather than recognizing the limitations of software engineers, modern security practice has created an adversarial environment between the designers of security software and the developers who use this software to construct applications. In this article we argue that developers are not the enemy, and that – to strengthen security systems across the board – security professionals need to re-focus their efforts on creating developer-friendly and developer-centric approaches to assist these professionals in their complex tasks. To illustrate our thesis, we focus on the usability of cryptographic and other security related Application Program Interfaces (APIs). Over the past several years a number of new cryptographic libraries and APIs have become available to developers. These libraries promise to greatly increase the use of cryptography on the web and in the cloud, but they often do so at a cost. In this article we propose several characteristics we believe will lead to more usable security APIs that treat normal developers, rather than cryptographers, as the primary consumer.