Worrisome Patterns in Developers: A Survey in Cryptography
Mohammadreza Hazhirpasand, Oscar Nierstrasz, Mohammad Ghafari

TL;DR
This survey of 97 open-source cryptography developers reveals significant differences in practices based on experience levels, but also uncovers concerning patterns like reliance on unreliable sources and low security tool adoption across all groups.
Contribution
The study provides new insights into developer security practices and highlights widespread risky behaviors in cryptography development.
Findings
High-profile developers have more security knowledge and tool usage.
All groups frequently rely on unreliable sources like Stack Overflow.
Low overall adoption of security tools among developers.
Abstract
We surveyed 97 developers who had used cryptography in open-source projects, in the hope of identifying developer security and cryptography practices. We asked them about individual and company-level practices, and divided respondents into three groups (i.e., high, medium, and low) based on their level of knowledge. We found differences between the high-profile developers and the other two groups. For instance, high-profile developers have more years of experience in programming, have attended more security and cryptography courses, have more background in security, are highly concerned about security, and tend to use security tools more than the other two groups. Nevertheless, we observed worrisome patterns among all participants such as the high usage of unreliable sources like Stack Overflow, and the low rate of security tool usage.
