Freelance devs: Oh, you wanted the app to be secure? The job spec didn't mention that
Boffins find pros-for-hire no better at writing secure code than compsci beginners
Freelance developers hired to implement password-based security systems do so about as effectively as computer science students, which is to say not very well at all.
Boffins at the University of Bonn in Germany set out to expand on research in 2017 and 2018 that found computer science students asked to implement a user registration system didn't do so securely unless asked, and even then didn't always get it right.
The scientists speculated that because the surveyed students knew they were taking part in a study, they didn't make security a priority. So they modified the experiment to test whether developers unaware that they were participating in a study did any better.
The eggheads – Alena Naiakshina, Anastasia Danilova, Eva Gerlitz, Emanuel von Zezschwitz, and Matthew Smith – describe their findings in a paper titled, "'If you want, I can store the encrypted password.' A Password-Storage Field Study with Freelance Developers."
Their paper is scheduled to be presented at the CHI Conference on Human Factors in Computing Systems Proceedings, which runs from May 4–9, 2019, in Glasgow, Scotland.
Posing as a client trying to build a social networking site, the researchers hired 43 developers for either €100 (~$112) or €200 (~$225) from Freelancer.com to help them create a portion of the fictitious project, the site's registration system.
The deception was approved by the university's Research Ethics Board and study participants were told after the conclusion of the research that they could withdraw from the study if they wished. None did and only one declined to answer the post-job questionnaire.
The freelancers were hired to work in Java and took anywhere from one to five days to complete the assigned task. Those hired ranged from 22 to 68 years in age (median: 29; mean: 30.34) and 39 of the 43 reported being male. All but two said they'd been programming for at least two years and in Java for at least one year. Most were not fluent in English.
The study confirms previous findings that if you want security, you won't get it by default; you have to ask for it. "Our sample shows that freelancers who believe they are creating code for a real company also seldom store passwords securely without prompting," the paper says.
The boffins also found that many of the freelancers failed to grasp that encryption, hashing and encoding are three different things. "We found a number of freelancers were reducing password storage security to a visual representation and thus using Base64 as their preferred method to ensure security," the paper says. "Additionally, encryption and hashing were used as synonyms, which was often reflected by the freelancers' programming code."
Another finding consistent with the student research is that many freelancers (16 in this instance) submitted code copied from the internet.
This isn't necessarily bad if the copied example is actually a secure implementation of a security method worth using. In the 2018 research study of computer science students, all the secure solutions came from people who copied and pasted secure code examples and none came from those who didn't.
The researchers note in closing that they received more secure code from the better paid group, although not enough to be statistically significant. They suggested further study might be warranted to find whether there's anything to the saying, "You get what you pay for." ®