API Usability and Security

We're collaborating with the Human-Computer Interaction Institute at Carnegie Mellon University (under NSF grant CNS-1423054) to study the interactions between making an application program interface (API) more usable and making it more secure. In some cases, these features appear to be in concert (i.e., making the API more usable makes it easier to use correctly, so there are fewer security errors), while in other cases, security and usability features seem to conflict.

APIs are typically designed by a small number of experienced developers but have an extremely long lifespan. For example, buffer overflows were understood and documented as early as 1972, but are still one of the most common vulnerabilities. Likewise, the gets() C Standard library function has been the cause of innumerable security vulnerabilities. Because of this, the impact of good API design has a lasting multiplicative effect.
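The gets() function is the classic example of an API whose design makes secure use impossible: it takes a destination buffer but no length, so the caller has no way to bound the write. The following is an added example, not code from the project or page, contrasting that shape with a bounded line reader built on fgets(). The function names read_line and demo_bounded_reads, the status codes, and the sample input are all assumptions constructed for this illustration; the input is fed through a POSIX fmemopen() stream so the example runs offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/*
 * read_line: bounded replacement for the unbounded gets() idiom.
 * Reads one line into buf, writing at most size-1 bytes plus a terminator.
 * Return codes (assumed convention for this example):
 *   0 = EOF or read error before any data
 *   1 = whole line fit in buf (newline stripped)
 *   2 = line was longer than buf; the excess was discarded so the next
 *       call starts at the following line instead of the leftover bytes
 */
int read_line(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return 0;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';   /* drop the newline, line fit */
        return 1;
    }

    /* No newline in buf: either EOF without a newline, or the line was
     * longer than the buffer. Consume the rest of the line so the caller
     * never sees a truncated tail as a "new" line. */
    int c, discarded = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        discarded = 1;
    return discarded ? 2 : 1;
}

/* Constructed sample input: a 40-byte line that would overflow a 16-byte
 * buffer if read with gets(), followed by a short line. */
static const char SAMPLE_INPUT[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "short\n";

/* Reads two lines from SAMPLE_INPUT into buffers of the given size.
 * Returns s1*10 + s2 so a caller can check both status codes at once,
 * or -1 if the in-memory stream could not be opened. */
int demo_bounded_reads(char *first, char *second, size_t size)
{
    FILE *in = fmemopen((void *)SAMPLE_INPUT, sizeof SAMPLE_INPUT - 1, "r");
    if (in == NULL)
        return -1;
    int s1 = read_line(first, size, in);   /* truncated: status 2 */
    int s2 = read_line(second, size, in);  /* "short": status 1 */
    fclose(in);
    return s1 * 10 + s2;
}

int main(void)
{
    char a[16], b[16];
    int status = demo_bounded_reads(a, b, sizeof a);
    printf("status=%d first=\"%s\" (%zu bytes) second=\"%s\"\n",
           status, a, strlen(a), b);
    return 0;
}
```

The design point is the signature, not the body: because read_line() takes a size, a caller cannot accidentally omit the bound, and the overlong input is truncated and reported rather than written past the end of the buffer. The explicit status for truncation matters too; silently dropping data is a different, quieter bug.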

The objective of this research is to gather empirical evidence about the security impacts of API design. Ultimately, the cause of many cybersecurity failures is flawed code written by programmers. Our philosophy for this project is that programmers are people and we need to study how to design APIs that are usable by programmers as they develop secure code. To our knowledge, we are the first researchers to study the security aspects of API usability.

API design can have a major impact on security, and the barrier that a poorly chosen design can pose is difficult, if not impossible, to overcome by training.