Why the “Study shows programmers will take the easy way out” ZDNet article is rubbish

Stephen
4 min read · Mar 13, 2019

TL;DR: This study shows that random anonymous freelance and student JAVA (JAVA!) developers contracted online for a single task to create roll-your-own encryption didn’t do a very good job at it. gtf outta here.

Free usage stock image of coding. I would say I’m about as original as most tech journalists. Want to hire me? Maybe, freelance?

I have hardly ever read ZDNet before, but as a programmer I felt a strong need to read this article right away and find the false assumption the writer must have made to produce an article with this premise.

Implying that a massive entire industry of workers, diverse in niches if not diverse in terms of the actual people, “will take the easy way out” is just objectively insulting. We don’t need that kind of attitude coming our way. Let’s get something straight: we’re all people, trying our best to navigate a hostile world while maintaining some sense of personal standards. Also, you studied JAVA developers. If JAVA devs alone are representative of the industry as a whole, we are seriously in trouble. (I can say that; I was a JAVA dev.)

The methodological discussion is really the highlight of the study (https://net.cs.uni-bonn.de/fileadmin/user_upload/naiakshi/Naiakshina_Password_Study.pdf). They tried to recruit via GitHub, but, I kid you not, only 0.14% (0.0014) of the people they contacted on GitHub agreed to do the task. They concluded not that they might be ignorant of how the industry actually works, but that you just can’t recruit for studies from GitHub. Sure, Jan.

They fail to mention in their methodological discussion how their method of recruiting might have limited their insight into the field to a small subset of the group they wanted to study. Failing to find any willing participants on GitHub, they instead recruited from that highly reputable and well-known source of the best security-minded devs around, Freelancer.com.

“The participants had to implement salting and hashing on their own.” There’s your problem right there, Jan. Of course developers are bad at doing encryption. We don’t do encryption ourselves, because to do so is to take a great security risk. Make your way through this article by auth0, a favorite company of mine, https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/, and you’ll find a salient quote about the very thing this study chose as its measure of how developers as a whole handle security:

“Hashing and salting are complex methods to create hardy and resilient systems. It’s best to leave their implementation to security experts. A misstep in a home-made security strategy may lead to damage to a business, its users, and reputation.”

Yet implementing hashing and salting is exactly what they asked these basically anonymous freelance developers to do. Accepting a low-paying bid for a tiny job that will likely never be used in any kind of major production application (Freelancer.com) is different from discussing the security architecture of your domain-driven-design, micro-services, distributed cloud web application. If they’re going to generalize from your data, you have to repeat that fact along with every “analysis” they offer. It’s required, yes. Legally required. To complicate the occasionally insinuating language of studies, many journalists are ready to spin the wildest yarns from even the most measured and careful researchers. It’s all for those sweet, sweet clicks.

This study was of student and online freelancer JAVA developers, presumably from all around the world, who were asked to do a task that most developers should not actually do themselves. As auth0 pointed out, we should not roll our own encryption. To then judge developers on how good they are at something they should not be doing is probably not going to give you the most useful data.
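To make the auth0 point concrete, here is an added example (not code from the article, the study, or auth0) contrasting the kind of home-made scheme the study asked participants to write with the vetted alternative: a standard-library password KDF with a per-user random salt and a high iteration count. The 600,000-iteration default is an assumption taken from the OWASP password-storage guidance for PBKDF2-HMAC-SHA256; the record format is a constructed one.

```python
import hashlib
import hmac
import secrets

# Constructed "home-made" scheme of the kind the study's participants were
# asked to produce: an unsalted, single-round, fast hash. Two users with the
# same password get the same digest, and an attacker who obtains the table
# can test guesses offline at hardware speed. Kept here only for contrast.
def homemade_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Vetted alternative: PBKDF2-HMAC-SHA256 from the standard library, a random
# 16-byte salt per record, and a deliberately slow iteration count.
# Assumption: 600_000 follows current OWASP guidance for this KDF; treat it
# as a floor, not a ceiling.
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = 600_000) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # Self-describing record (constructed format) so the iteration count can
    # be raised later without breaking existing accounts.
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Note that the salt makes two records for the same password differ, which is exactly what the unsalted scheme cannot provide.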

On a final note, why do people assume that developers have all this agency and are the ones in control of the quality standards of the code they write? Of course, we all have a responsibility to continuously learn and improve, and most of us do. There are a lot of common-sense things developers could all do better at to promote a more secure web. But developers don’t do fast and dirty because they categorically aren’t concerned with web security. Developers work fast and dirty because the industry and employers demand it, and refuse to give us additional time to spend on improving the quality of the code.

Do workers in most industries have control of the tools they use, the way they do their job, their deadlines, and so on? Do you think that in the case of the Equifax security breach it was the developers, dressed in their business casuals, showing up to their cavernous open workspaces at 8 am sharp with a cup of Keurig coffee-water, who made the choice not to upgrade that software? It was their bosses, Jan.

Instead of suggesting your data shows that developers do less than the bare minimum, maybe acknowledge that you had a failed study. Analyze the ways in which your study design and methodology led you to such a narrow corner of the industry. Discuss how that illustrates how unimaginably large and diverse (again, for the US, in content, not people) the field is, and how, even though this study was the second following this premise, no generalizations can reasonably be drawn from it except generalizations about Freelancer.com devs. I could have saved you a lot of money if you had just asked. Having devs from Freelancer.com do your security is not a good idea. You’re welcome.
