Vulnerabilities as blind spots in developer's heuristic-based decision-making processes

Justin Cappos, Yanyan Zhuang, Daniela Oliveira, Marissa Rosenthal, Kuo Chuan Yeh

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

8 Scopus citations


The security community spares no effort in emphasizing security awareness and the importance of building secure software. However, the number of new vulnerabilities found in today's systems is still increasing. Furthermore, old and well-studied vulnerability types, such as buffer overflows and SQL injections, are still repeatedly reported in vulnerability databases. Historically, the common response has been to blame the developers for their lack of security education. This paper discusses a new hypothesis to explain this problem by introducing a new security paradigm in which software vulnerabilities are viewed as developers' blind spots in their decision making. We argue that such a flawed mental process is heuristic-based: humans solve problems without considering all the information available, much like taking shortcuts. This paper's thesis is that security thinking tends to be left out by developers during their programming, as vulnerabilities usually exist in corner cases with unusual information flows. Leveraging this paradigm, this paper introduces a novel methodology for capturing and understanding security-related blind spots in Application Programming Interfaces (APIs). Finally, it discusses how this methodology can be applied to the design and implementation of the next generation of automated diagnosis tools.

Original language: English (US)
Title of host publication: NSPW 2014 - Proceedings of the 2014 New Security Paradigms Workshop
Publisher: Association for Computing Machinery
Number of pages: 9
ISBN (Electronic): 9781450330626
State: Published - Sep 15 2014
Event: 2014 New Security Paradigms Workshop, NSPW 2014 - Victoria, Canada
Duration: Sep 15 2014 - Sep 18 2014

Publication series

Name: ACM International Conference Proceeding Series


Other: 2014 New Security Paradigms Workshop, NSPW 2014

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

