Back to overview

The Impact of Developer Experience in Using Java Cryptography

Type of publication Peer-reviewed
Publikationsform Proceedings (peer-reviewed)
Author Hazhirpasand M., Ghafari M., Krüger S., Bodden E., Nierstrasz O.,
Project Agile Software Assistance
Show all

Proceedings (peer-reviewed)

Page(s) 1 - 6
Title of proceedings 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)
DOI 10.1109/esem.2019.8870184

Open Access

Type of Open Access Repository (Green Open Access)


Background: Previous research has shown that crypto APIs are hard for developers to understand and difficult for them to use. They consequently rely on unvalidated boilerplate code from online resources where security vulnerabilities are common.Aims and method: We analyzed 2,324 open-source Java projects that rely on Java Cryptography Architecture (JCA) to understand how crypto APIs are used in practice, and what factors account for the performance of developers in using these APIs.Results: We found that, in general, the experience of developers in using JCA does not correlate with their performance. In particular, none of the factors such as the number or frequency of committed lines of code, the number of JCA APIs developers use, or the number of projects they are involved in correlate with developer performance in this domain.Conclusions: We call for qualitative studies to shed light on the reasons underlying the success of developers who are expert in using cryptography. Also, detailed investigation at API level is necessary to further clarify a developer obstacles in this domain.