Design and implementation of the crypto-assistant: an eclipse plugin for usable password-based column level encryption based on hiberate and jasypt

Abstract

The lack of encryption of data at rest or in motion is one of the top 10 database vulnerabilities according to team SHATTER [72]. In the quest to improve the security landscape, we identify an opportunity area: two tools Hibernate and Jasypt that work together to provide password-based database encryption. The goal is to encourage developers to think about security and incorporate security related tasks early in the development process through the improvement of their programming system or integrated development environment (IDE). To this end, we modified the Hibernate Tools plugin for the popular Eclipse IDE, to integrate it with Hibernate and Jasypt with the purpose of mitigating the impact of the lack of security knowledge and training. We call this prototype the Crypto-Assistant. We designed an experiment to simulate a situation where the developers had to deal with time constraints, functional requirements, and lack of familiarity with the technology and the code they are modifying. We provide a report on the observations drawn from this preliminary evaluation. We anticipate that, in the near future, the prototype will be released to the public domain and encourage IDE developers to create more tools like Crypto-Assistant to help developers create more secure applications.