Secure coding practices in Java: challenges and vulnerabilities


Detailed bibliography
Published in: 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE), pp. 372-383
Main authors: Meng, Na; Nagy, Stefan; Yao, Danfeng (Daphne); Zhuang, Wenjie; Argoty, Gustavo Arango
Format: Conference paper
Language: English
Publication details: New York, NY, USA: ACM, 27 May 2018
Series: ACM Conferences
ISBN: 9781450356381, 1450356389
ISSN: 1558-1225
Abstract: The Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on StackOverflow posts, aiming to understand developers' concerns on Java secure coding, their programming obstacles, and insecure coding practices. We observed a wide adoption of the authentication and authorization features provided by Spring Security, a third-party framework designed to secure enterprise applications. We found that programming challenges are usually related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring Security. In addition, we reported multiple security vulnerabilities in the suggested code of accepted answers on the StackOverflow forum. The vulnerabilities included disabling the default protection against Cross-Site Request Forgery (CSRF) attacks, breaking SSL/TLS security through bypassing certificate validation, and using insecure cryptographic hash functions. Our findings reveal the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practices.
Authors:
1. Na Meng, Virginia Tech, nm8247@vt.edu
2. Stefan Nagy, Virginia Tech, snagy2@vt.edu
3. Danfeng (Daphne) Yao, Virginia Tech, danfeng@vt.edu
4. Wenjie Zhuang, Virginia Tech, kaito@vt.edu
5. Gustavo Arango Argoty, Virginia Tech, gustavo1@vt.edu
CODEN: IEEPAD
Content type: Conference proceeding
Copyright: 2018 ACM
DOI: 10.1145/3180155.3180201
Discipline: Computer Science
End page: 383
External document ID (IEEE Xplore): 8453095
Genre: original research
ISI cited references count: 89
Keywords: authorization; cryptographic hash functions; spring security; SSL/TLS; secure coding; stackOverflow; certificate validation; cryptography; CSRF; authentication
License: Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org
Meeting name: ICSE '18: 40th International Conference on Software Engineering
Page count: 12
Publication date: 27 May 2018 (2018-05-27; also recorded as 2018-May)
Publication place: New York, NY, USA
Publication series: ACM Conferences
Publication title: 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE)
Publication title abbreviation: ICSE
Publication year: 2018
Publisher: ACM
Start page: 372
Subject terms: Authentication; authorization; certificate validation; cryptographic hash functions; Cryptography; CSRF; Encoding; General and reference -- Cross-computing tools and techniques -- Empirical studies; Java; Libraries; Programming; Secure coding; Spring security; SSL/TLS; StackOverflow
Title: Secure coding practices in Java
Subtitle: challenges and vulnerabilities
URI: https://ieeexplore.ieee.org/document/8453095