Secure coding practices in Java challenges and vulnerabilities

The Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on StackOverflow posts, aiming to understand dev...

Celý popis

Uloženo v:
Podrobná bibliografie
Vydáno v:2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE) s. 372 - 383
Hlavní autoři: Meng, Na, Nagy, Stefan, Yao, Danfeng (Daphne), Zhuang, Wenjie, Argoty, Gustavo Arango
Médium: Konferenční příspěvek
Jazyk:angličtina
Vydáno: New York, NY, USA ACM 27.05.2018
Edice:ACM Conferences
Témata:
Authentication
authorization
certificate validation
cryptographic hash functions
Cryptography
CSRF
Encoding
General and reference > Cross-computing tools and techniques > Empirical studies
Java
Libraries
Programming
Secure coding
Spring security
SSL/TLS
StackOverflow
authorization
cryptographic hash functions
spring security
SSL/TLS
secure coding
stackOverflow
certificate validation
cryptography
CSRF
authentication
ISBN:9781450356381, 1450356389
ISSN:1558-1225
On-line přístup:Získat plný text
Tagy: Přidat tag
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
Popis
Shrnutí:The Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on StackOverflow posts, aiming to understand developers' concerns on Java secure coding, their programming obstacles, and insecure coding practices. We observed a wide adoption of the authentication and authorization features provided by Spring Security---a third-party framework designed to secure enterprise applications. We found that programming challenges are usually related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring Security. In addition, we reported multiple security vulnerabilities in the suggested code of accepted answers on the StackOverfow forum. The vulnerabilities included disabling the default protection against Cross-Site Request Forgery (CSRF) attacks, breaking SSL/TLS security through bypassing certificate validation, and using insecure cryptographic hash functions. Our findings reveal the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practices.
ISBN:9781450356381
1450356389
ISSN:1558-1225
DOI:10.1145/3180155.3180201