Secure Coding Practices in Java: Challenges and Vulnerabilities
Title | Secure Coding Practices in Java: Challenges and Vulnerabilities |
Publication Type | Conference Paper |
Year of Publication | 2018 |
Authors | Meng, Na; Nagy, Stefan; Yao, Danfeng; Zhuang, Wenjie; Arango-Argoty, Gustavo |
Conference Name | 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE) |
Date Published | May |
ISBN Number | 978-1-4503-5638-1 |
Keywords | application program interfaces, authentication, authorisation, Authorization, authorization features, Certificate Validation, coding theory, complex Java-based, complicated cross-language data handling, Computer crime, cross-site request forgery attacks, cryptographic hash functions, cryptography, cryptography API, CSRF, developers time, empirical study, encoding, insecure coding practices, Java, Java platform, Java secure coding, Libraries, multiple security vulnerabilities, Programming, programming challenges, programming obstacles, pubcrawl, resilience, Resiliency, Scalability, Secure Coding, secure coding assistance, secure coding practices, security, Security by Default, Spring security, SSL-TLS security, SSL/TLS, StackOverflow, StackOverflow forum, StackOverflow posts, third-party framework, third-party libraries, XML, XML-based approaches |
Abstract | The Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on StackOverflow posts, aiming to understand developers' concerns on Java secure coding, their programming obstacles, and insecure coding practices. We observed a wide adoption of the authentication and authorization features provided by Spring Security - a third-party framework designed to secure enterprise applications. We found that programming challenges are usually related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring Security. In addition, we reported multiple security vulnerabilities in the suggested code of accepted answers on the StackOverflow forum. The vulnerabilities included disabling the default protection against Cross-Site Request Forgery (CSRF) attacks, breaking SSL/TLS security through bypassing certificate validation, and using insecure cryptographic hash functions. Our findings reveal the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practices. |
URL | https://dl.acm.org/citation.cfm?doid=3180155.3180201 |
DOI | 10.1145/3180155.3180201 |
Citation Key | meng_secure_2018 |