Paper Info
Title
Secure Coding Practices in Java: Challenges and Vulnerabilities.
Abstract
The Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on StackOverflow posts, aiming to understand developers' concerns on Java secure coding, their programming obstacles, and insecure coding practices. We observed a wide adoption of the authentication and authorization features provided by Spring Security---a third-party framework designed to secure enterprise applications. We found that programming challenges are usually related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring Security. In addition, we reported multiple security vulnerabilities in the suggested code of accepted answers on the StackOverfow forum. The vulnerabilities included disabling the default protection against Cross-Site Request Forgery (CSRF) attacks, breaking SSL/TLS security through bypassing certificate validation, and using insecure cryptographic hash functions. Our findings reveal the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practices.
Year
DOI
Venue
2018
10.1145/3180155.3180201
ICSE
Keywords
DocType
Volume
Secure coding, Spring Security, CSRF, SSL/TLS, certificate validation, cryptographic hash functions, authentication, authorization, StackOverflow, cryptography
Conference
abs/1709.09970
ISBN
Citations 
PageRank 
978-1-4503-5638-1
17
0.70
References 
Authors
17
5
Name
Order
Citations
PageRank
Na Meng11109.72
Stefan Nagy2221.46
Danfeng Yao396574.85
Wenjie Zhuang4401.78
Gustavo Arango Argoty5170.70