VTechWorks staff will be away for the Thanksgiving holiday beginning at noon on Wednesday, November 27, through Friday, November 29. We will resume normal operations on Monday, December 2. Thank you for your patience.
 

Secure Coding Practices in Java: Challenges and Vulnerabilities

dc.contributor.authorMeng, Naen
dc.contributor.authorNagy, Stefanen
dc.contributor.authorYao, Danfeng (Daphne)en
dc.contributor.authorZhuang, Wenjieen
dc.contributor.authorArango-Argoty, Gustavoen
dc.contributor.departmentComputer Scienceen
dc.date.accessioned2017-11-17T16:11:24Zen
dc.date.available2017-11-17T16:11:24Zen
dc.date.issued2017-09-28en
dc.description.abstractJava platform and third-party libraries provide various security features to facilitate secure coding. However, misusing these features can cost tremendous time and effort of developers or cause security vulnerabilities in software. Prior research was focused on the misuse of cryptography and SSL APIs, but did not explore the key fundamental research question: what are the biggest challenges and vulnerabilities in secure coding practices? In this paper, we conducted a comprehensive empirical study on StackOverflow posts to understand developers’ concerns on Java secure coding, their programming obstacles, and potential vulnerabilities in their code. We observed that developers have shifted their effort to the usage of authentication and authorization features provided by Spring security—a third-party framework designed to secure enterprise applications. Multiple programming challenges are related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring security. More interestingly, we identified security vulnerabilities in the suggested code of accepted answers. The vulnerabilities included using insecure hash functions such as MD5, breaking SSL/TLS security through bypassing certificate validation, and insecurely disabling the default protection against Cross Site Request Forgery (CSRF) attacks. Our findings reveal the insufficiency of secure coding assistance and education, and the gap between security theory and coding practices.en
dc.identifier.doihttps://doi.org/10.475/123_4en
dc.identifier.urihttp://hdl.handle.net/10919/80427en
dc.language.isoen_USen
dc.publisherVirginia Techen
dc.rightsIn Copyrighten
dc.rights.urihttp://rightsstatements.org/vocab/InC/1.0/en
dc.source.urihttps://arxiv.org/abs/1709.09970en
dc.subjectCSRFen
dc.subjectSSL/TLS certificate validationen
dc.subjectcryptographic hash functionsen
dc.subjectauthenticationen
dc.subjectauthorizationen
dc.titleSecure Coding Practices in Java: Challenges and Vulnerabilitiesen
dc.typeArticleen

Files

Original bundle
Now showing 1 - 1 of 1
Loading...
Thumbnail Image
Name:
YaoSecureCoding2017.pdf
Size:
1.14 MB
Format:
Adobe Portable Document Format
Description: