Secure coding practices in Java: challenges and vulnerabilities

Authors:
Na Meng

Virginia Tech

Virginia Tech
View Profile

,
Stefan Nagy

Virginia Tech

Virginia Tech
View Profile

,
Danfeng (Daphne) Yao

Virginia Tech

Virginia Tech
View Profile

,
Wenjie Zhuang

Virginia Tech

Virginia Tech
View Profile

,
Gustavo Arango Argoty

Virginia Tech

Virginia Tech
View Profile

ICSE '18: Proceedings of the 40th International Conference on Software EngineeringMay 2018Pages 372–383https://doi.org/10.1145/3180155.3180201

Published:27 May 2018Publication History

ICSE '18: Proceedings of the 40th International Conference on Software Engineering

Pages 372–383

ABSTRACT

The Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on StackOverflow posts, aiming to understand developers' concerns on Java secure coding, their programming obstacles, and insecure coding practices.

We observed a wide adoption of the authentication and authorization features provided by Spring Security---a third-party framework designed to secure enterprise applications. We found that programming challenges are usually related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring Security. In addition, we reported multiple security vulnerabilities in the suggested code of accepted answers on the StackOverfow forum. The vulnerabilities included disabling the default protection against Cross-Site Request Forgery (CSRF) attacks, breaking SSL/TLS security through bypassing certificate validation, and using insecure cryptographic hash functions. Our findings reveal the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practices.

References

Y. Acar, M. Backes, S. Fahl, D. Kim, M. L. Mazurek, and C. Stransky. You get where you're looking for: The impact of information sources on code security. In 2016 IEEE Symposium on Security and Privacy (SP), pages 289--305, May 2016.Google ScholarCross Ref
AES-256 implementation in GAE. https://stackoverflow.com/questions/12833826/aes-256-implementation-in-gae.Google Scholar
Apache Shiro documentation. https://shiro.apache.org/documentation.html.Google Scholar
Application Server - Oracle WebLogic Server. https://www.oracle.com/middleware/weblogic/index.html.Google Scholar
A. Barua, S. W. Thomas, and A. E.Hassan. What are developers talking about? An analysis of topics and trends in Stack Overflow. Empirical Software Engineering, 19(3):619--654, Jun 2014. Google ScholarDigital Library
Basic Program for encrypt/Decrypt : javax.crypto.BadPaddingException:Decryption error. https://stackoverflow.com/questions/39518979/basic-program-for-encrypt-decrypt-javax-crypto-badpaddingexception-decryption.Google Scholar
BigInteger to Key. https://stackoverflow.com/questions/10271164/biginteger-to-key.Google Scholar
S. Boonkrong. Security of passwords. Information Technology Journal, 8(2):112--117, 2012.Google Scholar
Bouncy castle. https://www.bouncycastle.org.Google Scholar
Can a secret be hidden in a 'safe' Java class offering access credentials? https://stackoverflow.com/questions/5761519/can-a-secret-be-hidden-in-a-safe-java-class-offering-access-credentials.Google Scholar
L. Cerulo, M. D. Penta, A. Bacchelli, M. Ceccarelli, and G. Canfora. Irish: A hidden Markov model to detect coded information islands in free text. Science of Computer Programming, 105(Supplement C):26 -- 43, 2015. Google ScholarDigital Library
A. Chatzikonstantinou, C. Ntantogian, G. Karopoulos, and C. Xenakis. Evaluation of cryptography usage in Android applications. In Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies, pages 83--90, 2015. Google ScholarDigital Library
Communication with server that support SSL in Java. https://stackoverflow.com/questions/21156929/java-class-to-trust-all-for-sending-file-to-https-web-service.Google Scholar
Compare two Public Key values in Java (duplicate). https://stackoverflow.com/questions/37439695/compare-two-public-key-values-in-java.Google Scholar
Configure Spring Security without XML in Spring 4. https://stackoverflow.com/questions/20961600/configure-spring-security-without-xml-in-spring-4.Google Scholar
@Context injection in Stateless EJB used by JAX-RS. https://stackoverflow.com/questions/29132547/context-injection-in-stateless-ejb-used-by-jax-rs.Google Scholar
Converted secret key into bytes, how to convert it back to secret key? https://stackoverflow.com/questions/5364338/converted-secret-key-into-bytes-how-to-convert-it-back-to-secrect-key.Google Scholar
Custom Authentication Filters in multiple HttpSecurity objects using Java Config. https://stackoverflow.com/questions/37304211/custom-authentication-filters-in-multiple-httpsecurity-objects-using-java-config.Google Scholar
CWE-227: Improper fulfillment of API contract (API abuse). https://cwe.mitre.org/data/definitions/227.html.Google Scholar
A. Datta, A. Derek, J. C. Mitchell, and A. Roy. Protocol composition logic (PCL). Electronic Notes in Theoretical Computer Science, 172:311 -- 358, 2007. Google ScholarDigital Library
A. Dey and S. Weis. Keyczar: A Cryptographic Toolkit.Google Scholar
Dictionary Attacks 101. https://blog.codinghorror.com/dictionary-attacks-101/.Google Scholar
M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel. An empirical study of cryptographic misuse in Android applications. In Proceedings of the ACM Conference on Computer and Communications Security, CCS, pages 73--84, New York, NY, USA, 2013. ACM. Google ScholarDigital Library
Encryption PHP, Decryption Java. https://stackoverflow.com/questions/15639442/encryption-php-decryption-java.Google Scholar
L. Erkök and J. Matthews. Pragmatic equivalence and safety checking in Cryptol. In Proceedings of the 3rd Workshop on Programming Languages Meets Program Verification, PLPV '09, pages 73--82, New York, NY, USA, 2008. ACM. Google ScholarDigital Library
S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, B. Freisleben, and M. Smith. Why Eve and Mallory love Android: An analysis of Android SSL (in)security. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS, pages 50--61, New York, NY, USA, 2012. ACM. Google ScholarDigital Library
F. Fischer, K. Böttinger, H. Xiao, C. Stransky, Y. Acar, M. Backes, and S. Fahl. Stack Overflow considered harmful? The impact of copy&paste on Android application security. In 38th IEEE Symposium on Security and Privacy, 2017.Google ScholarCross Ref
C. Gackenheimer. Implementing security and cryptography. In Node. js Recipes, pages 133--160. Springer, 2013.Google ScholarCross Ref
M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov. The most dangerous code in the world: Validating SSL certificates in non-browser software. In Proceedings of the ACM Conference on Computer and Communications Security, CCS, pages 38--49, New York, NY, USA, 2012. ACM. Google ScholarDigital Library
Get public and private key from ASN1 encrypted pem certificate. https://stackoverflow.com/questions/30392114/get-public-and-private-key-from-asn1-encrypted-pem-certificate.Google Scholar
GlassFish. https://javaee.github.io/glassfish/.Google Scholar
L. Gong and G. Ellison. Inside Java(TM) 2 Platform Security: Architecture, API Design, and Implementation. Pearson Education, 2nd edition, 2003. Google ScholarDigital Library
Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf.Google Scholar
B. He, V. Rastogi, Y. Cao, Y. Chen, V. N. Venkatakrishnan, R. Yang, and Z. Zhang. Vetting SSL usage in applications with SSLINT. In 2015 IEEE Symposium on Security and Privacy, pages 519--534, May 2015. Google ScholarDigital Library
Hiding my security key from Java reflection. https://stackoverflow.com/questions/14903318/hiding-my-security-key-from-java-reflection.Google Scholar
How can I get a signed Java Applet to perform privileged operations when called from unsigned Javascript? https://stackoverflow.com/questions/1006674/how-can-i-get-a-signed-java-applet-to-perform-privileged-operations-when-called.Google Scholar
How does Java string being immutable increase security? https://stackoverflow.com/questions/15274874/how-does-java-string-being-immutable-increase-security.Google Scholar
How to accept self-signed certificates for JNDI/LDAP connections? https://stackoverflow.com/questions/4615163/how-to-accept-self-signed-certificates-for-jndi-ldap-connections.Google Scholar
How to add MD5 or SHA hash to Spring security? https://stackoverflow.com/questions/18581463/how-to-add-md5-or-sha-hash-to-spring-security.Google Scholar
How to apply spring security filter only on secured end-points? https://stackoverflow.com/questions/36795894/how-to-apply-spring-security-filter-only-on-secured-endpoints.Google Scholar
How to generate secret key using SecureRandom.getInstanceStrong()? https://stackoverflow.com/questions/37244064/how-to-generate-secret-key-using-securerandom-getinstancestrong.Google Scholar
How to override Spring Security default configuration in Spring Boot. https://stackoverflow.com/questions/35600488/how-to-override-spring-security-default-configuration-in-spring-boot.Google Scholar
Implementing a Remote Interface. http://docs.oracle.com/javase/tutorial/rmi/implementing.html.Google Scholar
InvalidKeySpecException : algid parse error, not a sequence. https://stackoverflow.com/questions/31941413/invalidkeyspecexception-algid-parse-error-not-a-sequence.Google Scholar
Java authentication and authorization service (JAAS) reference guide. https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html.Google Scholar
Java class to trust all for sending file to HTTPS web service. https://stackoverflow.com/questions/21156929/java-class-to-trust-all-for-sending-file-to-https-web-service.Google Scholar
Java cryptography architecture. http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html.Google Scholar
Java - Edit code sample to specify DES key value. https://stackoverflow.com/questions/22858497/edit-code-sample-to-specify-des-key-value.Google Scholar
Java EE 7 EJB Security not working. https://stackoverflow.com/questions/30504131/java-ee-7-ejb-security-not-working.Google Scholar
Java Mail get mails with pop3 from exchange server, Exception in thread "main" javax.mail.MessagingException. https://stackoverflow.com/questions/25017050/java-mail-get-mails-with-pop3-from-exchange-server-exception-in-thread-main.Google Scholar
Java RMI / access denied. https://stackoverflow.com/questions/36570012/java-rmi-access-denied.Google Scholar
Java security init Cipher from SecretKeySpec properly. https://stackoverflow.com/questions/14230096/java-security-init-cipher-from-secretkeyspec-properly.Google Scholar
Java Security Manager completely disable reflection. https://stackoverflow.com/questions/40218973/java-security-manager-completely-disable-reflection.Google Scholar
Java security overview. http://docs.oracle.com/javase/8/docs/technotes/guides/security/overview/jsoverview.html.Google Scholar
Java Security - RSA Public Key & Private Key Code Issue. https://stackoverflow.com/questions/18757114/java-security-rsa-public-key-private-key-code-issue.Google Scholar
Java security: Sandboxing plugins loaded via URLClass-Loader. https://stackoverflow.com/questions/3947558/java-security-sandboxing-plugins-loaded-via-urlclassloader.Google Scholar
Java - Simple example of Spring Security with Thymeleaf. https://stackoverflow.com/questions/25692735/simple-example-of-spring-security-with-thymeleaf.Google Scholar
Java SSL - InstallCert recognizes certificate, but still "unable to find valid certification path" error? https://stackoverflow.com/questions/11087121/java-ssl-installcert-recognizes-certificate-but-still-unable-to-find-valid-c.Google Scholar
JSR-000366 Java platform, enterprise edition 8 public review specification. http://download.oracle.com/otndocs/jcp/java_ee-8-pr-spec/.Google Scholar
D. Lazar, H. Chen, X. Wang, and N. Zeldovich. Why does cryptographic software fail? A case study and open problems. In Proceedings of 5th Asia-Pacific Workshop on Systems, APSys '14, pages 7:1--7:7, New York, NY, USA, 2014. ACM. Google ScholarDigital Library
Y. Li, Y. Zhang, J. Li, and D. Gu. iCryptoTracer: Dynamic analysis on misuse of cryptography functions in iOS applications. In M. H. Au, B. Carminati, and C.-C. J. Kuo, editors, Proceedings of the 8th International Conference on Network and System Security, pages 349--362, 2014.Google ScholarCross Ref
Logout call - Spring security logout call. https://stackoverflow.com/questions/ 24530603/spring-security-logout-call.Google Scholar
F. Long. Software vulnerabilities in Java. Technical Report CMU/SEI-2005-TN-044, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, 2005.Google Scholar
MD5 hashing in Android. https://stackoverflow.com/questions/4846484/md5- hashing- in- android.Google Scholar
A. Mettler, D. Wagner, and T. Close. Joe-E: A security-oriented subset of Java. In Network and Distributed Systems Symposium. Internet Society, 2010.Google Scholar
J. C. Mitchell, M. Mitchell, and U. Stern. Automated analysis of cryptographic protocols using Mur/spl phi/. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, SP '97, pages 141--, Washington, DC, USA, 1997. IEEE Computer Society. Google ScholarDigital Library
B. Möller, T. Duong, and K. Kotowicz. This POODLE bites: exploiting the SSL 3.0 fallback, 2014.Google Scholar
S. Nadi, S. Krüger, M. Mezini, and E. Bodden. Jumping through hoops: Why do Java developers struggle with cryptography APIs? In Proceedings of the 38th International Conference on Software Engineering, ICSE, pages 935--946, New York, NY, USA, 2016. ACM. Google ScholarDigital Library
S. Oaks. Java Security. O'Reilly & Associates, Inc., Sebastopol, CA, USA, 1998. Google ScholarDigital Library
L. Onwuzurike and E. De Cristofaro. Danger is my middle name: Experimenting with SSL vulnerabilities in Android apps. In Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, WiSec '15, pages 15:1--15:6, New York, NY, USA, 2015. ACM. Google ScholarDigital Library
PicketLink / Deltaspike security does not work in SOAP (JAX-WS) layer (CDI vs EJB?). https://stackoverflow.com/questions/32392702/picketlink-deltaspike-security-does-not-work- in-soap-jax-ws-layer-cdi-vs-ej.Google Scholar
S. Rahaman and D. Yao. Program analysis of cryptographic implementations for security. In IEEE Security Development Conference (SecDev), pages 61--68, 2017.Google ScholarCross Ref
M. S. Rahman. An empirical case study on Stack Overflow to explore developers' security challenges. Master's thesis, Kansas State University, 2016.Google Scholar
F. Y. Rashid. Library misuse exposes leading Java platforms to attack. http://www.infoworld.com/article/3003197/security/library-misuse-exposes-leading-java-platforms-to-attack.html, 2017.Google Scholar
Resteasy Authorization design - check a user owns a resource. https://stackoverflow.com/questions/34315838/resteasy-authorization-design-check-a-user-owns-a-resource.Google Scholar
RF 6101 - The Secure Sockets Layer (SSL) Protocol Version 3.0. https://tools.ietf.org/html/rfc6101.Google Scholar
Scrapy - A Fast and Powerful Scraping and Web Crawling Framework. https://scrapy.org.Google Scholar
Security - Allowing Java to use an untrusted certificate for SSL/HTTPS connection. https://stackoverflow.com/questions/1201048/allowing-java-to-use-an-untrusted-certificate-for-ssl-https-connection.Google Scholar
Security exception when loading web image in jar. https://stackoverflow.com/questions/2011407/security-exception-when-loading-web-image-in-jar.Google Scholar
S. Shuai, D. Guowei, G. Tao, Y. Tianchang, and S. Chenjie. Modeling analysis and auto-detection of cryptographic misuse in Android applications. In Proceedings of the IEEE 12th International Conference on Dependable, Autonomic and Secure Computing, DASC, pages 75--80, Washington, DC, USA, 2014. IEEE Computer Society. Google ScholarDigital Library
E. Smith and D. L. Dill. Automatic formal verification of block cipher implementations. In Formal Methods in Computer-Aided Design, pages 1--7, Nov 2008. Google ScholarDigital Library
Spring security. https://projects.spring.io/spring-security/.Google Scholar
Spring Security 4 XML configuration UserDetailsService authentication not working. https://stackoverflow.com/questions/41321176/spring-security-4-xml-configuration-userdetailsservice-authentication-not-workin.Google Scholar
Spring security JDK based proxy issue while using @Secured annotation on Controller method. https://stackoverflow.com/questions/35860442/spring-security-jdk-based-proxy-issue-while-using-secured-annotation-on-control.Google Scholar
Spring Security Reference. http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#jc-httpsecurity.Google Scholar
Spring Security Tutorial. http://www.mkyong.com/tutorials/spring-security-tutorials/.Google Scholar
Spring Security using JBoss <security-domain>. https://stackoverflow.com/questions/28172056/spring-security-using-jboss-security-domain.Google Scholar
SSL Certificate Verification: javax.net.ssl.SSLHandshakeException.https://stackoverflow.com/questions/25079751/ssl-certificate-verification-javax-net-ssl-sslhandshakeexception.Google Scholar
SSL handshake fails with unable to find valid certification path to requested target. https://stackoverflow.com/questions/40977556/ssl-handshake-fails-with-unable-to-find-valid-certification-path-to-requested-ta.Google Scholar
SSL Socket Connection working even though client is not sending certificate? https://stackoverflow.com/questions/26761966/ssl-socket-connection-working-even-though-client-is-not-sending-certificate.Google Scholar
StackOverflow. https://stackoverflow.com.Google Scholar
J. Steven and J. Manico. Password storage cheat sheet. https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet.Google Scholar
M. Stevens, E. Bursztein, P. Karpman, A. Albertini, and Y. Markov. The first collision for full SHA-1. Cryptology ePrint Archive, Report 2017/190, 2017. https://eprint.iacr.org/2017/190.Google Scholar
The Webserver I talk to updated its SSL cert and now my app can't talk to it. https://stackoverflow.com/questions/5758812/the-webserver-i-talk-to-updated-its-ssl-cert-and-now-my-app-cant-talk-to-it.Google Scholar
Trusting all certificates using HttpClient over HTTPS. https://stackoverflow.com/questions/2642777/trusting- all-certificates-using-httpclient-over-https.Google Scholar
Use of ECC in Java SE 1.7. https://stackoverflow.com/questions/24383637/use-of-ecc-in-java-se-1-7.Google Scholar
Using public key from authorized_keys with Java security. https://stackoverflow.com/questions/3531506/using-public-key-from-authorized-keys-with-java-security.Google Scholar
State of software security. https://www.veracode.com/sites/default/files/Resources/Reports/state-of-software-security-volume-7-veracode-report.pdf, 2016. Veracode.Google Scholar
X. Wang, D. Feng, X. Lai, and H. Yu. Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD, 2004. http://eprint.iacr.org/2004/199.Google Scholar
Web Security Samples. https://github.com/spring-projects/spring-security-javaconfig/blob/master/samples-web.md#sample-multi-http-web-configuration.Google Scholar
WebSphere Application Server - IBM. http://www-03.ibm.com/software/products/en/appserv-was.Google Scholar
When a TrustManagerFactory is not a TrustManagerFactory (Java). https://stackoverflow.com/questions/14654639/when-a-trustmanagerfactory-is-not-a-trustmanagerfactory-java.Google Scholar
When I try to convert a string with certificate, exception is raised. https://stackoverflow.com/questions/10594000/when-i- try-to-convert-a-string-with-certificate-exception-is-raised.Google Scholar
WildFly. http://wildfly.org.Google Scholar
Wildfly 9 security domains won't work. https://stackoverflow.com/questions/37425056/wildfly-9-security-domains-wont-work.Google Scholar
X.-L. Yang, D. Lo, X. Xia, Z.-Y. Wan, and J.-L. Sun. What security questions do developers ask? A large-scale study of Stack Overflow posts. Journal of Computer Science and Technology, 31(5):910--924, Sep 2016.Google ScholarCross Ref
W. Zeller and E. W. Felten. Cross-site request forgeries: Exploitation and prevention. https://www.cs.utexas.edu/~shmat/courses/library/zeller.pdf, 2008.Google Scholar

Index Terms

Secure coding practices in Java: challenges and vulnerabilities
1. General and reference
  1. Cross-computing tools and techniques
    1. Empirical studies

Recommendations

IoTVerif: An Automated Tool to Verify SSL/TLS Certificate Validation in Android MQTT Client Applications
CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy

Developing secure Internet of Things (IoT) applications that are free of vulnerabilities and resilient against exploit is desirable for software developers and testers. In this paper, we present IoTVerif, an automated tool that can verify SSL/TLS (...
Read More
Lightweight server support for browser-based CSRF protection
WWW '13: Proceedings of the 22nd international conference on World Wide Web

Cross-Site Request Forgery (CSRF) attacks are one of the top threats on the web today. These attacks exploit ambient authority in browsers (eg cookies, HTTP authentication state), turning them into confused deputies and causing undesired side effects on ...
Read More
The CERT Oracle Secure Coding Standard for Java
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ICSE '18: Proceedings of the 40th International Conference on Software Engineering
May 2018
1307 pages
ISBN:9781450356381
DOI:10.1145/3180155
Conference Chair:
Michel Chaudron
Chalmers University of Technology, University of Gothenburg, Sweden
,
General Chair:
Ivica Crnkovic
Chalmers University of Technology, University of Gothenburg, Sweden
,
Program Chairs:
Marsha Chechik
University of Toronto, Canada
,
Mark Harman
Facebook and University College London, United Kingdom
Copyright © 2018 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 27 May 2018
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
CSRF
SSL/TLS
authentication
authorization
certificate validation
cryptographic hash functions
cryptography
secure coding
spring security
stackOverflow
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate276of1,856submissions,15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 84
  Total Citations
  View Citations
- 2,774
  Total Downloads
- Downloads (Last 12 months)682
- Downloads (Last 6 weeks)110
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Secure coding practices in Java: challenges and vulnerabilities

ICSE '18: Proceedings of the 40th International Conference on Software Engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

IoTVerif: An Automated Tool to Verify SSL/TLS Certificate Validation in Android MQTT Client Applications

Lightweight server support for browser-based CSRF protection

The CERT Oracle Secure Coding Standard for Java