ABSTRACT
The Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on StackOverflow posts, aiming to understand developers' concerns on Java secure coding, their programming obstacles, and insecure coding practices.
We observed a wide adoption of the authentication and authorization features provided by Spring Security---a third-party framework designed to secure enterprise applications. We found that programming challenges are usually related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring Security. In addition, we reported multiple security vulnerabilities in the suggested code of accepted answers on the StackOverflow forum. The vulnerabilities included disabling the default protection against Cross-Site Request Forgery (CSRF) attacks, breaking SSL/TLS security through bypassing certificate validation, and using insecure cryptographic hash functions. Our findings reveal the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practices.
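As an added illustration of the certificate-validation finding (this is not code from the paper or from the StackOverflow posts it studied): the trust-all X509TrustManager pattern that bypasses validation, beside a hardened alternative that keeps PKIX validation enabled while trusting one explicitly supplied certificate. The class name, the PEM file path and the URL argument are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsTrustExample {

    // INSECURE: the pattern reported in accepted answers. Every check is a no-op,
    // so any certificate is accepted and TLS no longer authenticates the server.
    // Shown only for contrast; it is never installed below.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // HARDENED: the usual reason for trusting everything is a self-signed or
    // private-CA certificate. Load that one certificate into a dedicated
    // in-memory truststore and let the platform's PKIX TrustManager validate
    // the chain against it. Validation still runs; only the trust anchor changes.
    static SSLContext contextTrusting(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate anchor;
        try (InputStream in = new FileInputStream(pemPath)) {
            anchor = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty truststore, not the JDK cacerts
        ks.setCertificateEntry("server", anchor);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());  // PKIX on standard JDKs
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java TlsTrustExample <server-cert.pem> <https-url>  (placeholders)
    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextTrusting(args[0]);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification stays at its default; do not replace it with
        // a verifier that returns true, which would reopen the same hole.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The hardened form fails loudly with an SSLHandshakeException when the presented chain does not lead to the supplied anchor, which is the behaviour the trust-all answers silently discard.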
TITLE
Secure coding practices in Java: challenges and vulnerabilities