Secure coding in Java: Bad online advice and confusing APIs

For programmers and software developers, the Internet forums provide a great place to exchange knowledge and seek answers to concrete coding conundrums. Alas, they are not always the source of accurate information.

A group of Virginia Tech researchers has analyzed hundreds of posts on Stack Overflow, a popular developer forum/Q&A site, and found that many of the developers who offer answers do not appear to understand the security implications of coding options, showing a lack of cybersecurity training.

Another thing they discovered is that, sometimes, the most upvoted posts/answers contain insecure suggestions that introduce security vulnerabilities in software, while correct fixes are less popular and visible simply because they have been offered by users with a lower reputation score.

So, the social dynamics among askers and responders definitely have an impact on people’s security choices.

Getting security right

The researchers concentrated on posts relevant to Java security, from both software engineering and security perspectives, and on posts addressing questions tied to Spring Security, a third-party Java framework that provides authentication, authorization and other security features for enterprise applications.

Spring Security is meant to facilitate security coding, but it’s obvious that many coders find its APIs too complicated and poorly documented, and error reports from runtime systems confusing.

“In addition, multi-language support for securing data is rather weak. The multi-language situation is common in security applications, as oftentimes the data is encrypted in one programming language (e.g., Python) and decrypted in another (e.g., Java). These issues can seriously hinder developers’ productivity.”

Developers are frustrated when they have to spend too much time figuring out the correct usage of APIs, and often end up choosing completely insecure-but-easy fixes such as using obsolete cryptographic hash functions, disabling cross-site request forgery protection, trusting all certificates in HTTPS verification, or using obsolete communication protocols.

“These poor coding practices, if used in production code, will seriously compromise the security of software products,” the researchers pointed out.

Advice for everyone involved

“The significance of this work is that we provided empirical evidence for a significant number of alarming secure coding issues, which have not been previously reported. These issues are due to a variety of reasons, including the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries,” the researchers noted.

They advise library designers to remove or deprecate the APIs with weak security, to design simplified APIs with strong security defenses implemented by default, and to design clean and helpful error reporting interfaces that will also include possible root causes and solutions.

Developers, on the other hand, should definitely avoid disabling security checks, and conduct security testing to check whether the implemented features work as expected. Popular and accepted answers on Stack Overflow and other similar community sites and forums should be taken with a grain of salt, and their accuracy checked independently (if at all possible).

Recent related research revealed that top-ranked but insufficiently reviewed programming Web tutorials also introduce vulnerabilities into software.

Finally, tool builders should consider making them capable of automatically diagnosing security errors and suggesting security patches or solutions.

“Build vulnerability prevention techniques that compare peer applications that use the same set of APIs to infer and warn potential misuses. Explore approaches that check and enforce the semantic consistency between security-relevant annotations, code, and configurations. Build new approaches to transform between the implementations of declarative security and programmatic security,” the researchers concluded.