Secure Coding Practices in Java 1 Challenges and

  • Slides: 13
Download presentation
Secure Coding Practices in Java: 1 Challenges and Vulnerabilities Present by: Ying Zhang 1

Secure Coding Practices in Java: 1 Challenges and Vulnerabilities Present by: Ying Zhang 1 Meng, Na, et al. "Secure coding practices in java: Challenges and vulnerabilities. " 2018 Conference on Software Engineering (ICSE). IEEE, 2018. IEEE/ACM 40 th International

Background • Stack Overflow • Question & Answers • Security issues • Java platform

Background • Stack Overflow • Question & Answers • Security issues • Java platform security • Java EE security • Third-party frameworks

Background • Java Platform security • Java Cryptography Architecture (JCA) • Java EE security

Background • Java Platform security • Java Cryptography Architecture (JCA) • Java EE security • Third-party security https: //www. google. com/url? sa=i&source=images&cd=&cad=rja&uact=8&ved=2 ah. UKEwjvs. LPmurfg. Ah. VBdt 8 KHW 7 PDSg. Qj. Rx 6 BAg. BEAU&url=http%3 A%2 F%2 Fwww. itcsolutions. eu%2 F 2011%2 F 08%2 F 22%2 Fhow-to-use-bouncy-castle-cryptographic-api-innetbeans-or-eclipse-for-java-jse-projects%2 F&psig=AOv. Vaw 0 TNr. SKrd 1 b. DQGk 9 Ho 11 qt. I&ust=1550104159828120

Methodology • Crawl posts from Stack Overflow • Filtering posts • Characterized relevant posts

Methodology • Crawl posts from Stack Overflow • Filtering posts • Characterized relevant posts based on their security concerns, programming challenges, and security vulnerabilities Figure 1: Taxonomy of Stack. Overflow posts 1

Questions • What are the common security concerns of developers? • What are the

Questions • What are the common security concerns of developers? • What are the common programming challenges? • What are the common security vulnerabilities?

Common Security Concerns-Distribution • Implementation questions • Developers need more help to secure Java

Common Security Concerns-Distribution • Implementation questions • Developers need more help to secure Java enterprise applications Security concerns 3% 12% 30% 55% Spring security Java platform security Java EE security Other

Common Security Concerns - Interests • Security related posts number increased • Developers’ security

Common Security Concerns - Interests • Security related posts number increased • Developers’ security interests shifted to enterprise application security • Secure communication posts received the highest percentage of favorite vote Figure 3: posts distribution during 2008 to 2016, developers’ interests towards the security features 1

Program Challenges • Authentication • Integrate Spring Security with different application servers and frameworks

Program Challenges • Authentication • Integrate Spring Security with different application servers and frameworks • Configure Spring Security using XML or Java • Convert XML-based configurations to Java-based ones

Program Challenges • Cryptography • Poor error messages • Difficult to implement security with

Program Challenges • Cryptography • Poor error messages • Difficult to implement security with multiple programming languages • Implicite constraints on API usage

Program Challenges • Java EE security • Authentication & Authorization • Access control •

Program Challenges • Java EE security • Authentication & Authorization • Access control • Secure Communication • SSL/TLS

Security Vulnerabilities • Spring Security’s csrf() • Disabling CSRF pretection • SSL/TLS • Password

Security Vulnerabilities • Spring Security’s csrf() • Disabling CSRF pretection • SSL/TLS • Password Hashing

Recommendations • Developers should conduct security testing to check whether features work as expected.

Recommendations • Developers should conduct security testing to check whether features work as expected. • Library designers should deprecate APIs not intended to be used anymore • Tool builders can help by creating automatic tools to diagnose security errors

Questions ?

Questions ?

BIG SIX SECURE CODING WAT IS SECURE CODINGBIG SIX SECURE CODING WAT IS SECURE CODING
SECURE INTERNET SECURE GENERATIONS SECURE INTERNET SECURE GENERATIONSSECURE INTERNET SECURE GENERATIONS SECURE INTERNET SECURE GENERATIONS
Beginning Coding CodeaPillars and Beebots Why Coding CodingBeginning Coding CodeaPillars and Beebots Why Coding Coding
Coding in noisy channel Source coding Channel codingCoding in noisy channel Source coding Channel coding
Coding Coding n What is coding In qualitativeCoding Coding n What is coding In qualitative
Coding 101 Taken from Beginning Coding Intermediate CodingCoding 101 Taken from Beginning Coding Intermediate Coding
Intro to Coding What is Coding Coding isIntro to Coding What is Coding Coding is
Coding Coding n What is coding In qualitativeCoding Coding n What is coding In qualitative
CODING E PENSIERO COMPUTAZIONALE Coding Per Coding siCODING E PENSIERO COMPUTAZIONALE Coding Per Coding si
Huffman Coding Slide 1 Huffman Coding Huffman codingHuffman Coding Slide 1 Huffman Coding Huffman coding
Engineering Secure Software DEFENSIVE CODING TECHNIQUES Defensive CodingEngineering Secure Software DEFENSIVE CODING TECHNIQUES Defensive Coding
Secure Coding CSH 6 Chapter 38 Writing SecureSecure Coding CSH 6 Chapter 38 Writing Secure