Web forums are a great place for programmers and software developers to exchange knowledge and find answers to specific coding puzzles. Unfortunately, they are not always a source of accurate information.
A team of researchers at Virginia Tech analyzed hundreds of posts on Stack Overflow, a popular developer Q&A site, and found that many of the developers who provided answers were not aware of the security implications of their coding choices and showed a lack of cyber security training.
They also found that the most popular posts or answers sometimes contained insecure suggestions that would introduce security holes into the software, while the correct fixes were less popular and harder to find because they were provided by users with lower reputation scores.
The social dynamics between askers and answerers therefore appear to have a real impact on people's security choices.
Get the security right
The researchers focused, from a software engineering and security perspective, on posts related to Java security, and in particular on issues related to Spring Security, a third-party Java framework that provides authentication, authorization, and other security features for enterprise applications.
Spring Security was designed to facilitate secure coding, but it was clear that many programmers found its APIs too complex and poorly documented, and its runtime error reporting confusing.
“In addition, multilingual support for retrieving data is quite weak. Multilingual situations are common in secure applications, because often data is encrypted in one programming language (e.g. Python) and decrypted in another (e.g. Java). These issues can seriously hamper developer productivity.”
Developers often get frustrated when they spend too much time working out the proper use of these APIs, and frequently opt for completely insecure workarounds instead, such as using outdated cryptographic hash functions, disabling cross-site request forgery (CSRF) protection, trusting all certificates in HTTPS authentication, or using outdated communication protocols.
“These poor coding practices, if used in production code, can seriously compromise the security of software products,” the researchers noted.
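The contrast between the copy-pasted workaround and a configuration that keeps the protections on, as an added example that is not from the article or the researchers' paper. It assumes the Spring Security 5.x configuration style (WebSecurityConfigurerAdapter) and the hypothetical path allow-list `/public/**`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// For contrast, the recurring copy-pasted "fix" for a 403 on POST requests:
//     http.csrf().disable().authorizeRequests().anyRequest().permitAll();
@Configuration
@EnableWebSecurity
public class HardenedWebConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Keep CSRF protection; this repository lets browser-side JavaScript
            // read the token cookie and echo it back in a request header.
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
            // Authenticate everything except a small public allow-list (assumed paths).
            .authorizeRequests()
                .antMatchers("/", "/public/**").permitAll()
                .anyRequest().authenticated()
            .and()
            // Force HTTPS and emit HSTS so browsers stop using plain HTTP at all.
            .requiresChannel().anyRequest().requiresSecure()
            .and()
            .headers().httpStrictTransportSecurity()
                .includeSubDomains(true).maxAgeInSeconds(31536000)
            .and().and()   // first and(): back to headers(); second: back to http
            .formLogin();
    }

    // Adaptive password hash instead of an outdated digest such as MD5 or SHA-1.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }
}
```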
Everyone is advised to participate
“The significance of this work is that we provide empirical evidence of a large number of worrying security coding issues that have not been previously reported. These problems are due to a variety of reasons, including the rapid growth of enterprise security applications, lack of security training for software developers, and poorly designed security repositories,” the researchers noted.
They recommend that designers remove or deprecate weak security APIs, design simplified APIs, implement strong security defenses by default, and design clean and helpful error reporting interfaces that also include possible root causes and solutions.
Developers, on the other hand, should insist on security reviews and conduct security tests to check that the implemented functionality works as expected. Popular and accepted answers on Stack Overflow and similar community sites and forums should be taken with a grain of salt, and their accuracy verified independently where possible.
Recent studies have shown that highly ranked but inadequate programming web tutorials also introduce vulnerabilities into software.
Finally, tool builders should consider enabling their tools to automatically diagnose security errors and suggest security patches or solutions.
“Build vulnerability prevention techniques that compare peer applications using the same set of APIs to infer and warn of potential misuse. Explore ways to check and enforce semantic consistency among security-related annotations, code, and configuration. Build new approaches to transform the implementation of declarative and programmatic security,” the researchers concluded.
Editor's summary: When programmers or software developers run into problems while coding, it is fine to search web forums, ask an expert, or work it out themselves, but they must be aware of the security implications of their coding choices. The wrong choice can seriously affect enterprise software products, so secure coding is everyone's responsibility.
This article was compiled by Aliju Security; the original link is https://www.helpnetsecurity.com/2017/10/03/secure-coding-java/
Aliju Security
Aliju Security (http://jaq.alibaba.com), produced by the Alibaba Security Department, provides Internet business security solutions for enterprises and developers, covering mobile security, data risk control, content security, real-person authentication and other areas. It was the first in the industry to propose “business-centric security”, sharing with the ecosystem, Alibaba Group and the industry the professional security capability accumulated over many years.