Security Coding Practices


Secure Coding Practices in Java: Challenges and Vulnerabilities (ICSE18)


The Java platform and its third-party libraries (e.g., BouncyCastle) provide useful features to support secure coding. Developers often use the APIs defined in these libraries to efficiently build security functionalities. However, misusing these libraries and frameworks not only slows down code development but also leads to security vulnerabilities.

We conducted an empirical study of StackOverflow posts to understand developers’ concerns about Java secure coding, their programming obstacles, and insecure coding practices. We crawled security-related discussion threads based on the keywords "Java" and "security", and manually inspected 503 discussion threads. Our study revealed the following interesting findings:

While the above-mentioned study reveals the significant gap between security theory and coding practices, it is still unclear how seriously developers are misled by insecure coding practices suggested on StackOverflow (SO).

How Reliable is the Crowdsourced Knowledge of Security Implementation? (ICSE19)

We were curious whether insecure coding suggestions are prevalent on SO and, if so, whether developers can rely on the community's dynamics to choose secure suggestions over insecure ones. Therefore, we conducted a second empirical study. We crawled SO answer posts with code suggestions, and then leveraged Java Baker to extract any security-related implementation. We further applied clone detection to the extracted code data for sampling. Next, we manually inspected the sampled data to decide whether each snippet was implemented in a secure or insecure way. We made our decisions based on the security API misuse patterns revealed by other researchers. We observed the following alarming phenomena: