Security Coding Practices


Coding Practices and Recommendations of Spring Security for Enterprise Applications (SecDev20)

Spring Security is widely used by practitioners because it makes securing enterprise applications easy. In this paper, we study application framework misconfiguration vulnerabilities in the context of Spring Security, an area that is relatively understudied in the existing literature. Towards that goal, we identified six types of security anti-patterns and four insecure vulnerable defaults through a measurement-based study of 28 Spring applications. Our analysis shows that the identified security anti-patterns and insecure defaults can leave enterprise applications vulnerable to a wide range of high-risk attacks. To prevent these attacks, we also provide recommendations for practitioners. So far, our study has contributed one update to the official Spring Security documentation; the other security issues identified in this study are being considered for future major releases by the Spring Security community.

DroidCat: Effective Android Malware Detection and Categorization via App-Level Profiling (TIFS19)

Most existing Android malware detection and categorization techniques are static approaches, which are susceptible to evasion attacks such as obfuscation. By analyzing program behaviors, dynamic approaches are potentially more resilient against these attacks. Yet existing dynamic approaches mostly characterize system calls, which are themselves subject to system-call obfuscation. This paper presents DroidCat, a novel dynamic app classification technique, to complement existing approaches. By using a diverse set of dynamic features based on method calls and inter-component communication (ICC) Intents, DroidCat achieves better robustness than both static approaches and dynamic approaches that rely on system calls.

The features were distilled from a behavioral characterization study of benign and malicious apps. Through three comprehensive empirical studies with 34,343 apps, we demonstrated that DroidCat stably achieved high classification performance and outperformed two state-of-the-art peer techniques. Overall, DroidCat achieved a 97% F1-measure for classifying apps. When detecting and categorizing malware, DroidCat obtained 16%--27% higher accuracy than the two baseline techniques. We also investigated the effects of different design choices on DroidCat's effectiveness, and found that the features representing the distributions of method calls to user-defined APIs and library APIs are more important than the other features.

How Reliable is the Crowdsourced Knowledge of Security Implementation? (ICSE19)

We were curious whether insecure coding suggestions are common on SO and, if so, whether developers can rely on the community's dynamics to choose secure suggestions over insecure ones. Therefore, we conducted a second empirical study. We crawled SO answer posts with code suggestions, and then leveraged Java Baker to extract any security-related implementation. We further applied clone detection to the extracted code data for sampling. Next, we manually inspected the sampled data to decide whether each snippet was implemented in a secure or insecure way, basing our decisions on the security API misuse patterns revealed by other researchers. We observed the following alarming phenomena:

Secure Coding Practices in Java: Challenges and Vulnerabilities (ICSE18)


The Java platform and its third-party libraries (e.g., BouncyCastle) provide useful features to support secure coding. Developers often use the APIs defined in these libraries to efficiently build security functionality. However, misusing these libraries and frameworks not only slows down development but can also lead to security vulnerabilities.

We conducted an empirical study on StackOverflow posts to understand developers' concerns about Java secure coding, their programming obstacles, and insecure coding practices. We crawled security-related discussion threads based on the keywords "Java" and "security", and manually inspected 503 discussion threads. Our study revealed the following interesting findings:

While the above-mentioned study reveals a significant gap between security theory and coding practice, it is still unclear how seriously developers have been misled by insecure coding practices suggested on StackOverflow (SO). Therefore, we conducted a larger-scale empirical study that examines the popularity of insecure coding suggestions on StackOverflow and the community's feedback on those suggestions.