Slashdot Mirror


Java Coders Are Getting Bad Security Advice From Stack Overflow (helpnetsecurity.com)

Slashdot reader Orome1 quotes Help Net Security: A group of Virginia Tech researchers has analyzed hundreds of posts on Stack Overflow, a popular developer forum/Q&A site, and found that many of the developers who offer answers do not appear to understand the security implications of coding options, showing a lack of cybersecurity training. Another thing they discovered is that, sometimes, the most upvoted posts/answers contain insecure suggestions that introduce security vulnerabilities in software, while correct fixes are less popular and visible simply because they have been offered by users with a lower reputation score...

The researchers concentrated on posts relevant to Java security, from both software engineering and security perspectives, and on posts addressing questions tied to Spring Security, a third-party Java framework that provides authentication, authorization and other security features for enterprise applications... Developers are frustrated when they have to spend too much time figuring out the correct usage of APIs, and often end up choosing completely insecure-but-easy fixes such as using obsolete cryptographic hash functions, disabling cross-site request forgery protection, trusting all certificates in HTTPS verification, or using obsolete communication protocols. "These poor coding practices, if used in production code, will seriously compromise the security of software products," the researchers pointed out.

The researchers blame "the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries." Among their suggested solutions: new developer tools which can recognize security errors and suggest patches.
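The four "insecure-but-easy fixes" the researchers list (obsolete hash functions, trusting all certificates, obsolete protocols, disabled CSRF protection) are concrete Java idioms, so here is an added example contrasting three of them with the plain-JDK alternative. This is illustrative code written for this page, not code from the Virginia Tech study or from Stack Overflow; the class name, the sample password, the salt length and the PBKDF2 iteration count are assumptions, and it needs a JDK that supports TLS 1.3 (11 or later). The CSRF case is omitted because it only exists inside Spring Security and cannot be shown without the framework on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class InsecureVsSecure {

    // INSECURE: the classic "trust all certificates" answer. The empty check methods
    // accept any chain, so an on-path attacker can terminate TLS with any certificate.
    // "SSL" as the protocol name is the obsolete-protocol idiom from the same answers.
    static SSLContext trustAllContext() throws GeneralSecurityException {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("SSL");
        ctx.init(null, trustAll, new SecureRandom());
        // The usual companion line, which disables hostname checking process-wide:
        // HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
        return ctx;
    }

    // SECURE: passing null for the TrustManager[] keeps the platform CA trust store,
    // and the named protocol rules out anything older than TLS 1.3.
    static SSLContext defaultTlsContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, null, null);
        return ctx;
    }

    // For raw SSLSocket use, hostname verification is off unless you enable it here;
    // HttpsURLConnection does it for you unless someone installed the verifier above.
    static SSLParameters hardenedParameters(SSLContext ctx) {
        SSLParameters p = ctx.getDefaultSSLParameters();
        p.setProtocols(new String[] { "TLSv1.3", "TLSv1.2" });
        p.setEndpointIdentificationAlgorithm("HTTPS");
        return p;
    }

    // INSECURE: unsalted, fast hash for a password. Identical passwords give identical
    // hashes and a GPU tries billions of guesses per second.
    static String md5Password(String password) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("MD5")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // SECURE (with what the JDK ships): salted, iterated PBKDF2-HMAC-SHA256, stored as
    // "iterations$salt$hash". Prefer Argon2 or bcrypt if a vetted library is available.
    static String pbkdf2Password(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        Base64.Encoder b64 = Base64.getEncoder();
        return iterations + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    static boolean verifyPbkdf2(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        KeySpec spec = new PBEKeySpec(password, salt, iterations, expected.length * 8);
        byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        SSLContext bad = trustAllContext();
        SSLContext good = defaultTlsContext();
        System.out.println("insecure context protocol: " + bad.getProtocol());
        System.out.println("secure context protocol:   " + good.getProtocol());
        System.out.println("hardened socket protocols: "
                + Arrays.toString(hardenedParameters(good).getProtocols()));

        byte[] salt = new byte[16];                 // assumption: 16-byte random salt
        new SecureRandom().nextBytes(salt);
        String stored = pbkdf2Password("correct horse".toCharArray(), salt, 600_000);
        System.out.println("md5 (same for every user with this password): "
                + md5Password("correct horse"));
        System.out.println("pbkdf2 record: " + stored);
        System.out.println("verify correct password: "
                + verifyPbkdf2("correct horse".toCharArray(), stored));
        System.out.println("verify wrong password:   "
                + verifyPbkdf2("wrong".toCharArray(), stored));
    }
}
```

Compile and run with `javac InsecureVsSecure.java && java InsecureVsSecure`. The point of the trust-all section is that it compiles and "fixes" the `SSLHandshakeException` a questioner was hitting, which is exactly why it gets upvoted; the real fix is to import the missing CA into the trust store, not to stop checking.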

5 of 236 comments

  1. Stackoverflow is popular, but PITA by Anonymous Coward · Score: 2, Interesting

    I thought I would try and help people out on Stackoverflow.

    I posted some code, but AFAICT I could not just post it in , I had to indent every line by 4 spaces. PITA.

    I clarified why a user was getting an error message, and my answer was marked down because some anal type thought it was a comment not an answer, and new users cannot comment, only answer. PITA

    A questioner added a comment to ask for an extra feature in my answer, and I could not reply to his comment, because new users cannot comment, only answer.

    I gave up.
    I suspect many people with valuable knowledge to impart will have done likewise, and left Slackoverflow to the anal badge collectors that appear to rule it.

  2. Re:Look at the time investments. by johannesg · Score: 4, Interesting

    ...harsh treatment of new users...

    I decided to help out on stack overflow for a while, answering C++ questions. I stopped doing that after I found that my answers were getting downvoted to minus infinity, and then copied _word for word_ by other people who would receive massive praise for it. It was, by and large, not at all a good experience.

  3. Re:Java is in and of itself bad advice by zieroh · Score: 3, Interesting

    Not really the fault of the language....

    No. It's the fault of the universities that say "This is a great teaching language! We don't have to waste our time on the fundamentals at all! We can just dive right in and start creating classes without understanding niceties like where my variables are actually stored!"

    Java is okay for what it is, but if you make it the foundational language for your students, those students will be shite programmers.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.

  4. Re:Look at the time investments. by Anonymous Coward · Score: 3, Interesting

    StackExchange is a mob democracy, not a meritocracy. People don't upvote something because it's correct, they vote for it because they think they can understand it.

    One such situation is burned into my mind and about when I stopped participating on StackExchange. I had a question about C#, to which I got several people saying what they thought was intuitive, but I said that flew in the face of the definition of the interface. I asked the question on MSDN, got an answer from the lead dev of the .Net framework who said the current implementation was doing exactly what I thought it was and not what the others thought it should be doing. He admitted it was a flaw of following the code contract too strictly.

    I then linked the MSDN response to the StackOverflow discussion and immediately got downvoted and everything saying I was incorrect. WTF?! One lone person came to defend me by disassembling the resulting bytecode and showing what I said was true for all current versions of the .Net framework at the time. They also got downvoted into oblivion. MS did eventually change the behavior of the framework to match "expectations", but the way the community responded was a mixture of denial and mob mentality.

    I have experienced a few other such situations and eventually just stopped participating. StackOverflow is mostly full of mediocre people voting for each other, with a few unicorns that made the place even worthwhile.

  5. Re:I trust advice from people who dislike Rust. by Junta · Score: 2, Interesting

    I think there's room for "I've looked at rust, it might be a good idea, but not to the extent it is hyped".

    I will concur that I see too many folks saying roughly "oh yeah, Java/Javascript/(etc.) are so much less secure than rust". Those people obviously don't understand *why* rust has the claims about security and/or have a really piss-poor understanding of other languages. It also implies a huge misunderstanding about security in general, that a language design can fix the most usual offenders nowadays (it's generally poor design rather than some sort of buffer overflow or use after free). It is over-hyped and way too many people champion it without understanding, other than it being hip to be novel. Hype indeed can inspire a healthy wave of skepticism. Particularly after Go went through just about the exact same hype cycle about 5 minutes ago and has much of the same benefits.

    Rust has some decent concepts as a "c-like" language, but with far less tedium around making sure you don't go off into undesired places when your code executes. While most security problems stem from design, there are certainly problems that are still caused by careless mistakes with pointers taken at face value.

    --
    XML is like violence. If it doesn't solve the problem, use more.