Slashdot Mirror


Java Coders Are Getting Bad Security Advice From Stack Overflow (helpnetsecurity.com)

Slashdot reader Orome1 quotes Help Net Security: A group of Virginia Tech researchers has analyzed hundreds of posts on Stack Overflow, a popular developer forum/Q&A site, and found that many of the developers who offer answers do not appear to understand the security implications of coding options, showing a lack of cybersecurity training. Another thing they discovered is that, sometimes, the most upvoted posts/answers contain insecure suggestions that introduce security vulnerabilities in software, while correct fixes are less popular and visible simply because they have been offered by users with a lower reputation score...

The researchers concentrated on posts relevant to Java security, from both software engineering and security perspectives, and on posts addressing questions tied to Spring Security, a third-party Java framework that provides authentication, authorization and other security features for enterprise applications... Developers are frustrated when they have to spend too much time figuring out the correct usage of APIs, and often end up choosing completely insecure-but-easy fixes such as using obsolete cryptographic hash functions, disabling cross-site request forgery protection, trusting all certificates in HTTPS verification, or using obsolete communication protocols. "These poor coding practices, if used in production code, will seriously compromise the security of software products," the researchers pointed out.

The researchers blame "the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries." Among their suggested solutions: new developer tools which can recognize security errors and suggest patches.
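The four insecure-but-easy fixes named above (obsolete hash functions, disabled CSRF protection, trust-all certificate checks, obsolete TLS/SSL protocol names) and the suggested remedy of developer tools that recognize such errors and suggest patches can be illustrated together with a small pattern-based checker. The code below is an added example written for this page; it is not the Virginia Tech researchers' tool, nor code from the article or from Spring Security. The regular expressions are heuristic and hypothetical, the `Finding` class and `scan` function are names chosen here, and the Java source it scans is constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    """One flagged location in a Java source file."""
    line: int
    rule: str
    suggestion: str


# Hypothetical heuristics for the four practices named in the article.
# Each rule is (name, pattern, suggested fix). They match source text, not
# semantics, so they are a starting point for review, not a proof of safety.
RULES = [
    ("weak-hash",
     re.compile(r'MessageDigest\.getInstance\(\s*"(MD2|MD5|SHA-?1)"\s*\)'),
     'use MessageDigest.getInstance("SHA-256"), or PBKDF2/bcrypt for passwords'),
    ("trust-all-certs",
     # checkServerTrusted(...) with an empty body accepts any server certificate
     re.compile(r'checkServerTrusted\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}'),
     "drop the custom TrustManager; use the default trust store with hostname verification"),
    ("obsolete-protocol",
     re.compile(r'SSLContext\.getInstance\(\s*"(SSLv2|SSLv3|TLSv1|TLSv1\.1)"\s*\)'),
     'request SSLContext.getInstance("TLSv1.2") or newer'),
    ("csrf-disabled",
     # both the classic chained form and the lambda-customizer form
     re.compile(r'\.csrf\(\)\s*\.disable\(\)|csrf\s*->\s*csrf\.disable\(\)'),
     "keep Spring Security CSRF protection enabled for browser-facing endpoints"),
]


def scan(source: str) -> list[Finding]:
    """Return findings sorted by line number for one Java source string."""
    findings = []
    for rule, pattern, suggestion in RULES:
        for m in pattern.finditer(source):
            # line number = newlines before the match start, plus one
            line = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, rule, suggestion))
    return sorted(findings, key=lambda f: f.line)


def report(source: str) -> list[str]:
    """Human-readable lines, one per finding."""
    return [f"line {f.line}: {f.rule}: {f.suggestion}" for f in scan(source)]


# Constructed sample: a Java class that contains each of the four practices
# plus one correct SHA-256 call that must not be flagged.
SAMPLE_JAVA = '''\
import java.security.MessageDigest;
import javax.net.ssl.*;
import java.security.cert.X509Certificate;

public class Example {
    static byte[] digest(byte[] data) throws Exception {
        return MessageDigest.getInstance("MD5").digest(data);
    }
    static TrustManager[] trustAll() {
        return new TrustManager[] { new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return null; }
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
        } };
    }
    static SSLContext ctx() throws Exception {
        return SSLContext.getInstance("SSLv3");
    }
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().anyRequest().authenticated();
    }
    static byte[] ok(byte[] d) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(d);
    }
}
'''

if __name__ == "__main__":
    for line in report(SAMPLE_JAVA):
        print(line)
```

Running it flags the MD5 call, the empty `checkServerTrusted`, the `SSLv3` context and the `csrf().disable()` chain, and leaves the SHA-256 call alone. A real tool would work on the parsed AST rather than regexes (a `checkServerTrusted` body that merely logs is just as permissive but would slip past this pattern), which is exactly the kind of tooling the article's authors call for.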

3 of 236 comments

  1. Re:Look at the time investments. by johannesg · · Score: 4, Interesting

    ...harsh treatment of new users...

    I decided to help out on stack overflow for a while, answering C++ questions. I stopped doing that after I found that my answers were getting downvoted to minus infinity, and then copied _word for word_ by other people who would receive massive praise for it. It was, by and large, not at all a good experience.

  2. Re:Java is in and of itself bad advice by zieroh · · Score: 3, Interesting

    Not really the fault of the language....

    No. It's the fault of the universities that say "This is a great teaching language! We don't have to waste our time on the fundamentals at all! We can just dive right in and start creating classes without understanding niceties like where my variables are actually stored!"

    Java is okay for what it is, but if you make it the foundational language for your students, those students will be shite programmers.

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.

  3. Re:Look at the time investments. by Anonymous Coward · · Score: 3, Interesting

    StackExchange is a mob democracy, not a meritocracy. People don't up-vote something because it's correct, they vote it because they think they can understand it.

    One such situation is burned into my mind and about when I stopped participating on StackExchange. I had a question about C#, to which I got several people saying what they thought was intuitive, but I said that flew in the face of the definition of the interface. I asked the question on MSDN, got an answer from the lead dev of the .Net framework who said the current implementation was doing exactly what I thought it was and not what the others thought it should be doing. He admitted it was a flaw of following the code contract too strictly.

    I then linked the MSDN response to the StackOverflow discussion and immediately got downvoted and everything saying I was incorrect. WTF?! One lone person came to defend me by disassembling the resulting bytecode and showing what I said was true for all current versions of the .Net framework at the time. They also got downvoted into oblivion. MS did eventually change the behavior of the framework to match "expectations", but the way the community responded was a mixture of denial and mob mentality.

    I have experienced a few other such situations and eventually just stopped participating. StackOverflow is mostly full of mediocre people voting each other with a few unicorns that made the place even worthwhile.