Slashdot Mirror
Java Coders Are Getting Bad Security Advice From Stack Overflow (helpnetsecurity.com)
Slashdot reader Orome1 quotes Help Net Security:
A group of Virginia Tech researchers has analyzed hundreds of posts on Stack Overflow, a popular developer forum/Q&A site, and found that many of the developers who offer answers do not appear to understand the security implications of coding options, showing a lack of cybersecurity training. Another thing they discovered is that, sometimes, the most upvoted posts/answers contain insecure suggestions that introduce security vulnerabilities in software, while correct fixes are less popular and visible simply because they have been offered by users with a lower reputation score...
The researchers concentrated on posts relevant to Java security, from both software engineering and security perspectives, and on posts addressing questions tied to Spring Security, a third-party Java framework that provides authentication, authorization and other security features for enterprise applications... Developers are frustrated when they have to spend too much time figuring out the correct usage of APIs, and often end up choosing completely insecure-but-easy fixes such as using obsolete cryptographic hash functions, disabling cross-site request forgery protection, trusting all certificates in HTTPS verification, or using obsolete communication protocols. "These poor coding practices, if used in production code, will seriously compromise the security of software products," the researchers pointed out.
The researchers blame "the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries." Among their suggested solutions: new developer tools which can recognize security errors and suggest patches.
The researchers concentrated on posts relevant to Java security, from both software engineering and security perspectives, and on posts addressing questions tied to Spring Security, a third-party Java framework that provides authentication, authorization and other security features for enterprise applications... Developers are frustrated when they have to spend too much time figuring out the correct usage of APIs, and often end up choosing completely insecure-but-easy fixes such as using obsolete cryptographic hash functions, disabling cross-site request forgery protection, trusting all certificates in HTTPS verification, or using obsolete communication protocols. "These poor coding practices, if used in production code, will seriously compromise the security of software products," the researchers pointed out.
The researchers blame "the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries." Among their suggested solutions: new developer tools which can recognize security errors and suggest patches.
You mean advice from people who spend more time hanging out on Stack Exchange and less time actually writing production code is turning out to be less correct than advice from people who talk less and do more? Color me surprised. (Not.)
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
News flash, heavily simplified programming snippets for the purposes of example and education are probably not suitable for a production environment.
If people simply hired web developers, most web hacking shit would be gone over fucking night.
Thanks for the chuckle.
Not really the fault of the language....
Of course the secure 'solutions' should take note that something is deeply wrong with how they go about providing secure options when this happens so much.
People don't do this because they like being insecure, they do it because it's easier.
Disabling CSRF is popular because it's *generally* implemented in a pain-in-the-ass way. Not only in a pain in the ass way, but it seems every five seconds another framework comes up with a slightly different approach to CSRF that isn't any better or worse than the myriad of approaches already. One massive improvement on that front in general would be to disable all that crap if no referrer is set at all, which would solve 99% of the situations where people feel compelled to weaken CSRF protection (non-browser automation).
There are two accepted approaches for TLS if you are note doing things for internet sites: Maintain a convoluted CA setup or if you can't bring yourself to do that, well, disabling it is the only other easy way provided. In my software I tend to provide option of treating TLS software similar to ssh known hosts if CA verification is not an issue, and users are never bothered, until something does go awry.
Using obsolete communication protocols and hashes is generally the consequence of having to interact with data or equipment or older setups. Sure some of it is just people got taught that specific way once upon a time directly addressing low level crypto functions, but a lot is intentional. Of course this is a problem that propagates, new interface to old setup uses old protocol, new thing to talk to new thing, well might as well use old protocol there.
XML is like violence. If it doesn't solve the problem, use more.
Not really the fault of the language....
No. It's the fault of the universities that say "This is a great teaching language! We don't have to waste our time on the fundamentals at all! We can just dive right in and start creating classes without understanding niceties like where my variables are actually stored!"
Java is okay for what it is, but if you make it the foundational language for your students, those students will be shite programmers.
People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
So, I agree with all the haterade at SO and all the things it does wrong and stuff. But let's take a moment of reflection and see if maybe we as a community also did something wrong.
My opinion is that it's a total lack of actually useful documentation. And by that I mean there's almost always documentation, but it's at a level of specificity that makes it totally useless.
By way of analogy, imagine getting into an airplane and there's tons of man pages for each instrument like "The throttle control the amount of forward thrust generated by the engines. It has three auto-throttle modes for speed, trim and power, you can enable those modes by setting the auto-throttle switch to the ON position and adjusting the rotary dial to the desired mode. The power mode cannot be used while the autopilot for level is set."
And so on there's documentation on every little thing but nowhere does it actually explain how the hell to fly a plane.
There are projects whose documentation is exactly like this. They are full of great (and useful) detail about how the parts work but there is no place that explains how the whole project works at a general level and how to get it off the ground.
There are two ways to view programming, both of which are very important to understand. There is an abstract model view of programming, and that's what Java could be good at. Except that something like Scheme is ever better at this. This is supposed to be a high level view of what what algorithms actually are as a concept, rather than the implementation details at a machine level.
But you also need the low level view, how things actually get done. If your only model of a program is a bunch of magical black box operators that all take 0 time and space, you can't think well about the problem. Big-Oh notation is meaningless if you don't know what you're measuring. Missing this knowledge is a major hindrance, and yet so many don't realize they have this flaw.
You certainly won't be any good at even basic security without having both an abstract and a concrete model.