Secure Coding Practices in Java: Challenges and Vulnerabilities

Java platform and third-party libraries provide functionalities to facilitate secure coding. However, misusing these functionalities can cost developers tremendous time and effort, or introduce security vulnerabilities in software. Prior research focused on the misuse of cryptography and SSL APIs, but did not explore the fundamental research question: what are the biggest challenges and vulnerabilities in secure coding practices? In this paper, we conducted a broader empirical study on StackOverflow posts to understand developers’ concerns on Java secure coding, their programming obstacles, and the potential vulnerabilities in their code. We observed that developers have shifted their effort to the usage of authentication and authorization features provided by Spring Security—a third-party framework designed to secure enterprise applications. The programming challenges are all related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring Security. More interestingly, we identified security vulnerabilities in the suggested code of accepted answers. The vulnerabilities included using insecure hash functions (e.g., MD5), breaking SSL/TLS security through bypassing certificate validation, and insecurely disabling the default protection against Cross Site Request Forgery attacks. Our findings reveal the insufficiency of secure coding assistance and documentation, as well as the gap between security theory and coding practices.