Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Java Programming Security The Internet

Java Coders Are Getting Bad Security Advice From Stack Overflow (helpnetsecurity.com) 236

Slashdot reader Orome1 quotes Help Net Security: A group of Virginia Tech researchers has analyzed hundreds of posts on Stack Overflow, a popular developer forum/Q&A site, and found that many of the developers who offer answers do not appear to understand the security implications of coding options, showing a lack of cybersecurity training. Another thing they discovered is that, sometimes, the most upvoted posts/answers contain insecure suggestions that introduce security vulnerabilities in software, while correct fixes are less popular and visible simply because they have been offered by users with a lower reputation score...

The researchers concentrated on posts relevant to Java security, from both software engineering and security perspectives, and on posts addressing questions tied to Spring Security, a third-party Java framework that provides authentication, authorization and other security features for enterprise applications... Developers are frustrated when they have to spend too much time figuring out the correct usage of APIs, and often end up choosing completely insecure-but-easy fixes such as using obsolete cryptographic hash functions, disabling cross-site request forgery protection, trusting all certificates in HTTPS verification, or using obsolete communication protocols. "These poor coding practices, if used in production code, will seriously compromise the security of software products," the researchers pointed out.

The researchers blame "the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries." Among their suggested solutions: new developer tools which can recognize security errors and suggest patches.
This discussion has been archived. No new comments can be posted.

Java Coders Are Getting Bad Security Advice From Stack Overflow

Comments Filter:
  • by Mal-2 ( 675116 ) on Saturday October 07, 2017 @09:42AM (#55327135) Homepage Journal

    You mean advice from people who spend more time hanging out on Stack Exchange and less time actually writing production code is turning out to be less correct than advice from people who talk less and do more? Color me surprised. (Not.)

    • by AmiMoJo ( 196126 ) on Saturday October 07, 2017 @09:51AM (#55327151) Homepage Journal

      Stack Exchange has gone the same way as Wikipedia. Most of the interesting stuff was handled long ago so there is now few interesting questions left, and content is decaying and becoming out of date because no-one can be bothered to keep it current.

      To compound the problem you have the MMORPG element where people build their characters up and create a little empire for themselves, and worse than Wikipedia you actually have stats on SE.

      Throw in a poor interface and harsh treatment of new users and the site is doomed to become a mostly static archive of bad advice. There are better communities on some of the Stack Overflow sites, but they will eventually get the same way unless things change.

      • by johannesg ( 664142 ) on Saturday October 07, 2017 @10:42AM (#55327301)

        ...harsh treatment of new users...

        I decided to help out on stack overflow for a while, answering C++ questions. I stopped doing that after I found that my answers were getting downvoted to minus infinity, and then copied _word for word_ by other people who would receive massive praise for it. It was, by and large, not at all a good experience.

        • by truedfx ( 802492 )
          Please link to one of your copied answers, even if it's been deleted. From my experience, although not all sites on the SE network treat plagiarism equally severely, SO is one of the better ones in this regard.
      • To be fair SO is still the best place to find valuable coding tips. Some snobbish Java pros criticize SO for not answering the way those big Java books are written. A 20 lines answer is not sophisticated enough... well it might actually help a lot someone. The level of an answer corresponds to that of the question. A beginner question will likely get an answer for a beginner (not necessarily written by a beginner). As for the obsolete answers, it seems the search engines gives preferably a newer answer - th
      • It's true, long gone are the days of getting 1000 upvotes for telling that the result of "1 / 2" is 0, not 0.5.

        Still, I started regularly writing answers on SO less than a year ago. I got more than 30000 points, got a golden Ruby badge and I'm close to getting it for Python. After that, I'll finally be able to write some productive code again :D

    • The best way to TRULY understand something is to teach it to someone. I've observed in my field C# that the top stack overflow answered are indeed the real experts - indeed some of them were on the C# team itself and others were given awards for the quality of their help.

    • Re: (Score:3, Interesting)

      by Anonymous Coward
      StackExchange is a mob democracy, not a meritocracy. People don't up-vote something because it's correct, they vote it because they think they can understand it.

      One such situation is burned into my mind and about when I stopped participating on StackExchange. I had a question about C#, to which I got several people saying what they thought was intuitive, but I said that flew in the face of the definition of the interface. I asked the question on MSDN, got an answer from the lead dev of the .Net framework
      • It's a bit like Yelp. The overwhelming urge to pretend to be a serious critic and post nonsense immediately. Is anyone spending a few days to research a correct answer and provide legitimate references to back it up, or do they just have a rush to get an answer in sooner and thus get more points?

        I see answers that have no resemblance to the actual questions. The reason the questions are usually asked is because they're not simple questions that can be answered with a quick google search. And yet the peop

    • >> ...The researchers concentrated on posts relevant to Java security ...

      Java security. Those two words simply do not belong together.
      It should be syntaxically forbidden to write them side by side.

  • No way! (Score:5, Insightful)

    by Anonymous Coward on Saturday October 07, 2017 @09:57AM (#55327173)

    News flash, heavily simplified programming snippets for the purposes of example and education are probably not suitable for a production environment.

    • by hey! ( 33014 )

      This of course is an enormous issue: people imprint on the first solution to a problem they understand.

      But I think more to the point here is Java's long struggle with overengineered frameworks and libraries. They tend to have a "designed by a committee" feel, and impose significant cognitive load on learners. Add to that first-solution-imprinting, and it's a recipe for trouble.

      Ulitmately, though, this is no new thing. There have always been a small number of people who produce elegant, quality code and a

    • It's more than that. The answer to "how do I get past this error" is usually a code hack, such as turning off CRL checking. With no explanation on the impact, or a need to solve it another way.

      I find great advice for solving problems on a disconnected system, but very rarely the obvious caveats. And this is but one example of the kinds of answers that aren't just simplified, but flat out wrong. You need to solve it a different way.

  • by Anonymous Coward

    I thought I would try and help people out on Stackoverflow.

    I posted some code, but AFAICT I could not just post it in , I had to indent every line by 4 spaces. PITA.

    I clarified why a user was getting an error message, and my answer was marked down because some anal type thought it was a comment not an answer, and new users cannot comment, only answer. PITA

    A questioner added a comment to ask for an extra feature in my answer, and I could not reply to his comment, because new users cannot comment, only answer

    • Well, you don't seem to be a dev anyway.

      > I posted some code, but AFAICT I could not just post it in , I had to indent every line by 4 spaces

      There is a button to indent a selection and display that as code.... what's wrong with that? (the rest is text)

      > I clarified why a user was getting an error message, and my answer was marked down because some anal type thought it was a comment not an answer, and new users cannot comment, only answer

      Many new users don't know how to behave, and spam with c
    • You probably won't see these comments since you've posted anonymously:
      1. You can highlight multiple lines of code at the same time and press the code bracket button to indent.
      2. You can edit an answer to answer a comment. This is not perfect, but the no-comment rule for new accounts is to combat spam
      3. Yes, there are anal people on there. If you find something that works better, do let me know

  • by Anonymous Coward

    Java is [garbage collecting ] very s [gc] e [gc] [gc] cure.

    The garbage collection [gc] algorithm [gc] [gc][gc] ensures that [gc] [gc][gc] you never know [gc] [gc][gc] when it will [gc] [gc] [gc] crash and [gc] [gc] can't explot [gc] [gc] [gc] common stack [gc] [gc] [gc] pointer [gc] [gc] [gc] bugs.

    Also, since java is slow [gc] [gc] [gc]thats another security feature [gc] [gc].

    fast programs crash [gc] [gc] too fast [gc] [gc]. Making exploits [gc] [gc][gc] trivial [gc] [gc].

    All operating systems should [gc] [

  • When he asks for the YouTube people to come in and film him.

    You can hope for good advice but in the long run when it comes to security features, you have to know who you are talking to, what their qualifications are and make sure they're there to support you down the road - which means you are going to pay them. "Gr8CdrGrl427" on Stack Overflow might have an interesting approach as to how to position and code a slider control but taking security advice from them is simply dumb - the worst case is they're m

  • by Anonymous Coward

    Coders today are completely lazy, don't give a fuck about doing anything other than writing code and meeting goals. Management didn't tell them to do it? They don't fuckin' do it. I grew up developing web sites and web apps and learned security the hard way ...getting fucking rooted dozens of times! when I started doing development for money I had to make sure someone couldn't just bypass security controls and hack the customer's sites and when they did, you bet your ass i had to FIX IT. It should be obviou

    • > Now your typical enterprise may have third party security assessment and penetration testing - which is OK, but most of the time it's testing well-known exploits.

      They're typically not allowed, by the company paying them, to probe for the most dangerous vulnerabilities. Passwords sent via github, VPN's that open full access to unencrypted services from poorly secured internal networks, permanent root credentials embedded in source code,and other issues abound.

      I've recently been forced to cope with a sof

  • Many of the Stackoverflow first answers are very poor, as are many followups from people who don't sanitize their inprts. The problem is aggravated for Java, where error reporting is often very poor and where programmers have been taught with object oriented principles to pay no attention to the rest of the system: it's considered outside the scope of their immediate task.

    I do find Stackoverflow useful: there are often extremely useful hooks to start from, and it's well worth thanking the community by follo

    • Yup, I rarely find quality answers on stack overflow, but I do find links to other sources of information that lead to good answers.

  • Well I never!

    Canoncial example of a Stackoverflow exchange:

    Answer: Why in the world would you want to do that? Here do this

    Answer:

    #1 upvote:

    #2 upvote:

    #4 or #5 most upvoted:

    further down:

    Stackoverflow is the best for people that sort of know what the answer should be and can separate the wheat from the chaff.

    I often point to this on as a good canonical example. https://stackoverflow.com/ques... [stackoverflow.com]

    • Eh I should have preview my posted, tags got eaten:
      Answer: Why in the world would you want to do that? Here do this (unhelpful thing that doesn't answer this question)

      Answer: (Complete wrong buggy implementation)

      #1 upvote: (Answer that technically works but completely pedestrian, not generalized, etc)

      #2 upvote: (mostly the same as #1, but with an added glaring bug)

      #4 or #5 most upvoted: (probably the right answer)

      further down: (a number of technically correct but a completely stupid ways to solve the proble

    • That example is good. The whole question is wrong, Stack Overflow shouldn't be a site for brand new programmers. Spend some time learning the language before you ask how to do something that anyone with one month's experience can do. In the early days of Stack Overflow the questions were very interesting questions, about subtleties in a language, mysterious problems to overcome, and so forth. Now the questions are "help me do my homework!"

  • If poor answers are floating to the top because of reputation, then Stack Overflow has effectively automated argument from authority [wikiquote.org].

    This is not too surprising. Automating fallacy is probably easy. Automating security is likely to be hard. Trust me. I'm an expert on this.

  • by Wrath0fb0b ( 302444 ) on Saturday October 07, 2017 @02:18PM (#55328193)

    So, I agree with all the haterade at SO and all the things it does wrong and stuff. But let's take a moment of reflection and see if maybe we as a community also did something wrong.

    My opinion is that it's a total lack of actually useful documentation. And by that I mean there's almost always documentation, but it's at a level of specificity that makes it totally useless.

    By way of analogy, imagine getting into an airplane and there's tons of man pages for each instrument like "The throttle control the amount of forward thrust generated by the engines. It has three auto-throttle modes for speed, trim and power, you can enable those modes by setting the auto-throttle switch to the ON position and adjusting the rotary dial to the desired mode. The power mode cannot be used while the autopilot for level is set."

    And so on there's documentation on every little thing but nowhere does it actually explain how the hell to fly a plane.

    There are projects whose documentation is exactly like this. They are full of great (and useful) detail about how the parts work but there is no place that explains how the whole project works at a general level and how to get it off the ground.

    • by GlennC ( 96879 )

      And so on there's documentation on every little thing but nowhere does it actually explain how the hell to fly a plane.

      There are projects whose documentation is exactly like this. They are full of great (and useful) detail about how the parts work but there is no place that explains how the whole project works at a general level and how to get it off the ground.

      That's because the general assumption, in this case, is that the reader already knows how to fly planes in general, and only needs the specifics for this model.

      Of course, given the number of coders whose training consisted solely of rote memorization, this assumption is provably wrong. That leads to the sorry state the IT industry is in now, and why I'm very glad I'm training to get my CDL and drive a truck.

  • by SCVonSteroids ( 2816091 ) on Saturday October 07, 2017 @02:38PM (#55328289)

    They're Java coders. Easily replaced.

  • You always get bad advice from Stack Overflow.

  • By far the hardest part of security is getting companies to care about it.

  • First off, I hate fucking Java. Second, the data may be correct, but the conclusion is out of reality. The reason this is an issue and the up votes go for the easiest not most secure answer, is 1. Human nature, 2. Companies don't give a flying fuck about security. If a "business" leader in a ecom org can't even be bothered to learn a single thing about how a web page even works, then they certainly don't really understand the impact of a few coding side steps and no budget will be allocated DAY TO DAY,
  • One big problem SO has is reconciling old questions with "best" answers that might no longer be the best -- or even still RELEVANT.

    Suppose that someone posted a message to SO in 2012 asking how to hide the mouse pointer arrow that appears if the user connects a bluetooth or USB mouse to the device when their app (say, an OpenGL ES game) is in the foreground.

    Five years ago, the correct and concise answer would have been, "You can't".

    Today, the proper answer would be, "You can't do it unless the device has An

The opossum is a very sophisticated animal. It doesn't even get up until 5 or 6 PM.

Working...