Java Coders Are Getting Bad Security Advice From Stack Overflow (helpnetsecurity.com), 2017-10-07
Slashdot reader Orome1 quotes Help Net Security: A group of Virginia Tech researchers has analyzed hundreds of posts on Stack Overflow, a popular developer forum/Q&A site, and found that many of the developers who offer answers do not appear to understand the security implications of coding options, showing a lack of cybersecurity training. Another thing they discovered is that, sometimes, the most upvoted posts/answers contain insecure suggestions that introduce security vulnerabilities in software, while correct fixes are less popular and visible simply because they have been offered by users with a lower reputation score...
The researchers concentrated on posts relevant to Java security, from both software engineering and security perspectives, and on posts addressing questions tied to Spring Security, a third-party Java framework that provides authentication, authorization and other security features for enterprise applications... Developers are frustrated when they have to spend too much time figuring out the correct usage of APIs, and often end up choosing completely insecure-but-easy fixes such as using obsolete cryptographic hash functions, disabling cross-site request forgery protection, trusting all certificates in HTTPS verification, or using obsolete communication protocols. "These poor coding practices, if used in production code, will seriously compromise the security of software products," the researchers pointed out.
The researchers blame "the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries." Among their suggested solutions: new developer tools which can recognize security errors and suggest patches.
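One of the "insecure-but-easy fixes" the summary names is trusting all certificates in HTTPS verification. As an added illustration (not code from the article or from the Virginia Tech study), the trust-all pattern that gets pasted from Q&A answers is shown beside the alternative of loading a dedicated truststore; the truststore file name, password and host name are assumed placeholders.

```java
import java.io.*;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TlsTrustExample {
    // The "easy fix" from many Q&A answers: every certificate passes, so the
    // "PKIX path building failed" error disappears along with the protection
    // against anyone positioned between client and server.
    static SSLContext insecureTrustAll() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        return ctx;
    }

    // The fix that takes a few minutes longer: import the internal CA (or the
    // self-signed server certificate) into a dedicated truststore and let the
    // JDK's own validator check the chain against it. File name and password
    // are hypothetical; create the file with
    //   keytool -importcert -alias internal-ca -file ca.pem \
    //           -keystore internal-truststore.p12 -storetype PKCS12
    static SSLContext trustStoreContext(String path, char[] password) throws Exception {
        KeyStore truststore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            truststore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // JDK default validation, our CA
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Host name is a constructed placeholder for an internal service.
        SSLContext ctx = trustStoreContext("internal-truststore.p12", "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection)
            URI.create("https://internal.example/api/health").toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default HostnameVerifier; an always-true one is the same hole.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```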
I trust advice from people who dislike Rust. (Score:1, Insightful)
When I've had to make a quick judgment about a programmer's knowledge and competency, I've found that there's one simple question to ask that works wonders:
"What do you think about the Rust programming language?"
Some people will say, "Rust? What's that?". These are typically unskilled people who probably don't know more than elementary JavaScript or PHP. I tend to ignore these people going forward. They're not worth my attention.
Other people will say, "Rust! Rust is fantastic! It's so safe!". These people a
If stack overflow supported nested comments, these "security experts" could post corrections for the insecure code, kinda like how you can correct someone on slashdot. It's pretty stupid to not support nested comments in 2017 (and not the tiny font remarks SO currently uses that make them unsuitable for code).
I've actually studied this at length, and even read a few treatises on the subject. Short answer: nope. Nested comments pretty much suck.
Nested conversations (like those here on slashdot) don't actually make conversations better. They just splinter the conversation into a thousand shards, each of them relatively short, and rarely on topic. They also promote shitty quoting habits and make it difficult to pick up a conversation where you left off without re-reading the whole damn thing.
Flat, linear comments t
Not really the fault of the language....
Of course the secure 'solutions' should take note that something is deeply wrong with how they go about providing secure options when this happens so much.
People don't do this because they like being insecure, they do it because it's easier.
Disabling CSRF is popular because it's *generally* implemented in a pain-in-the-ass way. Not only in a pain in the ass way, but it seems every five seconds another framework comes up with a slightly different approach to CSRF that
Not really the fault of the language....
No. It's the fault of the universities that say "This is a great teaching language! We don't have to waste our time on the fundamentals at all! We can just dive right in and start creating classes without understanding niceties like where my variables are actually stored!"
Java is okay for what it is, but if you make it the foundational language for your students, those students will be shite programmers.
I'm a veteran of the software industry (3 decades, now) and regularly screen, interview, and hire software engineers -- mostly college grads, some with a few years of experience in the industry. I can tell you with absolute certainty that Java programmers -- those who primarily learned Java in college -- are easily the worst programmers I encounter while hiring. And to date, I haven't hired a single one of them, even though I've talked to and interviewed countless numbers of them.
Want to learn to program? S
Look at the time investments. (Score:5, Insightful)
You mean advice from people who spend more time hanging out on Stack Exchange and less time actually writing production code is turning out to be less correct than advice from people who talk less and do more? Color me surprised. (Not.)
Re:Look at the time investments. (Score:5, Insightful)
Stack Exchange has gone the same way as Wikipedia. Most of the interesting stuff was handled long ago so there are now few interesting questions left, and content is decaying and becoming out of date because no-one can be bothered to keep it current.
To compound the problem you have the MMORPG element where people build their characters up and create a little empire for themselves, and worse than Wikipedia you actually have stats on SE.
Throw in a poor interface and harsh treatment of new users and the site is doomed to become a mostly static archive of bad advice. There are better communities on some of the Stack Overflow sites, but they will eventually get the same way unless things change.
Re:Look at the time investments. (Score:4, Interesting)
...harsh treatment of new users...
I decided to help out on stack overflow for a while, answering C++ questions. I stopped doing that after I found that my answers were getting downvoted to minus infinity, and then copied _word for word_ by other people who would receive massive praise for it. It was, by and large, not at all a good experience.
Yeah, that's bollocks. When I do authenticate user java site:stackoverflow.com [google.co.uk], it's not until the third link that I get an answer that looks anything like "store the password in plaintext" and it was on an Android question, where the accepted answer said "use shared preferences". I don't know enough about Android to say whether it is right or wrong, my gut feeling is "wrong".
The best way to TRULY understand something is to teach it to someone. I've observed in my field, C#, that the top Stack Overflow answerers are indeed the real experts - indeed some of them were on the C# team itself and others were given awards for the quality of their help.
If people simply hired web developers, most web hacking shit would be gone over fucking night.
Thanks for the chuckle.
Smart the OP posed as AC. (Score:2)
Yeah seriously - This is a case where using AC tag is warranted.
It protects the original poster the shame in being labeled a frickin' moron.
If people simply hired web developers, most web hacking shit would be gone over fucking night.
No. Just no. The only thing worse than Java programmers are web developers.
No way! (Score:3, Insightful)
News flash, heavily simplified programming snippets for the purposes of example and education are probably not suitable for a production environment.
This of course is an enormous issue: people imprint on the first solution to a problem they understand.
But I think more to the point here is Java's long struggle with overengineered frameworks and libraries. They tend to have a "designed by a committee" feel, and impose significant cognitive load on learners. Add to that first-solution-imprinting, and it's a recipe for trouble.
Ultimately, though, this is no new thing. There have always been a small number of people who produce elegant, quality code and a
It's more than that. The answer to "how do I get past this error" is usually a code hack, such as turning off CRL checking. With no explanation on the impact, or a need to solve it another way.
I find great advice for solving problems on a disconnected system, but very rarely the obvious caveats. And this is but one example of the kinds of answers that aren't just simplified, but flat out wrong. You need to solve it a different way.
Stackoverflow is popular, but PITA (Score:3, Interesting)
I thought I would try and help people out on Stackoverflow.
I posted some code, but AFAICT I could not just post it in , I had to indent every line by 4 spaces. PITA.
I clarified why a user was getting an error message, and my answer was marked down because some anal type thought it was a comment not an answer, and new users cannot comment, only answer. PITA
A questioner added a comment to ask for an extra feature in my answer, and I could not reply to his comment, because new users cannot comment, only answer.
I gave up.
I suspect many people with valuable knowledge to impart will have done likewise, and left Slackoverflow to the anal badge collectors that appear to rule it.
> I posted some code, but AFAICT I could not just post it in , I had to indent every line by 4 spaces
There is a button to indent a selection and display that as code.... what's wrong with that? (the rest is text)
> I clarified why a user was getting an error message, and my answer was marked down because some anal type thought it was a comment not an answer, and new users cannot comment, only answer
Many new users don't know how to behave, and spam with c
Stackoverflow's help does not mention the button
Of course because we're not in 1982 anymore, when you see a bunch of buttons, hover the mouse over the button and it'll tell you what it does.
Java is very secure (Score:1, Funny)
Java is [garbage collecting ] very s [gc] e [gc] [gc] cure.
The garbage collection [gc] algorithm [gc] [gc][gc] ensures that [gc] [gc][gc] you never know [gc] [gc][gc] when it will [gc] [gc] [gc] crash and [gc] [gc] can't exploit [gc] [gc] [gc] common stack [gc] [gc] [gc] pointer [gc] [gc] [gc] bugs.
Also, since java is slow [gc] [gc] [gc] that's another security feature [gc] [gc].
fast programs crash [gc] [gc] too fast [gc] [gc]. Making exploits [gc] [gc][gc] trivial [gc] [gc].
All operating systems should [gc] [
Reminds me of Michael Scott in "The Office" (Score:2)
When he asks for the YouTube people to come in and film him.
You can hope for good advice but in the long run when it comes to security features, you have to know who you are talking to, what their qualifications are and make sure they're there to support you down the road - which means you are going to pay them. "Gr8CdrGrl427" on Stack Overflow might have an interesting approach as to how to position and code a slider control but taking security advice from them is simply dumb - the worst case is they're m
Lazy Apathetic Enterprise Coders (Score:1)
Coders today are completely lazy, don't give a fuck about doing anything other than writing code and meeting goals. Management didn't tell them to do it? They don't fuckin' do it. I grew up developing web sites and web apps and learned security the hard way
...getting fucking rooted dozens of times! When I started doing development for money I had to make sure someone couldn't just bypass security controls and hack the customer's sites, and when they did, you bet your ass I had to FIX IT. It should be obviou
within 10 minutes the whole filesystem would be 777
Beware that would remove some 's' bits as well
... thus making the system more secure (in that it has less usable features...)
Leave out the words "Java" and "security" (Score:2)
Many of the Stackoverflow first answers are very poor, as are many followups from people who don't sanitize their inputs. The problem is aggravated for Java, where error reporting is often very poor and where programmers have been taught with object oriented principles to pay no attention to the rest of the system: it's considered outside the scope of their immediate task.
I do find Stackoverflow useful: there are often extremely useful hooks to start from, and it's well worth thanking the community by follo