

Java Coders Are Getting Bad Security Advice From Stack Overflow (helpnetsecurity.com)

Posted by EditorDavid from the those-who-don't-know-teach dept.
Slashdot reader Orome1 quotes Help Net Security: A group of Virginia Tech researchers has analyzed hundreds of posts on Stack Overflow, a popular developer forum/Q&A site, and found that many of the developers who offer answers do not appear to understand the security implications of coding options, showing a lack of cybersecurity training. Another thing they discovered is that, sometimes, the most upvoted posts/answers contain insecure suggestions that introduce security vulnerabilities in software, while correct fixes are less popular and visible simply because they have been offered by users with a lower reputation score...

The researchers concentrated on posts relevant to Java security, from both software engineering and security perspectives, and on posts addressing questions tied to Spring Security, a third-party Java framework that provides authentication, authorization and other security features for enterprise applications... Developers are frustrated when they have to spend too much time figuring out the correct usage of APIs, and often end up choosing completely insecure-but-easy fixes such as using obsolete cryptographic hash functions, disabling cross-site request forgery protection, trusting all certificates in HTTPS verification, or using obsolete communication protocols. "These poor coding practices, if used in production code, will seriously compromise the security of software products," the researchers pointed out.
The researchers blame "the rapidly increasing need for enterprise security applications, the lack of security training in the software development workforce, and poorly designed security libraries." Among their suggested solutions: new developer tools which can recognize security errors and suggest patches.

  • Look at the time investments. (Score:5, Insightful)

    by Mal-2 ( 675116 ) on Saturday October 07, 2017 @10:42AM (#55327135)

    You mean advice from people who spend more time hanging out on Stack Exchange and less time actually writing production code is turning out to be less correct than advice from people who talk less and do more? Color me surprised. (Not.)

    • Re:Look at the time investments. (Score:5, Insightful)

      by AmiMoJo ( 196126 ) <(mojo) (at) (world3.net)> on Saturday October 07, 2017 @10:51AM (#55327151)

      Stack Exchange has gone the same way as Wikipedia. Most of the interesting stuff was handled long ago so there are now few interesting questions left, and content is decaying and becoming out of date because no-one can be bothered to keep it current.

      To compound the problem you have the MMORPG element where people build their characters up and create a little empire for themselves, and worse than Wikipedia you actually have stats on SE.

      Throw in a poor interface and harsh treatment of new users and the site is doomed to become a mostly static archive of bad advice. There are better communities on some of the Stack Overflow sites, but they will eventually get the same way unless things change.

      • Re:Look at the time investments. (Score:4, Interesting)

        by johannesg ( 664142 ) on Saturday October 07, 2017 @11:42AM (#55327301)

        ...harsh treatment of new users...

        I decided to help out on stack overflow for a while, answering C++ questions. I stopped doing that after I found that my answers were getting downvoted to minus infinity, and then copied _word for word_ by other people who would receive massive praise for it. It was, by and large, not at all a good experience.

      • To be fair SO is still the best place to find valuable coding tips. Some snobbish Java pros criticize SO for not answering the way those big Java books are written. A 20-line answer is not sophisticated enough... well it might actually help someone a lot. The level of an answer corresponds to that of the question. A beginner question will likely get an answer for a beginner (not necessarily written by a beginner). As for the obsolete answers, it seems the search engines give preference to a newer answer - th

    • The best way to TRULY understand something is to teach it to someone. I've observed in my field, C#, that the top Stack Overflow answerers are indeed the real experts - indeed some of them were on the C# team itself and others were given awards for the quality of their help.

  • No way! (Score:3, Insightful)

    by Anonymous Coward on Saturday October 07, 2017 @10:57AM (#55327173)

    News flash, heavily simplified programming snippets for the purposes of example and education are probably not suitable for a production environment.

    • Re: (Score:2)

      by hey! ( 33014 )

      This of course is an enormous issue: people imprint on the first solution to a problem they understand.

      But I think more to the point here is Java's long struggle with overengineered frameworks and libraries. They tend to have a "designed by a committee" feel, and impose significant cognitive load on learners. Add to that first-solution-imprinting, and it's a recipe for trouble.

      Ultimately, though, this is no new thing. There have always been a small number of people who produce elegant, quality code and a

    • It's more than that. The answer to "how do I get past this error" is usually a code hack, such as turning off CRL checking, with no explanation of the impact or of the need to solve it another way.

      I find great advice for solving problems on a disconnected system, but very rarely the obvious caveats. And this is but one example of the kinds of answers that aren't just simplified, but flat out wrong. You need to solve it a different way.
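The "turn off CRL checking" and "trust all certificates" hacks referred to in this comment and in the summary usually come from the same situation: a server signed by an internal CA, often on a disconnected network. The Java class below is an added example, not code from this thread, the study, or any Stack Overflow answer. It shows the trust-all TrustManager only as the "before", then the fix for that situation: trust exactly the internal CA and keep PKIX revocation checking on. The CA file path, the URL and the keystore alias are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsTrust {

    // INSECURE: the "trust all certificates" answer. Both check methods accept
    // any chain, so the connection is encrypted but the peer is never
    // authenticated. Shown only as the "before"; never ship this.
    static SSLContext insecureTrustAll() throws Exception {
        TrustManager trustAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAll }, null);
        return ctx;
    }

    // HARDENED: trust only the internal CA (assumed to be in a PEM/DER file)
    // and keep revocation checking on instead of switching it off.
    static SSLContext internalCaContext(Path caCertFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream in = Files.newInputStream(caCertFile)) {
            ca = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                       // empty in-memory store
        trustStore.setCertificateEntry("internal-ca", ca); // alias is an assumption

        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        // A PKIXRevocationChecker with default options (no SOFT_FAIL) hard-fails
        // when CRL/OCSP data cannot be obtained; adding it to the checker list
        // takes precedence over setRevocationEnabled().
        PKIXRevocationChecker revocation = (PKIXRevocationChecker)
                CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        pkix.addCertPathChecker(revocation);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Fetch with the hardened context. HttpsURLConnection keeps its default
    // hostname verifier, so the certificate must also match the host name.
    static int fetchStatus(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: the internal CA certificate file and an internal URL.
        Path caFile = Paths.get(args.length > 0 ? args[0] : "internal-ca.pem");
        String url = args.length > 1 ? args[1] : "https://intranet.example.internal/";
        SSLContext ctx = internalCaContext(caFile);
        System.out.println("HTTP status: " + fetchStatus(ctx, url));
    }
}
```

On a truly disconnected network the CRL distribution point itself may be unreachable; the right response is to host the CRL internally (or use a CA that issues short-lived certificates), not to add `SOFT_FAIL` or drop the checker, because either silently accepts a revoked certificate.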

  • Stackoverflow is popular, but PITA (Score:3, Interesting)

    by Anonymous Coward on Saturday October 07, 2017 @11:01AM (#55327183)

    I thought I would try and help people out on Stackoverflow.

    I posted some code, but AFAICT I could not just post it in , I had to indent every line by 4 spaces. PITA.

    I clarified why a user was getting an error message, and my answer was marked down because some anal type thought it was a comment not an answer, and new users cannot comment, only answer. PITA

    A questioner added a comment to ask for an extra feature in my answer, and I could not reply to his comment, because new users cannot comment, only answer.

    I gave up.
    I suspect many people with valuable knowledge to impart will have done likewise, and left Slackoverflow to the anal badge collectors that appear to rule it.

    • Well, you don't seem to be a dev anyway.

      > I posted some code, but AFAICT I could not just post it in , I had to indent every line by 4 spaces

      There is a button to indent a selection and display that as code.... what's wrong with that? (the rest is text)

      > I clarified why a user was getting an error message, and my answer was marked down because some anal type thought it was a comment not an answer, and new users cannot comment, only answer

      Many new users don't know how to behave, and spam with c

  • Java is very secure (Score:1, Funny)

    by Anonymous Coward

    Java is [garbage collecting ] very s [gc] e [gc] [gc] cure.

    The garbage collection [gc] algorithm [gc] [gc][gc] ensures that [gc] [gc][gc] you never know [gc] [gc][gc] when it will [gc] [gc] [gc] crash and [gc] [gc] can't exploit [gc] [gc] [gc] common stack [gc] [gc] [gc] pointer [gc] [gc] [gc] bugs.

    Also, since java is slow [gc] [gc] [gc] that's another security feature [gc] [gc].

    fast programs crash [gc] [gc] too fast [gc] [gc]. Making exploits [gc] [gc][gc] trivial [gc] [gc].

    All operating systems should [gc] [

  • When he asks for the YouTube people to come in and film him.

    You can hope for good advice but in the long run when it comes to security features, you have to know who you are talking to, what their qualifications are and make sure they're there to support you down the road - which means you are going to pay them. "Gr8CdrGrl427" on Stack Overflow might have an interesting approach as to how to position and code a slider control but taking security advice from them is simply dumb - the worst case is they're m

  • Lazy Apathetic Enterprise Coders (Score:1)

    by Anonymous Coward

    Coders today are completely lazy, don't give a fuck about doing anything other than writing code and meeting goals. Management didn't tell them to do it? They don't fuckin' do it. I grew up developing web sites and web apps and learned security the hard way ...getting fucking rooted dozens of times! When I started doing development for money I had to make sure someone couldn't just bypass security controls and hack the customer's sites and when they did, you bet your ass I had to FIX IT. It should be obviou

  • Many of the Stackoverflow first answers are very poor, as are many followups from people who don't sanitize their inputs. The problem is aggravated for Java, where error reporting is often very poor and where programmers have been taught with object oriented principles to pay no attention to the rest of the system: it's considered outside the scope of their immediate task.

    I do find Stackoverflow useful: there are often extremely useful hooks to start from, and it's well worth thanking the community by follo
