Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Coding Practices in Java: Challenges and Vulnerabilities1

Published byMaarit Hyttinen Modified over 5 years ago

Similar presentations

Presentation on theme: "Secure Coding Practices in Java: Challenges and Vulnerabilities1"— Presentation transcript:

1 Secure Coding Practices in Java: Challenges and Vulnerabilities1
Present by: Ying Zhang 1Meng, Na, et al. "Secure coding practices in java: Challenges and vulnerabilities." 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE). IEEE, 2018.

2 Background Stack Overflow Security issues Question & Answers
Java platform security Java EE security Third-party frameworks

3 Background Java Platform security Java EE security
Java Cryptography Architecture (JCA) Java EE security Third-party security

4 Methodology Crawl posts from Stack Overflow Filtering posts
Characterized relevant posts based on their security concerns, programming challenges, and security vulnerabilities Figure1: Taxonomy of StackOverflow posts1

5 Questions What are the common security concerns of developers?
What are the common programming challenges? What are the common security vulnerabilities?

6 Common Security Concerns-Distribution
Implementation questions Developers need more help to secure Java enterprise applications

7 Common Security Concerns - Interests
Security related posts number increased Developers’ security interests shifted to enterprise application security Secure communication posts received the highest percentage of favorite vote Figure 3: posts distribution during 2008 to 2016, developers’ interests towards the security features 1

8 Program Challenges Authentication
 Integrate Spring Security with different application servers and frameworks Configure Spring Security using XML or Java Convert XML-based configurations to Java-based ones

9 Program Challenges Cryptography Poor error messages
Difficult to implement security with multiple programming languages Implicite constraints on API usage

10 Program Challenges Java EE security Access control
Authentication & Authorization Access control Secure Communication SSL/TLS

11 Security Vulnerabilities
Spring Security’s csrf() Disabling CSRF pretection SSL/TLS Password Hashing

12 Recommendations Developers should conduct security testing to check whether features work as expected. Library designers should deprecate APIs not intended to be used anymore Tool builders can help by creating automatic tools to diagnose security errors

13 Questions ?

Download ppt "Secure Coding Practices in Java: Challenges and Vulnerabilities1"

Similar presentations

Software Engineering Key construction decisions Design challenges.

Software Engineering Key construction decisions Design challenges.
MIT Lincoln Laboratory A Service-Oriented Approach to Application Development Robert Darneille & Gary Schorer WPI MQP Presentations ICS Group 10 October.

MIT Lincoln Laboratory A Service-Oriented Approach to Application Development Robert Darneille & Gary Schorer WPI MQP Presentations ICS Group 10 October.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
Web Services and AIXM. Introduction Subramanyam “Subbu” Nadavala Contractor, L-3 Communications FAA Air Traffic Organization (ATO) Information Technology.

Web Services and AIXM. Introduction Subramanyam “Subbu” Nadavala Contractor, L-3 Communications FAA Air Traffic Organization (ATO) Information Technology.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Gemplus and OSGI Benjamin Maury 10.23.03. Gemplus Introduction  World Leader for Smart Card Solutions  Smart Solutions in Telecommunications  Beyond.

Gemplus and OSGI Benjamin Maury Gemplus Introduction  World Leader for Smart Card Solutions  Smart Solutions in Telecommunications  Beyond.
Sergio Ferreira MoreData I16 Thursday, October 12, 2006 10:30 a.m. – 11:30 a.m. Platform: Informix How to call Informix 4gl code from J2EE.

Sergio Ferreira MoreData I16 Thursday, October 12, :30 a.m. – 11:30 a.m. Platform: Informix How to call Informix 4gl code from J2EE.
This material is based upon work supported by Science Foundation Ireland under Grant No. 03/IN3/1361 UNIVERSITY COLLEGE DUBLIN DUBLIN CITY UNIVERSITY The.

This material is based upon work supported by Science Foundation Ireland under Grant No. 03/IN3/1361 UNIVERSITY COLLEGE DUBLIN DUBLIN CITY UNIVERSITY The.
Chapter Extension 19 Alternative Development Techniques © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 19 Alternative Development Techniques © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School

Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
Chapter 13 Web Application Infrastructure. Objectives Explain the components and purpose of a web application platform Describe several common webapp.

Chapter 13 Web Application Infrastructure. Objectives Explain the components and purpose of a web application platform Describe several common webapp.
© 2008 - Internna Technologies 1 IWebMvc Features, Possibilities & Goals.

© Internna Technologies 1 IWebMvc Features, Possibilities & Goals.
Secure Search Engine Ivan Zhou Xinyi Dong. Project Overview  The Secure Search Engine project is a search engine that utilizes special modules to test.

Secure Search Engine Ivan Zhou Xinyi Dong. Project Overview  The Secure Search Engine project is a search engine that utilizes special modules to test.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
SEEM4570: XAMPP, Eclipse, Summary of Html Kangfei Zhao Room 711,ERB

SEEM4570: XAMPP, Eclipse, Summary of Html Kangfei Zhao Room 711,ERB
Spring Roo CS476 Aleksey Bukin Peter Lew. What is Roo? Productivity tool Allows for easy creation of Enterprise Java applications Runs alongside existing.

Spring Roo CS476 Aleksey Bukin Peter Lew. What is Roo? Productivity tool Allows for easy creation of Enterprise Java applications Runs alongside existing.
Clinic Security and Policy Enforcement in Windows Server 2008.

Clinic Security and Policy Enforcement in Windows Server 2008.
Submitted by: Madeeha Khalid Sana Nisar Ambreen Tabassum.

Submitted by: Madeeha Khalid Sana Nisar Ambreen Tabassum.
The powerful capabilities of JBoss Middleware as cloud based services on OpenShift. Build applications. Integrate with other systems Orchestrate using.

The powerful capabilities of JBoss Middleware as cloud based services on OpenShift. Build applications. Integrate with other systems Orchestrate using.

Similar presentations

Ads by Google