Secure Coding Practices in Java: Challenges and Vulnerabilities1

Slides:

Advertisements

Similar presentations

Software Engineering Key construction decisions Design challenges.

Advertisements

MIT Lincoln Laboratory A Service-Oriented Approach to Application Development Robert Darneille & Gary Schorer WPI MQP Presentations ICS Group 10 October.

Chapter 17: WEB COMPONENTS

Web Services and AIXM. Introduction Subramanyam “Subbu” Nadavala Contractor, L-3 Communications FAA Air Traffic Organization (ATO) Information Technology.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Gemplus and OSGI Benjamin Maury Gemplus Introduction  World Leader for Smart Card Solutions  Smart Solutions in Telecommunications  Beyond.

Sergio Ferreira MoreData I16 Thursday, October 12, :30 a.m. – 11:30 a.m. Platform: Informix How to call Informix 4gl code from J2EE.

This material is based upon work supported by Science Foundation Ireland under Grant No. 03/IN3/1361 UNIVERSITY COLLEGE DUBLIN DUBLIN CITY UNIVERSITY The.

Chapter Extension 19 Alternative Development Techniques © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School

Chapter 13 Web Application Infrastructure. Objectives Explain the components and purpose of a web application platform Describe several common webapp.

© Internna Technologies 1 IWebMvc Features, Possibilities & Goals.

Secure Search Engine Ivan Zhou Xinyi Dong. Project Overview  The Secure Search Engine project is a search engine that utilizes special modules to test.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

SEEM4570: XAMPP, Eclipse, Summary of Html Kangfei Zhao Room 711,ERB

Spring Roo CS476 Aleksey Bukin Peter Lew. What is Roo? Productivity tool Allows for easy creation of Enterprise Java applications Runs alongside existing.

Clinic Security and Policy Enforcement in Windows Server 2008.

Submitted by: Madeeha Khalid Sana Nisar Ambreen Tabassum.

The powerful capabilities of JBoss Middleware as cloud based services on OpenShift. Build applications. Integrate with other systems Orchestrate using.

Copyright © 2006, SAS Institute Inc. All rights reserved. What Is New in SAS Profitability Management (PrM) 2.1? Authors: Jack Zhang Solution & Version:

Smart Phone Laboratory ECEN 489 Srinivas Shakkottai.

Information Security and Computer Systems: An Integrated Approach Mark A. Holliday and Bill Kreahling, Dept of Mathematics and Computer Science Western.

1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.

1 22 August 2001 The Security Architecture of the M&M Mobile Agent Framework P. Marques, N. Santos, L. Silva, J. Silva CISUC, University of Coimbra, Portugal.

Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)

CHEF II / Sakai Architecture. CHEF II Changes uPortal replaces Jetspeed –jsr 168 portlet, servlet compliant Spring replaces Turbine component framework.

Web Services based e-Commerce System Sandy Liu Jodrey School of Computer Science Acadia University July, 2002.

Java Security Nathan Moore CS 665. Overview Survey of Java Inherent Security Properties Java Runtime Environment Java Virtual Machine Java Security Model.

AppSec USA 2014 Denver, Colorado Customizing Burp Suite Getting the Most out of Burp Extensions.

Electronic data collection system eSTAT in Statistics Estonia: functionality, authentication and further developments issues 4th June 2007 Maia Ennok,

JAVA Programming “When you are willing to make sacrifices for a great cause, you will never be alone.” Instructor: รัฐภูมิ เถื่อนถนอม

PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.

CSCE 548 Secure Software Development Security Operations.

P ROTOCOL FOR COLLABORATING MOBILE AGENTS IN THE NETWORK INTRUSION DETECTION SYSTEMS. By Olumide Simeon Ogunnusi Shukor Abd Razak.

Notes from Coulouris 5Ed Distributed Systems Notes on Components.

© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 JSP Application Models.

Students: Roni Rabin, Eyal Biran Supervisors: Itay Maman, Tali Yatzkar-Haham, Julia Rubin Industrial Project (234313) 1.

How Can I Use This Method? 2015 IEEE/ACM 37TH IEEE INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING HOW.

1 Session 4 Module 6: Digital signatures. Digital Signatures / Session4 / 2 of 18 Module 4, 5 - Review (1)  Java 2 security model provides a consistent.

Survey of Tools to Support Safe Adaptation with Validation Alain Esteva-Ramirez School of Computing and Information Sciences Florida International University.

Secure Search Engine Ivan Zhou Xinyi Dong. Project Overview  The Secure Search Engine project is a search engine that utilizes special modules to test.

Creating competitive advantage Copyright © 2003 Enterprise Java Beans Presenter: Wickramanayake HMKSK Version:0.1 Last Updated:

Yu, et al.’s “A Model-Driven Development Framework for Enterprise Web Services” In proceedings of the 10 th IEEE Intl Enterprise Distributed Object Computing.

Project Proposal A JML compiler on Eclipse Platform Amritam Sarcar CS5381.

Introduction to JAVA Programming

The Fallacy Behind “There’s Nothing to Hide” Why End-to-End Encryption Is a Must in Today’s World.

Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.

October 2014 HYBRIS ARCHITECTURE & TECHNOLOGY 01 OVERVIEW.

The Holmes Platform and Applications

Chapter 13 Web Application Infrastructure

J2EE Platform Overview (Application Architecture)

CSC305: COMPUTER PROGRAMMING II (JAVA)

Canberra OWASP Chapter meeting

Obtaining the Required Tools

Project Topic 2: Migration to Java 9

The Improvement of PaaS Platform ZENG Shu-Qing, Xu Jie-Bin 2010 First International Conference on Networking and Distributed Computing SQUARE.

Module 1: Introduction to Business Intelligence and Data Modeling

Distributed System Using Java 2 Enterprise Edition (J2EE)

Security & .NET 12/1/2018.

Building production-ready APIs with ASP.NET Core 2.2

Automated Analysis and Code Generation for Domain-Specific Models

Developing and testing enterprise Java applications

EMFT CDO Ganymede Simultaneous Release

How Reliable is the Crowdsourced Knowledge of Security Implementation?

Recommending Adaptive Changes for Framework Evolution

Impact of snippet codes from Stack Overflow in real projects

Presentation transcript:

Secure Coding Practices in Java: Challenges and Vulnerabilities1 Present by: Ying Zhang 1Meng, Na, et al. "Secure coding practices in java: Challenges and vulnerabilities." 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE). IEEE, 2018.

Background Stack Overflow Security issues Question & Answers Java platform security Java EE security Third-party frameworks

Background Java Platform security Java EE security Java Cryptography Architecture (JCA) Java EE security Third-party security https://www.google.com/url?sa=i&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwjvsLPmurfgAhVBdt8KHW7PDSgQjRx6BAgBEAU&url=http%3A%2F%2Fwww.itcsolutions.eu%2F2011%2F08%2F22%2Fhow-to-use-bouncy-castle-cryptographic-api-in-netbeans-or-eclipse-for-java-jse-projects%2F&psig=AOvVaw0TNrSKrd1bDQGk9Ho11qtI&ust=1550104159828120

Methodology Crawl posts from Stack Overflow Filtering posts Characterized relevant posts based on their security concerns, programming challenges, and security vulnerabilities Figure1: Taxonomy of StackOverflow posts1

Questions What are the common security concerns of developers? What are the common programming challenges? What are the common security vulnerabilities?

Common Security Concerns-Distribution Implementation questions Developers need more help to secure Java enterprise applications

Common Security Concerns - Interests Security related posts number increased Developers’ security interests shifted to enterprise application security Secure communication posts received the highest percentage of favorite vote Figure 3: posts distribution during 2008 to 2016, developers’ interests towards the security features 1

Program Challenges Authentication Integrate Spring Security with different application servers and frameworks Configure Spring Security using XML or Java Convert XML-based configurations to Java-based ones

Program Challenges Cryptography Poor error messages Difficult to implement security with multiple programming languages Implicite constraints on API usage

Program Challenges Java EE security Access control Authentication & Authorization Access control Secure Communication SSL/TLS

Security Vulnerabilities Spring Security’s csrf() Disabling CSRF pretection SSL/TLS Password Hashing

Recommendations Developers should conduct security testing to check whether features work as expected. Library designers should deprecate APIs not intended to be used anymore Tool builders can help by creating automatic tools to diagnose security errors

Questions ?