Tutorial: Principles and practices of secure crypto coding in Java

Sazzadur Rahaman, Na Meng, Danfeng Yao

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Scopus citations

Abstract

Various software libraries and frameworks provide a variety of APIs to support secure coding. However, misusing these APIs can cost developers tremendous time and effort, introduce security vulnerabilities to software, and cause serious consequences like data leakage or Denial of Service (DoS) on servers. No prior tutorial educates people on the best practice of secure coding, the pitfalls that should be avoided, and the remediation of insecure code. To increase the security awareness of developers and improve the quality of their software products, we propose a 90-minute tutorial to teach participants the principles and practices of Java secure coding. In this tutorial, we will introduce the principles of using security APIs, analyze typical API misuse cases to explain the causes and effects. We will also introduce a tool that we recently developed to automatically detect API misuse in Java. There are five parts in our tutorial. To reveal the existing status of secure coding practice, we will first introduce the findings in our recent study on StackOverflow posts relevant to Java security. Second, we will discuss the recommended principles of API usage by security experts. Third, to correlate the principles with existing practice, we will also discuss some API misuse examples for the hash digest, message encryption and decryption, key generation, and SSL/TLS connection. Fourth, we will ask participants to examine extra code examples and discuss the security property of each example. Finally, We will give an overview of the available tools and resources, demonstrate a tool named RIGORITYJ that we recently developed to automatically detect API misuse in Java. We will also help participants install and use RIGORITYJ on their own machines and ask them for trials.

Original languageEnglish (US)
Title of host publicationProceedings - 2018 IEEE Cybersecurity Development Conference, SecDev 2018
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages122-123
Number of pages2
ISBN (Electronic)9781538676622
DOIs
StatePublished - Nov 21 2018
Externally publishedYes
Event3rd Annual IEEE Cybersecurity Development Conference, SecDev 2018 - Cambridge, United States
Duration: Sep 30 2018Oct 2 2018

Publication series

NameProceedings - 2018 IEEE Cybersecurity Development Conference, SecDev 2018

Conference

Conference3rd Annual IEEE Cybersecurity Development Conference, SecDev 2018
Country/TerritoryUnited States
CityCambridge
Period9/30/1810/2/18

Keywords

  • Cryptographic API Misuse
  • Cryptographic Program Analysis
  • Java
  • Program Analysis
  • Secure Coding Practices

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'Tutorial: Principles and practices of secure crypto coding in Java'. Together they form a unique fingerprint.

Cite this