TY - GEN
T1 - Tutorial
T2 - 2020 IEEE Secure Development, SecDev 2020
AU - Xiao, Ya
AU - Frantz, Miles
AU - Afrose, Sharmin
AU - Rahaman, Sazzadur
AU - Yao, Danfeng Daphne
N1 - Publisher Copyright:
© 2020 IEEE.
PY - 2020/9
Y1 - 2020/9
N2 - Various software libraries and frameworks provide a variety of APIs to support secure coding. However, misusing these APIs can cost developers tremendous time and effort, introduce security vulnerabilities to software, and cause serious consequences like data leakage or Denial of Service (DoS) on servers. Our tutorial aims to educate people on the best practice of secure coding, the pitfalls that should be avoided, and the detection tools and fixing suggestions of insecure code.To increase the security awareness of developers and improve the quality of their software products, we propose a 90-minute tutorial to teach participants the principles and practices of Java secure coding, including the SSL/TLS and Spring Security configuration. In this tutorial, we will introduce the principles of using security APIs, analyze typical API misuse cases to explain the causes and effects. We will also introduce a tool that we recently developed to automatically detect API misuse in Java.There are five parts in our tutorial. To reveal the secure coding practice, we will first introduce the findings in our recent study on StackOverflow posts relevant to Java security. Second, we will discuss the recommended principles of API usage by security experts. Third, to correlate the principles with existing practice, we will discuss some API misuse examples for the SSL/TLS certificate verification, Spring Security authentication, etc. Fourth, we will ask participants to examine extra code examples and discuss the security property. Finally, We will give an overview of the available tools and resources, demonstrate a tool named CryptoGuard that we developed to automatically detect API misuse in Java. We will also help participants install and use CryptoGuard plugins on their own machines and ask them for trials.By actively involving participants in code discussion and tool trial, we aim to raise the security awareness among developers, improve their secure coding capabilities, and equip them with the tools they need for secure coding.
AB - Various software libraries and frameworks provide a variety of APIs to support secure coding. However, misusing these APIs can cost developers tremendous time and effort, introduce security vulnerabilities to software, and cause serious consequences like data leakage or Denial of Service (DoS) on servers. Our tutorial aims to educate people on the best practice of secure coding, the pitfalls that should be avoided, and the detection tools and fixing suggestions of insecure code.To increase the security awareness of developers and improve the quality of their software products, we propose a 90-minute tutorial to teach participants the principles and practices of Java secure coding, including the SSL/TLS and Spring Security configuration. In this tutorial, we will introduce the principles of using security APIs, analyze typical API misuse cases to explain the causes and effects. We will also introduce a tool that we recently developed to automatically detect API misuse in Java.There are five parts in our tutorial. To reveal the secure coding practice, we will first introduce the findings in our recent study on StackOverflow posts relevant to Java security. Second, we will discuss the recommended principles of API usage by security experts. Third, to correlate the principles with existing practice, we will discuss some API misuse examples for the SSL/TLS certificate verification, Spring Security authentication, etc. Fourth, we will ask participants to examine extra code examples and discuss the security property. Finally, We will give an overview of the available tools and resources, demonstrate a tool named CryptoGuard that we developed to automatically detect API misuse in Java. We will also help participants install and use CryptoGuard plugins on their own machines and ask them for trials.By actively involving participants in code discussion and tool trial, we aim to raise the security awareness among developers, improve their secure coding capabilities, and equip them with the tools they need for secure coding.
KW - Cryptographic API misuses
KW - Java secure coding
KW - practices
KW - principles
UR - http://www.scopus.com/inward/record.url?scp=85096640565&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85096640565&partnerID=8YFLogxK
U2 - 10.1109/SecDev45635.2020.00016
DO - 10.1109/SecDev45635.2020.00016
M3 - Conference contribution
AN - SCOPUS:85096640565
T3 - Proceedings - 2020 IEEE Secure Development, SecDev 2020
SP - 5
EP - 6
BT - Proceedings - 2020 IEEE Secure Development, SecDev 2020
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 28 September 2020 through 30 September 2020
ER -