research-article

Public Access

Secure coding practices in Java: challenges and vulnerabilities

Authors:

Danfeng (Daphne) Yao,

Wenjie Zhuang, and

Gustavo Arango ArgotyAuthors Info & Claims

ICSE '18: Proceedings of the 40th International Conference on Software Engineering

May 2018

Pages 372 - 383

https://doi.org/10.1145/3180155.3180201

Published: 27 May 2018 Publication History

Abstract

The Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on StackOverflow posts, aiming to understand developers' concerns on Java secure coding, their programming obstacles, and insecure coding practices.

We observed a wide adoption of the authentication and authorization features provided by Spring Security---a third-party framework designed to secure enterprise applications. We found that programming challenges are usually related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring Security. In addition, we reported multiple security vulnerabilities in the suggested code of accepted answers on the StackOverfow forum. The vulnerabilities included disabling the default protection against Cross-Site Request Forgery (CSRF) attacks, breaking SSL/TLS security through bypassing certificate validation, and using insecure cryptographic hash functions. Our findings reveal the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practices.

References

[1]

Y. Acar, M. Backes, S. Fahl, D. Kim, M. L. Mazurek, and C. Stransky. You get where you're looking for: The impact of information sources on code security. In 2016 IEEE Symposium on Security and Privacy (SP), pages 289--305, May 2016.

[2]

AES-256 implementation in GAE. https://stackoverflow.com/questions/12833826/aes-256-implementation-in-gae.

[3]

Apache Shiro documentation. https://shiro.apache.org/documentation.html.

[4]

Application Server - Oracle WebLogic Server. https://www.oracle.com/middleware/weblogic/index.html.

[5]

A. Barua, S. W. Thomas, and A. E.Hassan. What are developers talking about? An analysis of topics and trends in Stack Overflow. Empirical Software Engineering, 19(3):619--654, Jun 2014.

Digital Library

[6]

Basic Program for encrypt/Decrypt : javax.crypto.BadPaddingException:Decryption error. https://stackoverflow.com/questions/39518979/basic-program-for-encrypt-decrypt-javax-crypto-badpaddingexception-decryption.

[7]

BigInteger to Key. https://stackoverflow.com/questions/10271164/biginteger-to-key.

[8]

S. Boonkrong. Security of passwords. Information Technology Journal, 8(2):112--117, 2012.

[9]

Bouncy castle. https://www.bouncycastle.org.

[10]

Can a secret be hidden in a 'safe' Java class offering access credentials? https://stackoverflow.com/questions/5761519/can-a-secret-be-hidden-in-a-safe-java-class-offering-access-credentials.

[11]

L. Cerulo, M. D. Penta, A. Bacchelli, M. Ceccarelli, and G. Canfora. Irish: A hidden Markov model to detect coded information islands in free text. Science of Computer Programming, 105(Supplement C):26 -- 43, 2015.

Digital Library

[12]

A. Chatzikonstantinou, C. Ntantogian, G. Karopoulos, and C. Xenakis. Evaluation of cryptography usage in Android applications. In Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies, pages 83--90, 2015.

Digital Library

[13]

Communication with server that support SSL in Java. https://stackoverflow.com/questions/21156929/java-class-to-trust-all-for-sending-file-to-https-web-service.

[14]

Compare two Public Key values in Java (duplicate). https://stackoverflow.com/questions/37439695/compare-two-public-key-values-in-java.

[15]

Configure Spring Security without XML in Spring 4. https://stackoverflow.com/questions/20961600/configure-spring-security-without-xml-in-spring-4.

[16]

@Context injection in Stateless EJB used by JAX-RS. https://stackoverflow.com/questions/29132547/context-injection-in-stateless-ejb-used-by-jax-rs.

[17]

Converted secret key into bytes, how to convert it back to secret key? https://stackoverflow.com/questions/5364338/converted-secret-key-into-bytes-how-to-convert-it-back-to-secrect-key.

[18]

Custom Authentication Filters in multiple HttpSecurity objects using Java Config. https://stackoverflow.com/questions/37304211/custom-authentication-filters-in-multiple-httpsecurity-objects-using-java-config.

[19]

CWE-227: Improper fulfillment of API contract (API abuse). https://cwe.mitre.org/data/definitions/227.html.

[20]

A. Datta, A. Derek, J. C. Mitchell, and A. Roy. Protocol composition logic (PCL). Electronic Notes in Theoretical Computer Science, 172:311 -- 358, 2007.

Digital Library

[21]

A. Dey and S. Weis. Keyczar: A Cryptographic Toolkit.

[22]

Dictionary Attacks 101. https://blog.codinghorror.com/dictionary-attacks-101/.

[23]

M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel. An empirical study of cryptographic misuse in Android applications. In Proceedings of the ACM Conference on Computer and Communications Security, CCS, pages 73--84, New York, NY, USA, 2013. ACM.

Digital Library

[24]

Encryption PHP, Decryption Java. https://stackoverflow.com/questions/15639442/encryption-php-decryption-java.

[25]

L. Erkök and J. Matthews. Pragmatic equivalence and safety checking in Cryptol. In Proceedings of the 3rd Workshop on Programming Languages Meets Program Verification, PLPV '09, pages 73--82, New York, NY, USA, 2008. ACM.

Digital Library

[26]

S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, B. Freisleben, and M. Smith. Why Eve and Mallory love Android: An analysis of Android SSL (in)security. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS, pages 50--61, New York, NY, USA, 2012. ACM.

Digital Library

[27]

F. Fischer, K. Böttinger, H. Xiao, C. Stransky, Y. Acar, M. Backes, and S. Fahl. Stack Overflow considered harmful? The impact of copy&paste on Android application security. In 38th IEEE Symposium on Security and Privacy, 2017.

[28]

C. Gackenheimer. Implementing security and cryptography. In Node. js Recipes, pages 133--160. Springer, 2013.

[29]

M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov. The most dangerous code in the world: Validating SSL certificates in non-browser software. In Proceedings of the ACM Conference on Computer and Communications Security, CCS, pages 38--49, New York, NY, USA, 2012. ACM.

Digital Library

[30]

Get public and private key from ASN1 encrypted pem certificate. https://stackoverflow.com/questions/30392114/get-public-and-private-key-from-asn1-encrypted-pem-certificate.

[31]

GlassFish. https://javaee.github.io/glassfish/.

[32]

L. Gong and G. Ellison. Inside Java(TM) 2 Platform Security: Architecture, API Design, and Implementation. Pearson Education, 2nd edition, 2003.

Digital Library

[33]

Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf.

[34]

B. He, V. Rastogi, Y. Cao, Y. Chen, V. N. Venkatakrishnan, R. Yang, and Z. Zhang. Vetting SSL usage in applications with SSLINT. In 2015 IEEE Symposium on Security and Privacy, pages 519--534, May 2015.

Digital Library

[35]

Hiding my security key from Java reflection. https://stackoverflow.com/questions/14903318/hiding-my-security-key-from-java-reflection.

[36]

How can I get a signed Java Applet to perform privileged operations when called from unsigned Javascript? https://stackoverflow.com/questions/1006674/how-can-i-get-a-signed-java-applet-to-perform-privileged-operations-when-called.

[37]

How does Java string being immutable increase security? https://stackoverflow.com/questions/15274874/how-does-java-string-being-immutable-increase-security.

[38]

How to accept self-signed certificates for JNDI/LDAP connections? https://stackoverflow.com/questions/4615163/how-to-accept-self-signed-certificates-for-jndi-ldap-connections.

[39]

How to add MD5 or SHA hash to Spring security? https://stackoverflow.com/questions/18581463/how-to-add-md5-or-sha-hash-to-spring-security.

[40]

How to apply spring security filter only on secured end-points? https://stackoverflow.com/questions/36795894/how-to-apply-spring-security-filter-only-on-secured-endpoints.

[41]

How to generate secret key using SecureRandom.getInstanceStrong()? https://stackoverflow.com/questions/37244064/how-to-generate-secret-key-using-securerandom-getinstancestrong.

[42]

How to override Spring Security default configuration in Spring Boot. https://stackoverflow.com/questions/35600488/how-to-override-spring-security-default-configuration-in-spring-boot.

[43]

Implementing a Remote Interface. http://docs.oracle.com/javase/tutorial/rmi/implementing.html.

[44]

InvalidKeySpecException : algid parse error, not a sequence. https://stackoverflow.com/questions/31941413/invalidkeyspecexception-algid-parse-error-not-a-sequence.

[45]

Java authentication and authorization service (JAAS) reference guide. https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASRefGuide.html.

[46]

Java class to trust all for sending file to HTTPS web service. https://stackoverflow.com/questions/21156929/java-class-to-trust-all-for-sending-file-to-https-web-service.

[47]

Java cryptography architecture. http://docs.oracle.com/javase/7/docs/technotes/guides/security/crypto/CryptoSpec.html.

[48]

Java - Edit code sample to specify DES key value. https://stackoverflow.com/questions/22858497/edit-code-sample-to-specify-des-key-value.

[49]

Java EE 7 EJB Security not working. https://stackoverflow.com/questions/30504131/java-ee-7-ejb-security-not-working.

[50]

Java Mail get mails with pop3 from exchange server, Exception in thread "main" javax.mail.MessagingException. https://stackoverflow.com/questions/25017050/java-mail-get-mails-with-pop3-from-exchange-server-exception-in-thread-main.

[51]

Java RMI / access denied. https://stackoverflow.com/questions/36570012/java-rmi-access-denied.

[52]

Java security init Cipher from SecretKeySpec properly. https://stackoverflow.com/questions/14230096/java-security-init-cipher-from-secretkeyspec-properly.

[53]

Java Security Manager completely disable reflection. https://stackoverflow.com/questions/40218973/java-security-manager-completely-disable-reflection.

[54]

Java security overview. http://docs.oracle.com/javase/8/docs/technotes/guides/security/overview/jsoverview.html.

[55]

Java Security - RSA Public Key & Private Key Code Issue. https://stackoverflow.com/questions/18757114/java-security-rsa-public-key-private-key-code-issue.

[56]

Java security: Sandboxing plugins loaded via URLClass-Loader. https://stackoverflow.com/questions/3947558/java-security-sandboxing-plugins-loaded-via-urlclassloader.

[57]

Java - Simple example of Spring Security with Thymeleaf. https://stackoverflow.com/questions/25692735/simple-example-of-spring-security-with-thymeleaf.

[58]

Java SSL - InstallCert recognizes certificate, but still "unable to find valid certification path" error? https://stackoverflow.com/questions/11087121/java-ssl-installcert-recognizes-certificate-but-still-unable-to-find-valid-c.

[59]

JSR-000366 Java platform, enterprise edition 8 public review specification. http://download.oracle.com/otndocs/jcp/java_ee-8-pr-spec/.

[60]

D. Lazar, H. Chen, X. Wang, and N. Zeldovich. Why does cryptographic software fail? A case study and open problems. In Proceedings of 5th Asia-Pacific Workshop on Systems, APSys '14, pages 7:1--7:7, New York, NY, USA, 2014. ACM.

Digital Library

[61]

Y. Li, Y. Zhang, J. Li, and D. Gu. iCryptoTracer: Dynamic analysis on misuse of cryptography functions in iOS applications. In M. H. Au, B. Carminati, and C.-C. J. Kuo, editors, Proceedings of the 8th International Conference on Network and System Security, pages 349--362, 2014.

[62]

Logout call - Spring security logout call. https://stackoverflow.com/questions/ 24530603/spring-security-logout-call.

[63]

F. Long. Software vulnerabilities in Java. Technical Report CMU/SEI-2005-TN-044, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, 2005.

[64]

MD5 hashing in Android. https://stackoverflow.com/questions/4846484/md5- hashing- in- android.

[65]

A. Mettler, D. Wagner, and T. Close. Joe-E: A security-oriented subset of Java. In Network and Distributed Systems Symposium. Internet Society, 2010.

[66]

J. C. Mitchell, M. Mitchell, and U. Stern. Automated analysis of cryptographic protocols using Mur/spl phi/. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, SP '97, pages 141--, Washington, DC, USA, 1997. IEEE Computer Society.

Digital Library

[67]

B. Möller, T. Duong, and K. Kotowicz. This POODLE bites: exploiting the SSL 3.0 fallback, 2014.

[68]

S. Nadi, S. Krüger, M. Mezini, and E. Bodden. Jumping through hoops: Why do Java developers struggle with cryptography APIs? In Proceedings of the 38th International Conference on Software Engineering, ICSE, pages 935--946, New York, NY, USA, 2016. ACM.

Digital Library

[69]

S. Oaks. Java Security. O'Reilly & Associates, Inc., Sebastopol, CA, USA, 1998.

Digital Library

[70]

L. Onwuzurike and E. De Cristofaro. Danger is my middle name: Experimenting with SSL vulnerabilities in Android apps. In Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, WiSec '15, pages 15:1--15:6, New York, NY, USA, 2015. ACM.

Digital Library

[71]

PicketLink / Deltaspike security does not work in SOAP (JAX-WS) layer (CDI vs EJB?). https://stackoverflow.com/questions/32392702/picketlink-deltaspike-security-does-not-work- in-soap-jax-ws-layer-cdi-vs-ej.

[72]

S. Rahaman and D. Yao. Program analysis of cryptographic implementations for security. In IEEE Security Development Conference (SecDev), pages 61--68, 2017.

[73]

M. S. Rahman. An empirical case study on Stack Overflow to explore developers' security challenges. Master's thesis, Kansas State University, 2016.

[74]

F. Y. Rashid. Library misuse exposes leading Java platforms to attack. http://www.infoworld.com/article/3003197/security/library-misuse-exposes-leading-java-platforms-to-attack.html, 2017.

[75]

Resteasy Authorization design - check a user owns a resource. https://stackoverflow.com/questions/34315838/resteasy-authorization-design-check-a-user-owns-a-resource.

[76]

RF 6101 - The Secure Sockets Layer (SSL) Protocol Version 3.0. https://tools.ietf.org/html/rfc6101.

[77]

Scrapy - A Fast and Powerful Scraping and Web Crawling Framework. https://scrapy.org.

[78]

Security - Allowing Java to use an untrusted certificate for SSL/HTTPS connection. https://stackoverflow.com/questions/1201048/allowing-java-to-use-an-untrusted-certificate-for-ssl-https-connection.

[79]

Security exception when loading web image in jar. https://stackoverflow.com/questions/2011407/security-exception-when-loading-web-image-in-jar.

[80]

S. Shuai, D. Guowei, G. Tao, Y. Tianchang, and S. Chenjie. Modeling analysis and auto-detection of cryptographic misuse in Android applications. In Proceedings of the IEEE 12th International Conference on Dependable, Autonomic and Secure Computing, DASC, pages 75--80, Washington, DC, USA, 2014. IEEE Computer Society.

Digital Library

[81]

E. Smith and D. L. Dill. Automatic formal verification of block cipher implementations. In Formal Methods in Computer-Aided Design, pages 1--7, Nov 2008.

Digital Library

[82]

Spring security. https://projects.spring.io/spring-security/.

[83]

Spring Security 4 XML configuration UserDetailsService authentication not working. https://stackoverflow.com/questions/41321176/spring-security-4-xml-configuration-userdetailsservice-authentication-not-workin.

[84]

Spring security JDK based proxy issue while using @Secured annotation on Controller method. https://stackoverflow.com/questions/35860442/spring-security-jdk-based-proxy-issue-while-using-secured-annotation-on-control.

[85]

Spring Security Reference. http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#jc-httpsecurity.

[86]

Spring Security Tutorial. http://www.mkyong.com/tutorials/spring-security-tutorials/.

[87]

Spring Security using JBoss <security-domain>. https://stackoverflow.com/questions/28172056/spring-security-using-jboss-security-domain.

[88]

SSL Certificate Verification: javax.net.ssl.SSLHandshakeException.https://stackoverflow.com/questions/25079751/ssl-certificate-verification-javax-net-ssl-sslhandshakeexception.

[89]

SSL handshake fails with unable to find valid certification path to requested target. https://stackoverflow.com/questions/40977556/ssl-handshake-fails-with-unable-to-find-valid-certification-path-to-requested-ta.

[90]

SSL Socket Connection working even though client is not sending certificate? https://stackoverflow.com/questions/26761966/ssl-socket-connection-working-even-though-client-is-not-sending-certificate.

[91]

StackOverflow. https://stackoverflow.com.

[92]

J. Steven and J. Manico. Password storage cheat sheet. https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet.

[93]

M. Stevens, E. Bursztein, P. Karpman, A. Albertini, and Y. Markov. The first collision for full SHA-1. Cryptology ePrint Archive, Report 2017/190, 2017. https://eprint.iacr.org/2017/190.

[94]

The Webserver I talk to updated its SSL cert and now my app can't talk to it. https://stackoverflow.com/questions/5758812/the-webserver-i-talk-to-updated-its-ssl-cert-and-now-my-app-cant-talk-to-it.

[95]

Trusting all certificates using HttpClient over HTTPS. https://stackoverflow.com/questions/2642777/trusting- all-certificates-using-httpclient-over-https.

[96]

Use of ECC in Java SE 1.7. https://stackoverflow.com/questions/24383637/use-of-ecc-in-java-se-1-7.

[97]

Using public key from authorized_keys with Java security. https://stackoverflow.com/questions/3531506/using-public-key-from-authorized-keys-with-java-security.

[98]

State of software security. https://www.veracode.com/sites/default/files/Resources/Reports/state-of-software-security-volume-7-veracode-report.pdf, 2016. Veracode.

[99]

X. Wang, D. Feng, X. Lai, and H. Yu. Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD, 2004. http://eprint.iacr.org/2004/199.

[100]

Web Security Samples. https://github.com/spring-projects/spring-security-javaconfig/blob/master/samples-web.md#sample-multi-http-web-configuration.

[101]

WebSphere Application Server - IBM. http://www-03.ibm.com/software/products/en/appserv-was.

[102]

When a TrustManagerFactory is not a TrustManagerFactory (Java). https://stackoverflow.com/questions/14654639/when-a-trustmanagerfactory-is-not-a-trustmanagerfactory-java.

[103]

When I try to convert a string with certificate, exception is raised. https://stackoverflow.com/questions/10594000/when-i- try-to-convert-a-string-with-certificate-exception-is-raised.

[104]

WildFly. http://wildfly.org.

[105]

Wildfly 9 security domains won't work. https://stackoverflow.com/questions/37425056/wildfly-9-security-domains-wont-work.

[106]

X.-L. Yang, D. Lo, X. Xia, Z.-Y. Wan, and J.-L. Sun. What security questions do developers ask? A large-scale study of Stack Overflow posts. Journal of Computer Science and Technology, 31(5):910--924, Sep 2016.

[107]

W. Zeller and E. W. Felten. Cross-site request forgeries: Exploitation and prevention. https://www.cs.utexas.edu/~shmat/courses/library/zeller.pdf, 2008.

Cited By

May RBiermann CZerweck XLudwig KKrüger JLeich T(2024)Vulnerably (Mis)Configured? Exploring 10 Years of Developers' Q&As on Stack OverflowProceedings of the 18th International Working Conference on Variability Modelling of Software-Intensive Systems10.1145/3634713.3634729(112-122)Online publication date: 7-Feb-2024
https://dl.acm.org/doi/10.1145/3634713.3634729
Xiao YSong WAhmed SGe XViswanath BMeng NYao D(2024)Measurement of Embedding Choices on Cryptographic API Completion TasksACM Transactions on Software Engineering and Methodology10.1145/362529133:3(1-30)Online publication date: 15-Mar-2024
https://dl.acm.org/doi/10.1145/3625291
Frantz MXiao YPias TMeng NYao D(2024)Methods and Benchmark for Detecting Cryptographic API Misuses in PythonIEEE Transactions on Software Engineering10.1109/TSE.2024.337718250:5(1118-1129)Online publication date: May-2024
https://doi.org/10.1109/TSE.2024.3377182
Show More Cited By

Index Terms

Secure coding practices in Java: challenges and vulnerabilities
1. General and reference
  1. Cross-computing tools and techniques
    1. Empirical studies

Recommendations

IoTVerif: An Automated Tool to Verify SSL/TLS Certificate Validation in Android MQTT Client Applications
CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy

Developing secure Internet of Things (IoT) applications that are free of vulnerabilities and resilient against exploit is desirable for software developers and testers. In this paper, we present IoTVerif, an automated tool that can verify SSL/TLS (...
Read More
Lightweight server support for browser-based CSRF protection
WWW '13: Proceedings of the 22nd international conference on World Wide Web

Cross-Site Request Forgery (CSRF) attacks are one of the top threats on the web today. These attacks exploit ambient authority in browsers (eg cookies, HTTP authentication state), turning them into confused deputies and causing undesired side effects on ...
Read More
The CERT Oracle Secure Coding Standard for Java
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ICSE '18: Proceedings of the 40th International Conference on Software Engineering

May 2018

1307 pages

ISBN:9781450356381

DOI:10.1145/3180155

Conference Chair:
Michel Chaudron
Chalmers University of Technology, University of Gothenburg, Sweden
,
General Chair:
Ivica Crnkovic
Chalmers University of Technology, University of Gothenburg, Sweden
,
Program Chairs:
Marsha Chechik
University of Toronto, Canada
,
Mark Harman
Facebook and University College London, United Kingdom

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering
IEEE-CS: Computer Society

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 May 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Office of Naval Research
National Science Foundation

Conference

ICSE '18

Sponsor:

SIGSOFT
IEEE-CS

ICSE '18: 40th International Conference on Software Engineering

May 27 - June 3, 2018

Gothenburg, Sweden

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

86
Total Citations
View Citations
2,853
Total Downloads

Downloads (Last 12 months)699
Downloads (Last 6 weeks)82

Other Metrics

View Author Metrics

Citations

Cited By

May RBiermann CZerweck XLudwig KKrüger JLeich T(2024)Vulnerably (Mis)Configured? Exploring 10 Years of Developers' Q&As on Stack OverflowProceedings of the 18th International Working Conference on Variability Modelling of Software-Intensive Systems10.1145/3634713.3634729(112-122)Online publication date: 7-Feb-2024
https://dl.acm.org/doi/10.1145/3634713.3634729
Xiao YSong WAhmed SGe XViswanath BMeng NYao D(2024)Measurement of Embedding Choices on Cryptographic API Completion TasksACM Transactions on Software Engineering and Methodology10.1145/362529133:3(1-30)Online publication date: 15-Mar-2024
https://dl.acm.org/doi/10.1145/3625291
Frantz MXiao YPias TMeng NYao D(2024)Methods and Benchmark for Detecting Cryptographic API Misuses in PythonIEEE Transactions on Software Engineering10.1109/TSE.2024.337718250:5(1118-1129)Online publication date: May-2024
https://doi.org/10.1109/TSE.2024.3377182
Yang HNong YWang SCai H(2024)Multi-Language Software Development: Issues, Challenges, and SolutionsIEEE Transactions on Software Engineering10.1109/TSE.2024.335825850:3(512-533)Online publication date: Mar-2024
https://doi.org/10.1109/TSE.2024.3358258
Chen XXu FHuang YZhou XZheng Z(2024)An empirical study of code reuse between GitHub and stack overflow during software developmentJournal of Systems and Software10.1016/j.jss.2024.111964210(111964)Online publication date: Apr-2024
https://doi.org/10.1016/j.jss.2024.111964
Rahman AShamim SBose DPandita R(2023)Security Misconfigurations in Open Source Kubernetes Manifests: An Empirical StudyACM Transactions on Software Engineering and Methodology10.1145/357963932:4(1-36)Online publication date: 26-May-2023
https://dl.acm.org/doi/10.1145/3579639
Patnaik NDwyer AHallett JRashid A(2023)SLR: From Saltzer and Schroeder to 2021…47 Years of Research on the Development and Validation of Security API RecommendationsACM Transactions on Software Engineering and Methodology10.1145/356138332:3(1-31)Online publication date: 27-Apr-2023
https://dl.acm.org/doi/10.1145/3561383
Rocha LSilva GDias Canedo EHong JLanperne MPark JCerny TShahriar H(2023)Privacy Compliance in Software Development: A Guide to Implementing the LGPD PrinciplesProceedings of the 38th ACM/SIGAPP Symposium on Applied Computing10.1145/3555776.3577615(1352-1361)Online publication date: 27-Mar-2023
https://dl.acm.org/doi/10.1145/3555776.3577615
Xiao YZhao YAllen NKeynes NYao DCifuentes C(2023)Industrial Experience of Finding Cryptographic Vulnerabilities in Large-scale CodebasesDigital Threats: Research and Practice10.1145/35076824:1(1-18)Online publication date: 7-Mar-2023
https://dl.acm.org/doi/10.1145/3507682
Xiao YSong WQi JViswanath BMcDaniel PYao D(2023)Specializing Neural Networks for Cryptographic Code Completion ApplicationsIEEE Transactions on Software Engineering10.1109/TSE.2023.326536249:6(3524-3535)Online publication date: 1-Jun-2023
https://dl.acm.org/doi/10.1109/TSE.2023.3265362
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents