Java security plagued by crappy docs, complex APIs, bad advice

Relying on search engines to find answers to coding problems has become so common that two years ago it was suggested computer programming be renamed "googling Stack Overflow," in reference to the oft-visited coding community website. But researchers from Virginia Tech contend more care needs to be taken when copying code from …

  1. Anonymous Coward

    I left SO some time ago...

    ... I was tired of people who praised and voted the *wrong* answer just because it was simpler to implement, while ignoring or even downvoting the *correct* one (often demonstrable just by RTFM), because it was more complex to code. This attitude increased as more and more lusers discovered SO - which in the beginning was a fairly competent community. I was tired of explaining why the most voted and approved "answer" was dangerous or plainly wrong.

    "Popular" vote is not the right approach when there is factual evidence...

  2. Adam 1 Silver badge

    if only

    ... SO provided some mechanism to register the fact that you disagreed with a solution such that the better solution bubbled its way to the top, and a comment box where you could provide a reason for why you disagree.

    1. Richard 12 Silver badge

      Re: if only

      That only works when the voters are competent and experienced in the specific problem field.

      The vast majority of people looking at answered questions on Stack Overflow are not competent and experienced, because if they were they wouldn't need to look.

      Top answers get selected by the incompetent and/or inexperienced majority.

      1. Adam 1 Silver badge

        Re: if only

        Sorry but that argument is pretty flaky and would equally apply to Wikipedia / Reddit / El Reg commentards.

        It solves a different problem to documentation, which tends to focus on classes, constructor overloads, methods and properties. SO does a reasonably good job at pointing back to the official documentation where applicable.

        Two examples from recent experience. I was trying to figure out how to write

        if (old!=null XOR new!=null)

        Obviously for bitwise xor there is ^ but there is nothing for a condition. SO reminded me that XOR is the same thing as !=

        In another example, I had two HashSets and wanted to know if there were any differences between their contents. The top answer would have worked but it was frankly going to be inefficient. Sure enough the first comment below the answer states that it works but it is going to be O(n^2) whereas the other answer (which was slightly less voted) would be O(n). Sure enough, the second answer pointed out the method name and a link to the documentation for it.

        The other thing that SO does much better than the documentation is explain why something was/wasn't done, like why can't you in C# yield return inside an anonymous method? Is there a fundamental ambiguity around what you are trying to do or is it just not high enough on the backlog because people want other features? The documentation just tells you you can't do that. Maybe that's all some people care for, but I need to know reasons. For the curious, the answer is too much effort and not enough demand, especially now local functions can do this.

  3. Anonymous Coward

    It's one thing to find code...

    It's another to just cut n paste it...

    I can tell you that is prevalent everywhere ... and it's done by many lower cost resources.

    This is posted anon for the obvious reasons....

    At one client, I was brought in because of my deep technical expertise.

    I had an offshore team (not in India) whom I told what I wanted, and how to do it.

    They refused and decided that it was best to search the web to find a solution (which worked but didn't scale).

    At another client, I had a manager ask me to search the web to find an article that covered a topic. I actually offered to write a white paper. (He refused, even though I was brought in for my expertise. )

    At another client, I ended up writing something so that the PM on the project could point to it as justification.

    Now to be fair, I do a lot of searches because I travel and many of my texts that I use for reference or to learn something new. However, I take the time to see what they are doing and to ask why.

    1. Anonymous Coward

      Re: It's one thing to find code...

      "However, I take the time to see what they are doing and to ask why."

      I do the same thing, SO isn't evil by any stretch, but like any socially driven site you'll always get dodgy answers or incorrect solutions. Normally somebody who knows what they're talking about will answer further down though so it always pays to read further down and follow the links to supporting docs.

      Also, my main issue with offshore development isn't that they are rubbish because many are not, it's that they usually don't care how the code performs past the handing off of the contract... So they're happy adding half-arsed solutions if it just works. They're under pressure to do it quick too usually. Then they get brought in for support for more money. I've left a company because of this sort of thing on a project going into maintenance. Every release just added to the technical debt and required more releases to fix the bugs. I just gave up and left for a company that doesn't outsource their work.

    2. macjules Silver badge

      Re: It's one thing to find code...

      Agree.

      It's like the old Sourceforge keyboard joke: it only has CTRL C V

    3. geekguy

      Re: It's one thing to find code...

      I would have done the comedy of the following:

      Written the white paper, posted it on a WordPress blog that was on the internet under a pseudonym, and referenced that :)

  4. Anonymous Coward

    General issue

    "They found that many developers don't understand security well enough "

    Shocking news, devs. who copied code didn't understand it enough.

    Seriously though, this is a common issue which can be seen throughout all areas.

    My favorite: Minecraft. "How do I summon a zombie with a wooden sword?". And in come the answers, just too bad that most of them used a so called 'command generator' and said generator hadn't upgraded to the latest version...

    The problem: people take things for granted. They hardly question anything these days!

    How else do you explain people rooting and donating to projects where you can easily establish that the idea will never work by following up on a 1st class degree physics book?

    Coding is no different. Once people find out something works they'll copy it and share it claiming it was their own, even though they have no clue how things work. The worst part: this copying includes flaws.

    But how gullible do you have to be to use this stuff without actual testing?

    1. Allan George Dyer Silver badge

      Re: General issue

      "But how gullible do you have to be to use this stuff without actual testing?"

      Unfortunately, with security problems, just testing isn't enough. Sure, the code does what you and the users expect, but testing your app won't tell you e.g. that md5 is too weak nowadays.

    2. James Anderson

      Re: General issue

      Probably

      "They found that many developers do not understand Spring"

      Problem java EE over engineered complex bloated.

      Solution over engineered, complex bloated framework -- duh.

      1. Mookster

        Re: General issue

        '"They found that many developers do not understand Spring"

        Problem java EE over engineered complex bloated.'

        Er, Spring pretty much replaces Java EE. You can use Tomcat instead of JBoss...

        1. Aitor 1 Silver badge

          Re: General issue

          Spring is a black box... c'mon, its auto-everything works "most of the time", and makes heavy use of reflection.

          Now, I understand the reasons... and I make heavy use of reflection myself and at times use Spring... but it is the wrong answer because it just doesn't make sense with Java.

          If I wanted (and I do) something like Spring, I would use a language better suited for it. That includes both Python and javascript. So maybe move on to node eh?

          Also, both Spring and Java EE have CRAP documentation. This documentation should include working examples, etc.. they do not cover the most basic principles and you have to be pretty knowledgeable about the subject to understand what they are saying in the docs. I am, but it was quite an uphill learning experience.

          So the conclusion is that using Spring and Java EE is difficult, and even more so to use it properly.. so it should be no surprise that the result is crap code.. make it easier and you will have better code.

          I remember my times with VB4-6. You could have very good code and practices, and easy to debug and maintain code.. but it was too easy to create crap compared to having decent practices.

          The expected result was obvious, and the decent ppl moved on/back to Java, C++, etc.

      2. james_smith

        Re: General issue

        Spring is the antithesis of Java EE. The article author seems to have confused Spring Security - an add-on for web authentication and authorisation - with the Spring Framework. The Spring Framework is pretty good, although there is a lot of deprecated stuff that is only there for backwards compatibility. Spring Security makes difficult stuff easier, but is a bit complex for the simple needs of most people.

    3. Orv Silver badge

      Re: General issue

      Minecraft is a bit of a special case. A lot of people don't run the latest version of Minecraft because repeated breaking API changes have caused many mod writers to give up on new versions. The sweet spot seems to be about 1.7.10, latest is 1.12.something I think?

      1. Pascal Monett Silver badge

        1.12.2 now. I totally agree and understand your point of view.

        It is the very reason why I have abandoned adding mods and community upgrades to my Minecraft server. It's useless, mods are never updated as fast as the core game changes. My little group sticks to vanilla Minecraft and things work out fine like that.

        Going back to the original subject though, I can hardly believe that programmers these days still don't know that MD5 and SHA-1 are not reliable. I'm a Notes developer and don't use either of those functionalities but even I have heard about SHA-1 and how badly it has held up to modern hacking techniques. With all the news that we are bombarded with describing how major companies have been pwned because they did not update their tech to SHA-3. Who am I kidding? Most of them need to simply stop storing passwords in plaintext and start hashing and salting them in the first place.

        1. David 55

          Did you just say you are a Notes developer? Like Lotus Notes? In 2017?

          1. Pascal Monett Silver badge

            @David 55

            Yes, IBM Notes developer. Domino is still supported until 2022+.

            But I do agree that my list of clients is on a very straight downward incline.

        2. Anonymous Coward

          They do not

          I can assure you.. I work with a couple of quite talented programmers. They DO know the differences.. but when I worked for a huge company.. well, I was the person to go to about security.

          And what happened? they asked me, I told them the right answer, and they implemented the easier one.

          Including the national ID system... the first implementation was wrong, I told them so, they just ignored me.

          Anon, as I don't want to be identified, and should probably not be seen saying these things...

  5. Bluto Nash

    RTFM

    In other news, sky blue, water wet.

    1. Warm Braw Silver badge

      Re: RTFM

      The SO problem mostly results from the fact there isn't an FM to R any more.

      An automatically-generated list of methods and properties doesn't become "documentation" just because that's the title of the link to it - but that seems to be considered the gold standard these days.

      1. Gene Cash Silver badge

        Re: RTFM

        Bingo! Back in the bad ol' days, you at least had K&R to help get up to speed on C.

        There's no equivalent for Java. I'm sure I don't have to explain to this crowd just how much all the Java books suck.

        1. This post has been deleted by its author

          1. Adam 52 Silver badge

            Re: @Gene Cash RTFM

            Did you mean Joshua Bloch?

            But the problem with Java is not the Java language itself, it's the awful libraries and frameworks bolted on. And the memory management.

            1. Joerg

              Re: @Gene Cash RTFM

              Oh well the lack of proper real Multiple Inheritance support in Java is a programming headache .. you need to use the Java Interfaces to mimic it .. and that is not good at all.

              1. Roo

                Re: @Gene Cash RTFM

                "Oh well the lack of proper real Multiple Inheritance support in Java is a programming headache .. you need to use the Java Interfaces to mimic it .. and that is not good at all."

                I can't say that I missed MI in Java that much - but in fairness I do tend to use an "interface" style of coding in C++ - simply because it reduces the chances of Mr & Mrs Cockup paying a visit.

                My top Java headaches are the lack of unsigned int & the total disregard that Java has for the host OS - I see thousands of lines of code to replicate OS calls and JNI bollocks for basic stuff like setting an env var on a daily basis. I get that Java was intentionally ignorant of the OS - but that really is a massive handicap when you are running grown up apps that really do need to talk to the OS to get their work done.

                If I had to choose between proper integration with the host OS or MI, I think I'd choose the former every time. YMMV :)

              2. james_smith

                Re: @Gene Cash RTFM

                Joerg: "Oh well the lack of proper real Multiple Inheritance support in Java is a programming headache .. you need to use the Java Interfaces to mimic it .. and that is not good at all."

                Never found a situation where I needed multiple inheritance, and the interface approach encourages composition over inheritance - which I consider to be a very good thing.

            2. HmmmYes Silver badge

              Re: @Gene Cash RTFM

              Err.

              And the syntax.

              And the 5 or 6 GUI libraries it ships with.

              Oh, RMI - RPC does not work when there's state.

              And the IDEs.

        2. This post has been deleted by its author

  6. Version 1.0 Silver badge

    Security? Sure, we've heard of it.

    It's not just Java. It seems to me that most programming languages these days make it easy to create code that is riddled with leaks and problems - and often very hard to spot. Our cut 'n paste programming style propagates minor errors and hides them - and we call this a "feature" aka OOPs.

    SO is useful - often as a bad example but there are lots of good pointers there too if you are looking for a solution. Chances are you won't find the solution but you'll get some good pointers as to where to look.

  7. rmullen0

    Too much reliance on third party open source libraries too

    I think things are way out of hand with a lot of applications. Developers are way too eager to use every third party library under the sun to do things. How about write a few lines of code instead of pulling in another Maven dependency? I think it is ridiculous. The golden rule that I follow is KISS and don't add tons of dependencies to a project. People just blindly trust the dependencies. When it comes down to it, you have no idea how trustworthy the code is. There is no way you are going to completely review it and if you are getting it from something like Maven, it is constantly changing. One of the things I hate the most about Java is the fact that everyone is using third party libraries instead of what is just built into the platform. I.e. using Struts, Spring etc. instead of using standard Java EE. If you don't keep things simple and minimal, you are just asking for trouble IMHO.

  8. Sssss

    This is surprising why? I am among professionals, and it is surprising the way they think. Even with the engineers I have to squint the proverbial eye and look hard at them, to see if they are right. I know three international engineers, each with a good reputation, and while I would trust them to do a good job, I feel like their minds are sponges. So even among engineers there are great and otherwise engineers. The problem these days is there are a lot of not so great people becoming computer programmers, games maybe to blame. Engineers a bit tougher, you do stuff wrong, people die etc. With application programmers you do stuff wrong, it can cause angst to millions of users and waste so much of their time, it is like lifetimes wasted. But as not many people die from the application bug, it slips people's attention of the absurdity of costing $100's millions dollars of people's 'lives' on a ten million net profit application. By application I should just say consumer side stuff, including OS's, and not really mission critical stuff. Where are the good people getting sucked up to? Higher paid, not so productive jobs.

    Now, you come along to these professionals, and they give you their 'opinion', based on their experiences and peer impression (a sort of peer pressure I am describing). So, why be surprised when it doesn't turn out right. Much like a doctor that thinks it shines out of his side of the profession, very incomplete competency, but enough to bamboozle other incompetents, and psychologically make the opinion giver feel good, with mistakes transferred to the patient as the source of issues rather than face up to them. But they lack real ability to look into things and think of better solutions. They have formalised memory structures (opinions based on etc) but are not so good at generating new information. It is not as they testify in court, that they did all they knew to, they should know to do more to achieve better (meaning, get off the backside to look into things and establish truthful extent of certainty). Not being a raving skeptic instead, who just grabs onto things that bolster his objective, from other people unable to properly analyse them (thinking the sun shines from their crowd and their ideology). (If you see fancy bow ties and suits in an interview, be warned. There seems to be a certain low grade intellectual psychology at work in these people). Memory of knowledge is not everything, but knowing what to do with it, to also properly understand it. Called wisdom)...

    So, you ask people, and you get in a mirror dully, a part answer that somewhat answers it.

    Now, I've said this to forum moderators before. What is needed, is to start a wiki of structure knowledge and solutions. Rate the solutions and rate for correctness and issues. Then, when somebody looks up a problem, and then the solution, they have it not only clearly laid out, they have the weight of knowledge of how good and how bad it is, and wherever it just is outdated or should be left alone. Combined with a multiple level programming course, people can find their way around with minimal forum time wasted. It takes time, and people to systematically analyse things and old posts.

    1. Orv Silver badge

      Engineers a bit tougher, you do stuff wrong, people die etc. With application programmers you do stuff wrong, it can cause angst to millions of users and waste so much of their time, it is like lifetimes wasted. But as not many people die from the application bug, it slips people's attention of the absurdity of costing $100's millions dollars of people's 'lives' on a ten million net profit application.

      I think some of the difference in attitude is because when people buy software, they agree to not hold the developers responsible for any failures. People crossing a bridge, say, do not sign similar waivers and are likely to sue if the bridge collapses. There's no legal or financial incentive to make software more reliable.

  9. a_yank_lurker Silver badge

    Source?

    One thing I have noticed about Java is its tendency to bloat by design with needlessly complicated code. Any Java library will suffer from this problem. The bloat makes the code more difficult to understand, maintain, and utilize.

  10. TeeCee Gold badge

    SO + Java =

    Write once, exploit everywhere.

  11. LeahroyNake Bronze badge

    I know it's wrong

    It's not just Java.... Googling (I haven't signed their Dev agreement; ) for info on php mysql returns a LOT of code that can be copy / paste and work the way you need it to.

    I had to write a service management system as the old one was running on W2K and the upgrade was over £20K. A week later we had a working system. .. I have spent the last several years rewriting it after learning php properly.... slightly more secure now :o

  12. Orv Silver badge

    Stack Overflow answers also recommended trusting all SSL/TLS certificates to bypass cert verification errors, even though this disables SSL security checks.

    This isn't just a Java problem, it's a problem everywhere. A disturbing number of people using the Forge JavaScript TLS library, for example, write code that responds to verification error callbacks with "return true;" Likewise almost everyone configuring a WPA2 Enterprise network on Linux turns off certificate verification, because configuring it to work is non-trivial, especially when the connection you'd use to download the cert is the same one you're trying to set up.

    This is really tempting when you're just trying to make things work, especially when your code lacks access to the system's certificate store, but honestly it should be seen as utterly unworkmanlike. It's the sort of coding habit we may just need to shame people out of.
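    The trust-all pattern Orv describes, next to the form that actually verifies the certificate chain and the hostname, as an added Java example not taken from the comment or from any project. The `TlsTrustDemo` class name, the truststore path and password are placeholders; the `main` only compares what each trust manager vouches for, so it runs offline.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TlsTrustDemo {

    /** The copy-pasted "fix" for certificate errors: every chain passes, so anyone on the
     *  network path can present any certificate and be accepted as the real server.
     *  Shown only so the pattern can be recognised and replaced. */
    static X509TrustManager trustEverything() {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    /** The correct form: trust only the CAs in an explicit truststore.
     *  trustStorePath/password are placeholders for your own file (e.g. a PKCS12 holding
     *  just your private CA, which also solves the "I can't reach the system store" case);
     *  pass null as the path to use the JDK's default cacerts instead. */
    static X509TrustManager trustStoreOnly(String trustStorePath, char[] password) throws Exception {
        KeyStore ks = null;
        if (trustStorePath != null) {
            ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(trustStorePath)) {
                ks.load(in, password);
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                   // null -> the JDK default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    static SSLContext contextFor(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    /** A raw SSLSocket does not compare the certificate's name to the host unless told to;
     *  without this, a valid certificate for any other site would still be accepted. */
    static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");   // turn on hostname verification
        socket.setSSLParameters(params);
        socket.startHandshake();                               // chain and hostname checked here
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // A trust manager that vouches for no issuers yet rejects nothing is the telltale sign.
        System.out.println("trust-all accepted issuers: "
                + trustEverything().getAcceptedIssuers().length);
        System.out.println("default truststore issuers: "
                + trustStoreOnly(null, null).getAcceptedIssuers().length);
    }
}
```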

  13. Anonymous Coward

    Copy and paste Jedi

    I have a couple of coworkers with Jedi grade copy and paste skills. They can create an entire project, with full unit tests, that is copy-n-paste-with-changes from another project. It looks so legit that it passes peer review by others. There were some awesome tricks to faking the unit tests. One coder's unit tests consumed a huge amount of sample data through a source that was, through roundabout means, a singleton iterator with one value. The first unit test validated that data existed. After that, the iterator was depleted and all other very complicated looking unit tests were no-ops. Another coder used a stubbed method to generate a NullPointerException while initializing each test, and then caught that exception in a misleading way using incorrect indentation.

    1. HmmmYes Silver badge

      Re: Copy and paste Jedi

      But with the crap syntax and helpful IDE, that's what Java is - a cut'n'paste language.

      And the problem is there's so much syntax that it hides what the code is actually doing.

    2. Anonymous Coward

      Re: Copy and paste Jedi

      Cheating and gaming of systems is what the kids learn at school today!

      Teachers teach the test, students study to do the test, students carefully do only the work / courses that gives good grades, students even cheat to get good grades.

      But, like those PHB's in the private sector, the NPN-plonkers in guvmint like this easily identifiable progress so even more money is invested in the institutions with the most Wowzerz test scores.

      The robots are coming anyway so as long as the robots do not figure out that there are KPI's to be gamed, we are OK.

  14. John Smith 19 Gold badge

    "There is always a risk when developers use code they do not fully understand,"

    Which if it's one of the code monkeys who "write" IoS stuff would in fact be all code.

  15. David 55

    Remove MD5?

    Obviously using MD5 for security purposes in a new application isn't a great idea, but it's still a commonly used hash, especially for legacy purposes. Completely removing it will just lead to people using crappy 3rd party implementations, which would be worse for security in the end.

    1. brotherelf

      Re: Remove MD5?

      It's probably worse — there might be some HashFactory abstraction which in absence of explicit settings either is documented or required-by-compatibility-with-Java-1.1 to use md5.

      And nobody will set the hash function explicitly, because setting "SHRMBLFRZ-312-CBC-NSA-712" might not work in the previous or next release, and then it's either a hardcoded magic value or a config setting that must not be changed on pain of invalidating all pre-existing hashes. (Yes, there's probably an IAbstractHashFunction interface implemented by nobody, and an AbstractHashFunctionFactoryFactory that would use it, but since nobody will be able to see what the code is doing between the architectural boilerplate, everybody will just call the static function hidden in a util package somewhere that it boils down to.)

      And also, no, if somebody asks for a general "along what lines do I get this to work", I wouldn't explicitly set a scheme either, or hand-hold them through all the exception handling. Reading comprehension is required.

    2. Aitor 1 Silver badge

      Re: Remove MD5?

      There are plenty of good reasons to use it.. I still use it.

      The main use is to pre-verify if something is what you are looking for.. and THEN properly checking it, as collisions might have occurred.

      The problem is using it to create "secure" channels, etc.

  16. steve11235

    SO Isn't Evil and Java Is Not The Problem

    I agree that SO is not documentation, and that you can't rely on anything someone posted there at face value. However, it provides indispensable advice that is the result of crowdsourcing. I rely heavily on SO simply because I typically find good advice there. I also contribute occasionally and, once in a while, say something stupid. Generally, that gets downvoted in a hurry.

    Java != JEE, and Spring is an independent framework. Java does not have large security issues, apart from browser embedding. JEE is too complex, but I don't hear about security issues. Spring is great, but the documentation is thin, and security is always hard. However, even though I don't work in security, I know enough to check which standards are up-to-date and secure and not to bypass security features in Production.

    The article made some valid points, but, overall, it seems a bit biased.

  17. Anonymous Coward

    Stackoverflow already have a recommendation on this issue

    How to Warn of Serious Issues in Code Unrelated to Question?

    https://meta.stackoverflow.com/questions/266339/how-to-warn-of-serious-issues-in-code-unrelated-to-question

    Answer: Just leave a big bold Warning comment for future readers

  18. Destroy All Monsters Silver badge

    RTFM? No, UTFM-IIE (Understand the effing manual if it exists)

    Currently wading through a horrorshow of Spring JPA (an abstraction (JPA) on an abstraction (Hibernate) to solve problems that should never have been solved (mapping Objects holding live references to composable Tuplesets holding keys/names, with Transactions grouping operations on the tuple language but not on the object language), reglued under the Spring Data umbrella, with Spring Boot thrown in, and Annotations everywhere (is there an analysis tool that tells me that the annotated code even makes sense?).

    The code has been put together by previous consultants, apparently cribbed from ancient grimoires, mixed with random thoughts and cooked with fresh coding skills. It gives everything an aura of Bad Juju and the impression that it could blow up anytime outside of (barely present) unit tests.

    Should I throw out everything and just use plain Spring JDBC Templates? Unfortunately, my contract doesn't last that long.

    1. aftermath99

      Re: RTFM? No, UTFM-IIE (Understand the effing manual if it exists)

      Spring autowired annotations are evil!

    2. Anonymous Coward

      Re: RTFM? No, UTFM-IIE (Understand the effing manual if it exists)

      Unfortunately, my contract doesn't last that long.

      Since you asked and are coming up short - Find a backdoor or two, wait till it goes live and then collect the bug bonus - or - sell it to some TLA. The latter is probably a safer and better business, companies have been known to shoot messengers.

  19. aftermath99

    Having read some of the pdf - why would this article be titled "Java Security ..." ? This is to do with various frameworks like Spring, and libraries like Bouncy Castle, etc. A better title might be "Java libraries have security issues when coupled with bad programming practices" but that is not as sensationalist.

  20. stu 4

    Java plagued by crappy docs, complex APIs, bad advice

    there - ftfy.

  21. Anonymous Coward

    SO is only as good as we all make it...

    ... so the correct thing to do is add the updated information, explaining why earlier answers are out of date, and let it all sort itself out. The best devs will find the corrections, karma will deal with the rest eventually.


Biting the hand that feeds IT © 1998–2019