
Why do modern companies choose Kotlin for server-side development?


Kotlin is concise, simple and easy to debug, and now Kotlin applications are also easy to secure with Contrast’s new, Kotlin-tuned AppSec testing.

Kotlin — which originated in 2010 at JetBrains and has been open source since 2012 — is a statically typed programming language that runs on the Java Virtual Machine (JVM), on Android and in the browser.

The appeal of Kotlin is that it gives you the ability to essentially create a web app with one language on both front and back end. 

Here are some unique qualities of Kotlin:

Interoperability — Kotlin is designed with Java interoperability in mind: it can call existing Java code directly. In many applications, Kotlin and Java are used interchangeably and coexist in the same code base.

Readability — Developing software is a complex process. It requires a variety of tasks, including coding, designing and testing. Kotlin has taken a lot of boilerplate code away from developers and put it into classes, which leads to more concise code.

Null Safety — One of the most common pitfalls in many programming languages, including Java, is that accessing a member of a null reference results in a null reference exception; in Java this is the NullPointerException, or NPE for short. Kotlin’s type system aims to eliminate the danger of null references, what has been referred to as The Billion Dollar Mistake.

Generics — Generics can be confusing, even to experienced developers. Kotlin has improved upon Java: for instance, there is no relation between Car<Int> and Car<Number>, Car<Unique> or Car<Nothing>. This prevents a class of runtime failure that is one of the issues faced in Java.

Exceptions — Java has the unusual concept of checked exceptions, which were designed to solve the problem of error-prone error handling. Kotlin does away with that problem: it has no checked exceptions, and every exception carries a message, a stack trace and an optional cause, and extends the same Throwable class.

Smart Casts — The idea of a smart cast is to avoid using the cast operators (the unsafe cast operator “as” or the safe cast operator “as?”) to explicitly cast something that was already checked. When a variable passes an “is” or “!is” check in Kotlin, the compiler automatically casts it to the target type within the scope where that check holds, instead of the Java pattern of an “instanceof” check followed by an explicit cast.

Singletons — A singleton class is a class that can have only one object (an instance of the class) at a time. In Java, a singleton is hand-written as a dedicated Singleton class. In Kotlin, a singleton is declared with an object declaration, including the companion object. An object can have functions, properties and an init block.
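The null-safety, smart-cast and object-declaration features described above, in one added Kotlin example (not code from the original post); `AuditLog`, `Validated` and `validateUserId` are invented names, and the inputs are constructed to stand in for a decoded, untrusted request field.

```kotlin
// Added example (not from the original post): null safety, smart casts and an
// object singleton, applied to a value of unknown type from an untrusted source.
import java.util.concurrent.atomic.AtomicLong

// Singleton via an object declaration: exactly one instance, set up in `init`.
object AuditLog {
    private val counter = AtomicLong()
    init { println("AuditLog ready") }
    fun record(msg: String) = println("[${counter.incrementAndGet()}] $msg")
}

// Result type for validation: a sealed hierarchy keeps the `when` below exhaustive.
sealed class Validated {
    data class Ok(val userId: Long) : Validated()
    data class Rejected(val reason: String) : Validated()
}

// `raw` is nullable and of unknown type, as a decoded JSON field would be.
fun validateUserId(raw: Any?): Validated {
    // Null safety: the compiler forces us to deal with null before using `raw`.
    if (raw == null) return Validated.Rejected("missing user id")
    // Smart cast: after the `!is` check returns early, `raw` is a String in the
    // rest of the function, with no explicit `as` cast.
    if (raw !is String) return Validated.Rejected("user id must be a string")
    val id = raw.trim().toLongOrNull()     // String members available here
        ?: return Validated.Rejected("user id is not numeric")
    return if (id > 0) Validated.Ok(id) else Validated.Rejected("user id out of range")
}

fun main() {
    // Constructed sample inputs (assumed shapes, not real requests).
    val samples = listOf<Any?>(null, 42, "12abc", " 1007 ", "-5")
    for (s in samples) {
        when (val v = validateUserId(s)) {
            is Validated.Ok -> AuditLog.record("accepted user ${v.userId}")      // v smart-cast to Ok
            is Validated.Rejected -> AuditLog.record("rejected '$s': ${v.reason}")
        }
    }
    // Safe cast `as?` yields null instead of throwing ClassCastException.
    val n: Int? = samples[2] as? Int
    println("safe cast of a String to Int?: ${n ?: "null, as expected"}")
}
```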

Best practices to avoid Kotlin security issues

  • Avoid SQL injection by never building SQL queries with string concatenation. Instead, use a PreparedStatement, Spring JdbcTemplate or frameworks like Hibernate, iBatis, etc. to handle communication with the database.
  • Keep the Open Web Application Security Project (OWASP) Top 10 vulnerabilities in check.
  • Check input against a whitelist of allowed characters to avoid cross-site scripting (XSS).
  • Avoid old versions of software.
  • Conduct threat modeling to understand the various security threats posed to the application.
  • Use known and tested libraries. For application security, Spring Security is the de facto standard. It offers a wide range of options and the flexibility to fit any app architecture, and it incorporates a range of security approaches.
  • Beware of external input. SQL injection and XSS are just the most commonly known attacks that can result from mishandling external input. Whenever you receive input, it should be sanity-checked and sanitized. Always use prepared statements to handle SQL parameters. Also, watch out for denial of service (DoS) attacks.
  • Keep the implementation hidden. Don’t reveal implementation details via error messages.
  • Keep security releases up to date. Auto-update where possible.
  • Scan for dependency vulnerabilities. There are many tools available to automatically scan your codebase and dependencies for vulnerabilities; all you have to do is use them. OWASP, an organization dedicated to improving code security, offers a list of trusted, high-quality, automated code-scanning tools that includes several Java-oriented tools.
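An added Kotlin example (not from the original post or from Contrast’s products) of the first and third practices above: the string-concatenation query beside its PreparedStatement replacement, plus a whitelist check on the input. It assumes an H2 in-memory JDBC driver on the classpath; the table rows and inputs are constructed.

```kotlin
// Added example (not from the original post): the concatenation bug the list
// warns about, the PreparedStatement fix, and a whitelist check on input.
// Assumes the H2 driver (jdbc:h2:mem) is on the classpath.
import java.sql.Connection
import java.sql.DriverManager

// Whitelist: 3-32 characters of [A-Za-z0-9_.-]; anything else is rejected
// outright instead of trying to strip "dangerous" characters.
private val USERNAME = Regex("^[A-Za-z0-9_.-]{3,32}$")
fun isValidUsername(name: String) = USERNAME.matches(name)

// VULNERABLE: the input becomes part of the SQL text, so a value containing
// a quote changes what the query means.
fun findUserUnsafe(conn: Connection, name: String): List<String> {
    val sql = "SELECT username FROM users WHERE username = '$name'"
    conn.createStatement().use { st ->
        st.executeQuery(sql).use { rs ->
            return generateSequence { if (rs.next()) rs.getString(1) else null }.toList()
        }
    }
}

// FIXED: the value is bound as a parameter and is never parsed as SQL.
fun findUserSafe(conn: Connection, name: String): List<String> {
    require(isValidUsername(name)) { "username rejected by whitelist" }
    conn.prepareStatement("SELECT username FROM users WHERE username = ?").use { ps ->
        ps.setString(1, name)
        ps.executeQuery().use { rs ->
            return generateSequence { if (rs.next()) rs.getString(1) else null }.toList()
        }
    }
}

fun main() {
    DriverManager.getConnection("jdbc:h2:mem:demo").use { conn ->
        conn.createStatement().use {
            it.execute("CREATE TABLE users(username VARCHAR(32))")
            it.execute("INSERT INTO users VALUES ('alice'), ('bob')")   // constructed rows
        }
        val hostile = "' OR '1'='1"   // textbook input that breaks the concatenated query
        println("unsafe: " + findUserUnsafe(conn, hostile))   // every row comes back
        println("safe:   " + findUserSafe(conn, "alice"))      // [alice]
        runCatching { findUserSafe(conn, hostile) }             // fails the whitelist
            .onFailure { println("safe:   rejected -> ${it.message}") }
    }
}
```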

In short, Kotlin has come a long way, even if it is still in the early stage of version 1.6. Kotlin code has fewer security issues and is more concise than Java code, and it does away with the need for a lot of boilerplate. Kotlin is not just useful for new apps; its files can also coexist with Java files, even in existing applications.

Contrast can help with Kotlin Application Security issues

Kotlin is just getting started. Don’t ignore it!

Contrast Security certainly hasn’t. Given all the Kotlin goodness outlined above, there are plenty of reasons to consider application security testing that’s tuned and optimized for the language. Despite the capabilities designed into Kotlin to keep application developers out of trouble, security bugs — including injection vulnerabilities, misconfigurations and other issues that could potentially lead to exploit — will inevitably get into code. Finding and fixing these Kotlin security risks early in the development cycle is critical.

In order to find and fix those Kotlin security issues, Contrast has provided the first instrumented — inside out — solution for detecting vulnerabilities in Kotlin applications, expanding Contrast’s application security platform capabilities to cover this valuable language and to ease the work of those who use it. Contrast’s new Kotlin application security offering enables AppSec & dev teams to instrument and thus test Kotlin apps during runtime, with higher accuracy and reduced manual intervention. 

Contrast provides a suite of products — including Interactive Application Security Testing (IAST), Static Analysis Security Testing (SAST), Runtime Application Self-Protection (RASP), Software Composition Analysis (SCA) and more — that will deal with Kotlin application security issues and help you ship better and more secure applications.

If you’re not yet a Contrast customer, please contact us to discuss participation. If you are an existing Contrast customer, please ask your support or customer success representative for access.


Utsav Maheswari, Product Manager, Contrast Security

Utsav Maheswari has been building JVM products throughout his decade-long career. He is passionate about Java, Scala, Kotlin and Security products and now leads JVM agent in Contrast.