Developing secure enterprise Java applications

Increasingly Web applications are under attack, which has companies scrambling to make sure their applications...

are secure. Java applications are not immune to this, unfortunately, but there are steps you can take now to ensure application security -- before attackers set their sights on them. These articles offer tips and information specific to Java application security. They'll help you understand the basics of Java application security and then give you details for approaching this issue. If you know of an article, tip, tool or code sample that should be included, send me an e-mail with the information and I'll add it. -- Michelle Davidson, Site Editor.

TABLE OF CONTENTS    Java Security Basics    Java Security Features and Mechanisms    Java Threats and Vulnerabilities    Java and Web Services    Java Security Code Samples    Java Security Tools    Other Useful Resources

Java Security Basics

[Return to Table of Contents]

• Java developers can't afford to ignore application security: Application security is becoming more of a priority for Java developers. This article explains the basics.
• Secure SDLC: Integrating security into your software development life cycle: Expert Anurag Agarwal takes you step-by-step through this crucial security measure.
• Demystifying Java security -- Part 1: Java security expert Ramesh Nagappan explains Java Runtime Environment, Java security tools and Java applet security in this article.
• Demystifying Java security -- Part 2: Nagappan explains Java Web Start, Java extensible security architecture and APIs and and Java platform extensible security architecture and elements.
• Introduction to J2EE security: This chapter exerpt concentrates on authorization of J2EE applications.
• Enterprise Java security fundamentals: Comprehensive exerpt on the building blocks of Java app security.
• Java security evolution and concepts: Be sure to check out all four parts of this series.
• Part 5: J2SE 1.4 offers numerous improvements to Java security.

Java Security Features & Mechanisms

[Return to Table of Contents]

• Secure a Web application, Java-style: This article covers authentication methods, authorization methods and how to use some of the security features of Java apps.
• Enabling HTTPS in J2EE Web components: Ramesh Nagappan on impementing HTTPS (HTTP over SSL) for Web components like JSPs (Java Server Pages) and Java servlets.
• Twelve rules for developing more secure Java code: This 1998 article from Gary McGraw and Edward Felten may be old, but it's always important to write secure code.
• How to create secure Web applications with struts: Alex Smolen is generous with the code examples in this helpful article.
• J2EE security: Container versus custom: Long paper includes container authentication, JAAS, credential authentication and much more.
• Create an anonymous authentication module: Deals with implementing a CAPTCHA authenticaion system.
• OWASP Guide to Building Secure Web Applications and Web Services, Chapter 10: Authorization: These Open Web Application Security Consortium articles offer outstanding security information. Chapter 9 covers authentication and Chapter 11 handles session management.
• Exploring J2EE security for applications using LDAP: There are plenty of screenshots to guide you in this discussion, which includes key LDAP terms and enabling technologies.
• The power of JAAS: Security system alternatives: Charts lay out the architecture of the Java Authentication and Authorization Service.
• What's a good authentication method for Java?: Expert Ramesh Nagappan answers that question and includes information on JAAS, single sign-on (SSO), biometrics and more.
• Professional Java Development with the Spring Framework -- "Chapter 10: Acegi Security System for Spring" is a free chapter download explains in detail how to use Java/J2EE and Spring features within the Acegi security method.

Java Threats & Vulnerabilities

[Return to Table of Contents]

• Top 10 Web application security vulnerabilities: This Learning Guide is based upon the OWASP Top Ten application vulnerabilities.
• Java secure, but developers introduce vulnerabilities, report finds: When Java code is written without security in mind, serious vulnerabilities are much more likely.
• Common security problems in the code of dynamic Web applications
• OWASP Guide to Building Secure Web Applications and Web Services, Chapter 13: Interpreter Injection: Injection flaws are rampant. OWASP offers sound advice for eliminating these flaws form your Web apps.
• How to avoid LDAP injection in J2EE apps: Ramesh Nagappan on preventing LDAP and similar injection attacks in your J2EE applications.
• XSS prevention in Java: How to protect your Web applications from this popular and serious exploit.
• Myth-busting Web application buffer overflows: Jeremiah Grossman explains what causes buffer overflow, what these attacks can do, and how you can prevent them.

Java and Web Services

[Return to Table of Contents]

• OWASP Guide to Building Secure Web Applications and Web Services, Chapter 8: Web Services: Web services aren't inherently more vulnerable, but protecting them may require extra or differerent steps.
• Web services security for Java: Advice uniquely tailored to Java.
• Secure Web services in J2EE: Highlights Web services security features in J2EE and offers advice for implementing security.
• Web services security, Part 1: From O'Reilly. This four-part series deals with Web services security and guidelines from W3C and OASIS.
• Java Web services: This is a book by David A. Chappell and Tyler Jewell.
• Yes, you can secure your Web services documents, Part 1: This first part concentrates on XML Encryption.
• Yes, you can secure your Web services documents, Part 2: The second part deals with XML Signature.
• Making sense of Web services security standards: XACML, XKMS, SAML, XML DSIG and other acronyms are explained in this tip.
• Web services security a challenging endeavor: Java security expert Ramesh Nagappan goes over security risks and security methods associated with Web services and Java.

Java Security Code Samples

[Return to Table of Contents]

• The Java Developers Almanac 1.4: Java code for public and private keys, signatures, permissions and more.
• Security code examples: This is a repository of Java code security samples.
• Printing security system trace messages: Code is important for tracking debugging information.
• Trace all debugging messages: More debugging code.
• Generating a secure random number
• Generating a public/private key pair: Algorithm-generating code.
• Generate symmetric keys
• Sample code for encryption and decryption of data
• Simplify enterprise Java authentication with single sign-on: SSO code from IBM developerWorks.
• Cenzic unveils application security assessment tool: Cenzic releases Hailstorm Enterprise ARC (Application Risk Controller).

Java Security Tools

[Return to Table of Contents]

Articles and reviews

• Secure Software Development and Code Analysis Tools: You're bound to find some useful information in the 51 pages of this white paper from SANS.
• JDK security tools: This site offers many tool descriptions, allowing you to get a better picture before you purchase.
• Watchfire's Web app vulnerability scanner boosts automation, communication: Review of Watchfire's AppScan tool.
• SPI Dynamics targets Web 2.0 threats with WebInspect 7: Full descriptiong of this security scanner.
• Review: Series of tools helps shore up faulty coding: This is an assessment of CodeAssure Suite.
• Fortify Tracer fills in the app security blanks: Full description of this tool, which supplements black box testing.
• PreEmptive package helps make obfuscation part of the SDLC: Obfuscation can be a very effective security tool.
• Security in Struts: User delegation made possible: This is a review of the Jakarta Struts framework.
• Rolecall 1.0: Identity management framework: This article offers a full description of the SSO tool.

Tool Web sites

• AppSight for J2EE (Identify Software)
• Fortify Source Code Analysis Suite
• Fortify Application Defense
• Java Authentication and Authorization Service (JAAS)
• Java Cryptography Extension (JCE) : And our definition of JCE.
• Java Secure Socket Extension (JSSE)
• Parasoft Jtest
• Prexis: Automated Software Security Assurance Solution (Ounce Labs)
• Symantec i³ for J2EE

Other Useful Resources

[Return to Table of Contents]

Expert advice on Java security Do you have a question about enterprise Java security that you're having trouble getting answered? Java security expert Ramesh Nagappan can help. Read advice he has given or submit your own questions.

• Discussion Forum: Java Security: Lively discussion board from JavaWorld.
• Web Application Hacking Database: From the Web Application Security Consortium (WASC).
• WebGoat Project (OWASP tool designed to teach Web application security lessons)
• Application security training: Web application hacking
• Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management -- Chapter 8: This sample chapter from Ramesh Nagappan's book is free to SearchSoftwareSecurity.com members.
• Hacking Java: The Java Professional's Resource Kit
• J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed)
• Hacking Exposed: Web Applications
• Web Hacking: Attacks and Defense
• Web application security podcasts: From Mighty Seek.

Send in your suggestions
Are there other topics you'd like to see learning guides on? Send site editor Michelle Davidson an e-mail at mdavidson@techtarget.com and let her know what they are.