Developing secure enterprise Java applications

---

Increasingly Web applications are under attack, which has companies scrambling to make sure their applications are secure. Java applications are not immune to this, unfortunately, but there are steps you can take now to ensure your applications' security -- before attackers set their sights on them.

These articles offer tips and information specific to Java application security. They'll help you understand the basics of Java application security and then give you details for approaching this issue.

If you know of an article, tip, tool or code sample that should be included, send me an e-mail with the information and I'll add it. -- Michelle Davidson, Site Editor.

TABLE OF CONTENTS   Java Security Basics   Java Security Features and Mechanisms   Java Threats and Vulnerabilities   Java vs. .NET    Java and Web Services   Java Security Code Samples   Java Security Tools   Other Useful Resources

Java Security Basics

[Return to Table of Contents]

• Java developers can't afford to ignore app security
• How to integrate security into your SDLC
• Mini-tutorial: The Java security model
• Introduction to J2EE security
• Enterprise Java security fundamentals
• Java insecurity
• Securing your enterprise: Web application and Web services security (PDF)
• Java security evolution and concepts, Part 1: Security nuts and bolts
• Java security evolution and concepts, Part 2: Discover the ins and outs of Java security
• Java security evolution and concepts, Part 3: Applet security
• Java security evolution and concepts, Part 4: Learn how optional packages extend and enhance Java security
• Java security evolution and concepts, Part 5: J2SE 1.4 offers numerous improvements to Java security

Java Security Features & Mechanisms

[Return to Table of Contents]

• Secure a Web application, Java-style
• Twelve rules for developing more secure Java code
• How to create secure Web applications with struts
• J2EE security: Container versus custom
• Create an anonymous authentication module
• OWASP Guide to Building Secure Web Applications and Web Services, Chapter 10: Authorisation
• OWASP Guide to Building Secure Web Applications and Web Services, Chapter 9: Authentication
• OWASP Guide to Building Secure Web Applications and Web Services, Chapter 11: Session Management
• Exploring J2EE security for applications using LDAP
• The power of JAAS: Security system alternatives
• Secure your Java apps from end to end, Part 1
• Secure your Java apps from end to end, Part 2
• A modular approach to data validation in Web applications (PDF)
• Securing your Java applications -- Acegi Security Style
• SSO and identity management
• JSP security for limiting access to application-internal URLs
• J2EE form-based authentication

Java Threats & Vulnerabilities

[Return to Table of Contents]

• Top 10 most critical Web application security vulnerabilities
• Web application protection (PDF)
• Six ways to hack a Web app (PDF)
• Common security problems in the code of dynamic Web applications
• OWASP Guide to Building Secure Web Applications and Web Services, Chapter 13: Interpreter Injection
• Avoid the hazards of unvalidated Web application input
• Handling Java Web application input, Part 1
• Handling Java Web application input, Part 2
• Hacking Web applications using cookie poisoning (PDF)
• Anatomy of a hack: Cross-site scripting
• XSS vulnerabilities -- So underestimated, so dangerous
• Real World XSS
• Client side data validation: A false sense of security
• Smack the stack -- Advanced buffer overflow methods

Java vs. .NET

[Return to Table of Contents]

• No clear winner in .NET/J2EE security race
• Basic security: Java vs .NET
• Java vs. .NET security, Part 1
• Java vs. .NET security, Part 2
• Java vs. .NET security, Part 3
• Java vs .NET security: Epilogue
• JavaServer Faces and ASP.NET: A side by side look, Part 1
• JavaServer Faces and ASP.NET: A side by side look, Part 2
• What about .NET vs. Java security?
• Comparing Java and .NET security
• Rumble in the jungle: J2EE vs. .Net, Part 1
• Rumble in the jungle: J2EE vs. .Net, Part 2

Java and Web Services

[Return to Table of Contents]

• OWASP Guide to Building Secure Web Applications and Web Services, Chapter 8: Web Services
• Web services security for Java
• Web services security, Part 1
• Web services security, Part 2
• Web services security, Part 3
• Web services security, Part 4
• Java Web services
• Secure Web services
• Securing your enterprise: Web application and Web services security (PDF)
• Yes, you can secure your Web services documents, Part 1
• Yes, you can secure your Web services documents, Part 2
• Tech Talk: Ted Neward on Web services and security

Java Security Code Samples

[Return to Table of Contents]

• The Java Developers Almanac 1.4
• Security code examples
• Access control context and permission checker
• Printing security system trace messages
• Trace all debugging messages
• Generating a secure random number
• Generating a public/private key pair
• Generate symmetric keys
• Sample code for encryption and decryption of data
• Simplify enterprise Java authentication with single sign-on

Java Security Tools

[Return to Table of Contents]

Articles and reviews

• Secure Software Development and Code Analysis Tools
• JDK security tools
• Review: Series of tools helps shore up faulty coding
• PreEmptive package helps make obfuscation part of the SDLC
• Security in Struts: User delegation made possible
• Rolecall 1.0: Identity management framework

Tool Web sites

• AppSight for J2EE (Identify Software)
• Cenzic Hailstorm
• CodeAssure Suite (Secure Software)
• Fortify Source Code Analysis Suite
• Fortify Security Tester
• Fortify Application Defense
• jManage 0.5.0, a security-focused JMX client
• Java Authentication and Authorisation Service (JAAS)
• Java Cryptography Extension (JCE)
• Java Secure Socket Extension (JSSE)
• Parasoft Jtest
• Parasoft WebKing
• Prexis: Automated Software Security Assurance Solution (Ounce Labs)
• Symantec i³ for J2EE
• Watchfire AppScan
• WebInspect (SPI Dynamics)

Other Useful Resources

[Return to Table of Contents]

Expert advice on Java security Do you have a question about enterprise Java security that you're having trouble getting answered? Java security expert Ramesh Nagappan can help. Read advice he has given or submit your own questions.

• Discussion Forum: Java Security
• Web Application Hacking Database
• Hackers centre
• WebGoat Project (OWASP tool designed to teach web application security lessons)
• Writing secure Web applications: Developer training (July 6-8, 2006)
• Application security training: Web application hacking
• Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management -- Chapter 8
• Hacking Java: The Java Professional's Resource Kit
• J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed)
• Hacking Exposed: Web Applications
• Web Hacking: Attacks and Defense
• Web application security podcasts

Send in your suggestions
Are there other topics you'd like to see learning guides on? Send site editor Michelle Davidson an e-mail at mdavidson@techtarget.com and let her know what they are.