Developing secure enterprise Java applications
Java applications are not immune to Web attacks, but there are steps you can take now to ensure your applications' security -- before attackers set their sights on them.
Increasingly, Web applications are under attack, which has companies scrambling to make sure their applications are secure. Java applications are not immune to this, unfortunately, but there are steps you can take now to ensure your applications' security -- before attackers set their sights on them.
These articles offer tips and information specific to Java application security. They'll help you understand the basics of Java application security and then give you details for approaching this issue.
If you know of an article, tip, tool or code sample that should be included, send me an e-mail with the information and I'll add it. -- Michelle Davidson, Site Editor.
TABLE OF CONTENTS
- Java developers can't afford to ignore app security
- How to integrate security into your SDLC
- Mini-tutorial: The Java security model
- Introduction to J2EE security
- Enterprise Java security fundamentals
- Java insecurity
- Securing your enterprise: Web application and Web services security (PDF)
- Java security evolution and concepts, Part 1: Security nuts and bolts
- Java security evolution and concepts, Part 2: Discover the ins and outs of Java security
- Java security evolution and concepts, Part 3: Applet security
- Java security evolution and concepts, Part 4: Learn how optional packages extend and enhance Java security
- Java security evolution and concepts, Part 5: J2SE 1.4 offers numerous improvements to Java security
- Secure a Web application, Java-style
- Twelve rules for developing more secure Java code
- How to create secure Web applications with struts
- J2EE security: Container versus custom
- Create an anonymous authentication module
- OWASP Guide to Building Secure Web Applications and Web Services, Chapter 10: Authorisation
- OWASP guide to building secure Web applications and Web services, Chapter 9: Authentication
- OWASP Guide to Building Secure Web Applications and Web Services, Chapter 11: Session Management
- Exploring J2EE security for applications using LDAP
- The power of JAAS: Security system alternatives
- Secure your Java apps from end to end, Part 1
- Secure your Java apps from end to end, Part 2
- A modular approach to data validation in Web applications (PDF)
- Securing your Java applications -- Acegi Security Style
- SSO and identity management
- JSP security for limiting access to application-internal URLs
- J2EE form-based authentication
- Top 10 most critical Web application security vulnerabilities
- Web application protection (PDF)
- Six ways to hack a Web app (PDF)
- Common security problems in the code of dynamic Web applications
- OWASP Guide to Building Secure Web Applications and Web Services, Chapter 13: Interpreter Injection
- Avoid the hazards of unvalidated Web application input
- Handling Java Web application input, Part 1
- Handling Java Web application input, Part 2
- Hacking Web applications using cookie poisoning (PDF)
- Anatomy of a hack: Cross-site scripting
- XSS vulnerabilities -- So underestimated, so dangerous
- Real World XSS
- Smack the stack -- Advanced buffer overflow methods
- No clear winner in .NET/J2EE security race
- Basic security: Java vs .NET
- Java vs. .NET security, Part 1
- Java vs. .NET security, Part 2
- Java vs. .NET security, Part 3
- Java vs .NET security: Epilogue
- JavaServer Faces and ASP.NET: A side by side look, Part 1
- JavaServer Faces and ASP.NET: A side by side look, Part 2
- What about .NET vs. Java security?
- Comparing Java and .NET security
- Rumble in the jungle: J2EE vs. .Net, Part 1
- Rumble in the jungle: J2EE vs. .Net, Part 2
- OWASP Guide to Building Secure Web Applications and Web Services, Chapter 8: Web Services
- Web services security for Java
- Web services security, Part 1
- Web services security, Part 2
- Web services security, Part 3
- Web services security, Part 4
- Java Web services
- Secure Web services
- Securing your enterprise: Web application and Web services security (PDF)
- Yes, you can secure your Web services documents, Part 1
- Yes, you can secure your Web services documents, Part 2
- Tech Talk: Ted Neward on Web services and security
- The Java Developers Almanac 1.4
- Security code examples
- Access control context and permission checker
- Printing security system trace messages
- Trace all debugging messages
- Generating a secure random number
- Generating a public/private key pair
- Generate symmetric keys
- Sample code for encryption and decryption of data
- Simplify enterprise Java authentication with single sign-on
Articles and reviews
- Secure Software Development and Code Analysis Tools
- JDK security tools
- Review: Series of tools helps shore up faulty coding
- PreEmptive package helps make obfuscation part of the SDLC
- Security in Struts: User delegation made possible
- Rolecall 1.0: Identity management framework
Tool Web sites
- Cenzic Hailstorm
- jManage 0.5.0, a security-focused JMX client
- Java Authentication and Authorisation Service (JAAS)
- Java Cryptography Extension (JCE)
- Java Secure Socket Extension (JSSE)
- Parasoft Jtest
- Parasoft WebKing
- Prexis: Automated Software Security Assurance Solution (Ounce Labs)
- Symantec i³ for J2EE
- Watchfire AppScan
- WebInspect (SPI Dynamics)
Do you have a question about enterprise Java security that you're having trouble getting answered? Java security expert Ramesh Nagappan can help. Read advice he has given or submit your own questions.
- Web Application Hacking Database
- Hackers centre
- WebGoat Project (OWASP tool designed to teach web application security lessons)
- Writing secure Web applications: Developer training (July 6-8, 2006)
- Application security training: Web application hacking
- Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management -- Chapter 8
- Hacking Java: The Java Professional's Resource Kit
- J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed)
- Hacking Exposed: Web Applications
- Web Hacking: Attacks and Defense
- Web application security podcasts
Send in your suggestions
Are there other topics you'd like to see learning guides on? Send site editor Michelle Davidson an e-mail at mdavidson@techtarget.com and let her know what they are.