Secure Coding in Java/JEE: Developing Defensible Applications Breakdown

Posted on October 20, 2012. Filed under: java/j2EE


The author created this free Secure Coding in Java/JEE study guide by collecting various free multimedia resources and code examples from the internet.

Do It Yourself (DIY) is the best way of learning secure Java coding, so I highly recommend that you set up a virtual machine and experiment with the defense techniques you learn here.

Beef up and defend your web!

Data Validation

Common Web App Attacks

Common Web App Defenses

Authentication, Session Management, and Access Control

Authentication, Authorization and Session Control

  • HTTP basic and Form-based Authentication
  • openssl and client-certificate-based Authentication
  • Session Management Basics
  • Cookies
  • request.getSession(true)

Common code vulnerability and attacks

  • Password-related developer mistakes
  • Dictionary/birthday paradox attacks
  • “forget my password” attacks
  • Hashing and rainbow table attacks
  • Session hijacking
  • Session fixation
  • <web-resource-collection> misconfiguration and Access Control Bypass
  • Unvalidated Redirects and Forwards
  • Pass the Hash Attack

J2EE built-in Authentication and Authorization mechanisms

Spring Security Framework
Java Simplified Encryption (Jasypt)

Java Language & Security APIs

Java Security Manager

Java Exception Handling & Logging

  • Java Exception Overview
  • Checked Exception vs Unchecked Exception
  • Exception Handling Common Pitfalls & Best practices
  • try catch finally block
  • Configure Exception Handling in web.xml <error-page>
  • Logging philosophy
  • Log categories (Perimeter devices, Server, Application, Database)
  • java.util.logging
  • org.apache.log4j
  • org.owasp.esapi.Logger & LogFactory
  • Log Forging

Encryption — JSSE & JCA

Java Language Hardening

Race Conditions

  • Java Threads Overview
  • Attacks related to Race Conditions
  • Three Ways of Preventing Race Conditions in Java
  • Deadlock and stale copies
  • Java Vector vs. ArrayList vs. CopyOnWriteArrayList (multi-threading)
  • java.util.concurrent overview
  • Java Singleton Common Pitfalls & Best Practices

Secure Development Challenge

References:

https://www.owasp.org/index.php/Cheat_Sheets

http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html

password protected links:

Test 1

Test 2
