Thirteen rules for developing secure Java applications

From infoworld

• I did not know that Java had a security package/API.

• and as we are also told we should be thinking about security at every stage.

  • from class level language features

  • to API endpoint authorization

The GIST - The Rules

1. Write clean, strong Java code: keep it simple, use class modifiers (aka private), avoid reflection and introspection, define small possible API

2. Avoid serialization:

3. Never expose unencrypted credentials or PII

4. Use known and tested libraries - don't use your own sec mechanism, Spring Security is the de facto standard - offers a wide range of options. Makes a good point about JSON Web Tokens and using Spring Security.

5. Be paranoid about external input - never trust external input.

6. Always use prepared statements to handle SQL parameters

7. Don't reveal implementation via error messages

8. Keep security releases up to date

9. Look for dependency vulnerabilities ~ the Open Web Application Security Project

10. Monitor and log user activity

11. Watch out for Denial of Service (DoS) attacks

12. Consider using the Java security manager - used to restrict the resources a running process has access to.

13. Consider using an external cloud authentication service

High-level resources for staying abreast of Java security landscape

• OWASP Top 10

• Free for Open Source Application Security Tools

• CWE Top 25

• Oracle's Secure Code Guidelines

• Secure Coding Guidelines for Java SE

• CORBA SECURITY: AN OVERVIEW

• SEI CERT Oracle Coding Standard for Java from Carnegie Mellon University

• Automated code reviews with Checkstyle, Part 1

• Introduction to CheckStyle