Secure Coding
Thirteen rules for developing secure Java applications
From InfoWorld
- I did not know that Java had a security package/API.
- And, as we are also told, we should be thinking about security at every stage: from class-level language features to API endpoint authorization.
The GIST - The Rules
- Write clean, strong Java code: keep it simple, use access modifiers (e.g. private), avoid reflection and introspection, define the smallest possible API.
- Avoid serialization:
- Never expose unencrypted credentials or PII.
- Use known and tested libraries - don't write your own security mechanism. Spring Security is the de facto standard and offers a wide range of options. Makes a good point about JSON Web Tokens and using Spring Security.
- Be paranoid about external input - never trust external input.
- Always use prepared statements to handle SQL parameters.
- Don't reveal implementation details via error messages.
- Keep security releases up to date.
- Look for dependency vulnerabilities (see the Open Web Application Security Project, OWASP).
- Monitor and log user activity.
- Watch out for Denial of Service (DoS) attacks.
- Consider using the Java security manager - used to restrict the resources a running process has access to (note: deprecated for removal since Java 17, JEP 411).
- Consider using an external cloud authentication service.
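The three rules about untrusted input, prepared statements and error messages fit in one piece of code. The following is an added example, not code from the InfoWorld article: a user lookup written the unsafe way (SQL text built by concatenation) next to the hardened version. The `users(name, email)` table, the `Connection` handed to the constructor and the allow-list pattern are all assumptions for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

/**
 * Added example (not from the article). Assumes a table users(name, email)
 * and a JDBC Connection supplied by the caller.
 */
public final class UserLookup {
    private static final Logger LOG = Logger.getLogger(UserLookup.class.getName());

    // Allow-list for user names (assumption): 3-32 characters from letters,
    // digits, dot, underscore and hyphen. Anything else is rejected up front.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{3,32}$");

    private final Connection conn;

    public UserLookup(Connection conn) {
        this.conn = conn;
    }

    /**
     * The "before": the untrusted name becomes part of the SQL text, so the
     * database cannot tell data from query. Kept here only for contrast.
     */
    public Optional<String> findEmailUnsafe(String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? Optional.of(rs.getString("email")) : Optional.empty();
        }
    }

    /**
     * Hardened version: validate the input against an allow-list, bind it as
     * a parameter so it is sent separately from the SQL text, and keep driver
     * details out of what the caller sees when something fails.
     */
    public Optional<String> findEmail(String name) {
        if (name == null || !USERNAME.matcher(name).matches()) {
            return Optional.empty();
        }
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name); // bound parameter, never spliced into the SQL text
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString("email")) : Optional.empty();
            }
        } catch (SQLException e) {
            // Full detail goes to the server-side log for operators; the caller
            // only learns that the lookup failed, not the SQL, table or driver.
            LOG.log(Level.WARNING, "user lookup failed", e);
            throw new IllegalStateException("lookup failed");
        }
    }
}
```

Call `findEmail` from request-handling code and map the `IllegalStateException` to a generic error response; the `SQLException` message, which often echoes the query and the database product, stays in the log.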
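For the "avoid serialization" rule, the case that matters in practice is the one where Java serialization cannot be removed yet. The following is an added example, not code from the article: it uses the `ObjectInputFilter` API available since Java 9 to allow only one expected class, reject every other class, and cap graph depth and array sizes. The `Greeting` type and the filter limits are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/** Added example (not from the article): deserialization behind an allow-list filter. */
public final class FilteredDeserialization {

    /** Constructed payload type: the only class the application expects to receive. */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Filter pattern (assumed limits): at most 5 levels of nesting, arrays of at most
    // 1000 elements, Greeting and String allowed, and "!*" rejects every other class.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;" + Greeting.class.getName() + ";java.lang.String;!*");

    /** Reads one object from untrusted bytes; any class outside the allow-list is rejected. */
    public static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER); // must be set before readObject()
            return in.readObject();
        }
    }

    /** Helper to produce sample streams for the demonstration below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected class: accepted.
        Greeting g = (Greeting) readFiltered(serialize(new Greeting("hello")));
        System.out.println("accepted: " + g.text);

        // Any other serializable class, here a plain ArrayList, is rejected by the
        // filter before its readObject logic runs.
        try {
            readFiltered(serialize(new java.util.ArrayList<>(java.util.List.of(1, 2, 3))));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection surfaces as an `InvalidClassException` whose message reports the filter status, so it can be logged and alerted on as a sign that unexpected stream contents reached the service. A process-wide default can also be set with the `jdk.serialFilter` system property instead of per stream.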