Secure Coding

Thirteen rules for developing secure Java applications

From InfoWorld

  • I did not know that Java had a security package/API.

  • And, as we are also told, we should be thinking about security at every stage:

    • from class level language features

    • to API endpoint authorization

The GIST - The Rules

  1. Write clean, strong Java code: keep it simple, use access modifiers (e.g. private), avoid reflection and introspection, define the smallest possible API

  2. Avoid serialization

  3. Never expose unencrypted credentials or PII

  4. Use known and tested libraries - don't roll your own security mechanism. Spring Security is the de facto standard and offers a wide range of options. The article makes a good point about JSON Web Tokens and using Spring Security.

  5. Be paranoid about external input - never trust external input.

  6. Always use prepared statements to handle SQL parameters

  7. Don't reveal implementation via error messages

  8. Keep security releases up to date

  9. Look for dependency vulnerabilities - see the Open Web Application Security Project (OWASP)

  10. Monitor and log user activity

  11. Watch out for Denial of Service (DoS) attacks

  12. Consider using the Java security manager - it restricts the resources a running process has access to.

  13. Consider using an external cloud authentication service
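
Rule 6 in code, as an added example that is not from the InfoWorld article: a user lookup written first with string concatenation, then with a bound parameter. The `users` table (columns `id`, `username`, `email`) and the JDBC `Connection` are assumed and not part of the page.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Optional;

/** Added example (not the article's code): rule 6 applied to a hypothetical users table. */
public final class UserLookup {

    // Vulnerable form: the untrusted value becomes part of the SQL text, so any
    // quote character in it changes the structure of the statement the database parses.
    static String buildQueryUnsafe(String username) {
        return "SELECT id, email FROM users WHERE username = '" + username + "'";
    }

    static Optional<String> findEmailUnsafe(Connection conn, String username) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildQueryUnsafe(username))) {
            return rs.next() ? Optional.of(rs.getString("email")) : Optional.empty();
        }
    }

    // Hardened form: the SQL text is fixed; the value travels separately as a
    // bound parameter and is never parsed as SQL, whatever characters it contains.
    private static final String FIND_EMAIL_SQL =
            "SELECT id, email FROM users WHERE username = ?";

    static Optional<String> findEmail(Connection conn, String username) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(FIND_EMAIL_SQL)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString("email")) : Optional.empty();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: an ordinary name containing an apostrophe is enough to
        // break the concatenated query (unbalanced quote -> syntax error, or a changed
        // query if the rest of the input happens to parse), while the bound parameter
        // version simply matches the literal username.
        String input = "O'Brien";
        System.out.println("Concatenated SQL sent to the database:");
        System.out.println("  " + buildQueryUnsafe(input));
        System.out.println("Prepared SQL (value bound separately): " + FIND_EMAIL_SQL);
    }
}
```

The `main` method needs no database; it only prints the two statement texts so the structural difference is visible. Running `findEmailUnsafe` against a real connection with that input fails where `findEmail` succeeds.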

High-level resources for staying abreast of the Java security landscape