book

Iron-Clad Java

by Jim Manico, August Detlefsen

September 2014

Intermediate to advanced

304 pages

7h 7m

English

McGraw Hill Computing

Read now

Unlock full access

Cover
Title
Copyright Page
Contents
Dedication
Foreword
Acknowledgments
Introduction
1 Web Application Security Basics
What Is Untrusted Data?HTTP Security ConsiderationsHTTPSHTTP/S GET RequestHTTP/S POST RequestHTTP/S ResponseHTTP/S Response HeadersAnti-Patterns and WeaknessesBlacklist Input ValidationLack of Parameterized SQLUse of Weak or Incorrect CiphersSecurity Controls and Positive PatternsVerify Authentication and Authorization with Every RequestProtect Transactions with the Synchronizer Token PatternInput ValidationInput Validation Anti-Patterns: Blacklist Validation OnlyInput Validation Positive Patterns: WhitelistingInput Validation: Apache StrutsBasic Input Validation Considerations: Length of InputValidating Numerical InputValidating Open Text InputInput Validation Positive Patterns: URL ValidationWhere Do We Go from Here?
2 Authentication and Session Management
Registration of New UsersPreventing Automated RegistrationThe Basic Flow of the Login Process and Session ManagementLogin Workflow Step 1: Anonymous Session Created on First HitLogin Workflow Step 2: Starting HTTPS and Encryption in TransitLogin Workflow Step 3: Processing and Verifying CredentialsLogin Workflow Step 4: Start the User’s Authenticated SessionLogin Workflow Step 5: Do Cool ThingsLogin Workflow Step 6: Potential Re-Authentication for Sensitive OperationsLogin Workflow Step 7: Idle TimeoutLogin Workflow Step 8: Absolute TimeoutLogin Workflow Step 9: LogoutAttacks Against AuthenticationSession HijackingSession FixationSecure Cookie Properties for Session ManagementDangers of Storing Sensitive Data in CookiesCredential SecurityPassword PolicyPassword ManagersPassword Storage: Verify but Not RecoverForgot Password WorkflowUsername HarvestingBrute Force Attacks, Account Lockout, and Multi-Factor RevisitedRemember Me FeatureMulti-Factor AuthenticationSeed StorageWhere Do You Send the Token?Federated Identity and SAMLOAuth BasicsAdditional ReadingSummary

3 Access Control
Identity and Access ControlAttacks on Access ControlAccess Control Anti-Patterns and Design FlawsPositive Access Control PatternsRole-Based Access ControlRBAC Struggles: Data-Specific/Contextual Access ControlMultitenancy and Access ControlContextual Access ControlPermission-Based Access Control and Apache ShiroSpring Security 3.0 ACLsABAC Attribute-Based Access ControlRBAC vs. ABACSummary
4 Cross-Site Scripting Defense
Content SpoofingReflected XSSStored XSSDOM-Based XSSDefending Against XSSInput ValidationContextual Output EncodingHTML Validation and SanitizationSecure JSON PatternsjQuery and DOM XSSResourcesOutput EncodingHTML SanitizationJavaScript LibrariesSummary
5 Cross-Site Request Forgery Defense and Clickjacking
How Does CSRF Work?Other Real-World CSRF ExamplesStored CSRFCSRF Against Intranet Web ApplicationsCSRF Against Network Application Web Administration ConsoleUnauthenticated CSRF AttacksHow to Combat CSRFSynchronizer Token PatternUsing the Session ID as a CSRF TokenApache Tomcat 6+ Synchronizer Token Pattern ImplementationStateless CSRF DefenseDefending Against CSRF with the Challenge/Response PatternHTTP Request Referer Header VerificationPOST vs. GETXSS Defense and CSRF ProtectionClickjackingHow to Combat ClickjackingStop Your Site from Being Framed with FramebustingBreak Out of FramesSummary
6 Protecting Sensitive Data
Securing Data in TransitProtocol VersionsCipher SuitesCertificate VerificationTrust ManagersCertificate and Key ManagementCertificate PinningSecuring Data at RestEncryption and SigningSymmetric and Asymmetric CryptographyKeysetsKey Management in KeyczarEncryption and DecryptionSigning and VerifyingKey ManagementSecure Random NumbersSummary
7 SQL Injection and Other Injection Attacks
What Is SQL Injection?Other SQL Injection ExamplesQuery ParameterizationSQL Injection and Stored ProceduresDefense in DepthInput Validation and Type SafetyDAO Pattern and Access Control ConsiderationsSQL Injection and Object Relational MappingReducing the Impact of SQL InjectionOther Forms of InjectionXML and JSON-Based InjectionCommand InjectionDangerous Characters in InputSummary
8 Safe File Upload and File I/O
Anti-Patterns and Design FlawsDesign Flaw 1: File Path InjectionDesign Flaw 2: Null Byte InjectionDesign Flaw 3: Not Properly Closing ResourcesFile I/O SummaryFile Upload SecurityPatterns of AttackAttack 1: Upload of Dangerous ContentAttack 2: Ability to Overwrite Other FilesAttack 3: Quota Overload DoSProcessing Zip, Rar, and Other Archive FormatsPositive Pattern: Object Reference Maps and Storing Upload FilesSummaryResources
9 Logging, Error Handling, and Intrusion Detection
Logging BasicsWhat to LogSecurity-Related Log EventsWhat Not to LogLogging Frameworks for SecurityESAPI LoggingSecurity Logging Using LogbackSafe Error HandlingApp Layer Intrusion DetectionMonitoring and Intrusion DetectionDefending Against Automated AttacksOWASP AppSensorSummary
10 Secure Software Development Lifecycle
Averting Disaster Before It StartsAssetsMotivationsOutcomesTeam Roles for SecurityRole: Security and Software ArchitectRole: Project ManagerRole: DeveloperRole: QA TesterProfessional Security TesterSecurity Throughout the Application LifecycleSecurity in the Software Development LifecycleBusiness RequirementsTechnical Security Requirements for DevelopersImplement Security Controls as Code Is DevelopedTest That Security Controls Have Been Properly ImplementedHave Monitoring and Response/Recovery Plans in PlaceSummaryClosing Thoughts
A Resources
Intercepting ProxiesSecure Coding LibrariesAccess Control/AuthenticationXSS DefenseApplied CryptoStrong Crypto ProviderLogging and Intrusion DetectionWeb MiscDocumentationAwareness DocumentationOWASP Cheat SheetsStandardsAdditional Research
Index

Overview

Proven Methods for Building Secure Java-Based Web Applications

Develop, deploy, and maintain secure Java applications using the expert techniques and open source libraries described in this Oracle Press guide. Iron-Clad Java presents the processes required to build robust and secure applications from the start and explains how to eliminate existing security bugs. Best practices for authentication, access control, data protection, attack prevention, error handling, and much more are included. Using the practical advice and real-world examples provided in this authoritative resource, you'll gain valuable secure software engineering skills.

Establish secure authentication and session management processes
Implement a robust access control design for multi-tenant web applications
Defend against cross-site scripting, cross-site request forgery, and clickjacking
Protect sensitive data while it is stored or in transit
Prevent SQL injection and other injection attacks
Ensure safe file I/O and upload
Use effective logging, error handling, and intrusion detection methods
Follow a comprehensive secure software development lifecycle

"In this book, Jim Manico and August Detlefsen tackle security education from a technical perspective and bring their wealth of industry knowledge and experience to application designers. A significant amount of thought was given to include the most useful and relevant security content for designers to defend their applications. This is not a book about security theories, it’s the hard lessons learned from those who have been exploited, turned into actionable items for application designers, and condensed into print." —From the Foreword by Milton Smith, Oracle Senior Principal Security Product Manager, Java

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780071835886

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills