Java Security Flashcards
What are the different things to consider regarding security of a web application?
User Authentication and Authorization
Web Related Issues
External Interfaces
Infrastructure Related Security
What are the important factors to consider when exposing an application to Internet?
OWASP (Open Web Application Security Project) is normally a great starting point. Important factors to consider are:
Validation of user data : Ensure it is also validated in the Business Layer.
SQL Injection : Never build SQL queries using string concatenation. Use a Prepared Statement. Even better, use Spring JdbcTemplate or frameworks like Hibernate or iBatis to handle communication with the database.
XSS - Cross Site Scripting : Ensure you check input against a whitelist of allowed characters.
Avoid using old versions of software.
What are important security factors to consider in communicating with external interfaces?
Security for web services (over JMS or HTTP) has to be handled at two levels : Transport level and Application level.
For HTTP-based services, SSL is used to exchange certificates (HTTPS) to ensure transport-level security. This ensures that the server (service producer) and client (service consumer) are mutually authenticated. It is possible to use one-way SSL authentication as well.
For JMS based services, transport level security is implemented by controlling access to the Queues.
At the application level (for both JMS and HTTP based services), security is implemented by transferring encrypted information (digital signatures, for example) in the message header (HTTPS endpoints). This helps the server to authenticate the client and be confident that the message has not been tampered with.
What are the Best Practices regarding handling security for a web application?
Best practices are:
Threat Modelling : Do threat modelling and understand the various security threats posed to the application.
Static Security Analysis : Use a static security analysis tool like Fortify.
Educate Developers and Testers : Most important part. Developers and Testers should be aware of the latest security threats.
Dynamic Security Tests : Dynamic security tests done by a professional security testing team should be an important part of the release cycle. It is preferable to do this as early as possible.