Iron-Clad Java

Book Description

Proven Methods for Building Secure Java-Based Web Applications

Develop, deploy, and maintain secure Java applications using the expert techniques and open source libraries described in this Oracle Press guide. Iron-Clad Java presents the processes required to build robust and secure applications from the start and explains how to eliminate existing security bugs. Best practices for authentication, access control, data protection, attack prevention, error handling, and much more are included. Using the practical advice and real-world examples provided in this authoritative resource, you'll gain valuable secure software engineering skills.

  • Establish secure authentication and session management processes
  • Implement a robust access control design for multi-tenant web applications
  • Defend against cross-site scripting, cross-site request forgery, and clickjacking
  • Protect sensitive data while it is stored or in transit
  • Prevent SQL injection and other injection attacks
  • Ensure safe file I/O and upload
  • Use effective logging, error handling, and intrusion detection methods
  • Follow a comprehensive secure software development lifecycle

Table of Contents

  1. Cover
  2. Title
  3. Copyright Page
  4. Contents
  5. Dedication
  6. Acknowledgments
  7. Introduction
  8. 1 Web Application Security Basics
    1. What Is Untrusted Data?
    2. HTTP Security Considerations
      1. HTTPS
      2. HTTP/S GET Request
      3. HTTP/S POST Request
      4. HTTP/S Response
      5. HTTP/S Response Headers
    3. Anti-Patterns and Weaknesses
      1. Blacklist Input Validation
      2. Lack of Parameterized SQL
      3. Use of Weak or Incorrect Ciphers
    4. Security Controls and Positive Patterns
      1. Verify Authentication and Authorization with Every Request
      2. Protect Transactions with the Synchronizer Token Pattern
    5. Input Validation
      1. Input Validation Anti-Patterns: Blacklist Validation Only
      2. Input Validation Positive Patterns: Whitelisting
      3. Input Validation: Apache Struts
      4. Basic Input Validation Considerations: Length of Input
      5. Validating Numerical Input
      6. Validating Open Text Input
      7. Input Validation Positive Patterns: URL Validation
    6. Where Do We Go from Here?
  9. 2 Authentication and Session Management
    1. Registration of New Users
      1. Preventing Automated Registration
    2. The Basic Flow of the Login Process and Session Management
      1. Login Workflow Step 1: Anonymous Session Created on First Hit
      2. Login Workflow Step 2: Starting HTTPS and Encryption in Transit
      3. Login Workflow Step 3: Processing and Verifying Credentials
      4. Login Workflow Step 4: Start the User’s Authenticated Session
      5. Login Workflow Step 5: Do Cool Things
      6. Login Workflow Step 6: Potential Re-Authentication for Sensitive Operations
      7. Login Workflow Step 7: Idle Timeout
      8. Login Workflow Step 8: Absolute Timeout
      9. Login Workflow Step 9: Logout
    3. Attacks Against Authentication
      1. Session Hijacking
      2. Session Fixation
    4. Secure Cookie Properties for Session Management
      1. Dangers of Storing Sensitive Data in Cookies
    5. Credential Security
      1. Password Policy
      2. Password Managers
      3. Password Storage: Verify but Not Recover
      4. Forgot Password Workflow
    6. Username Harvesting
    7. Brute Force Attacks, Account Lockout, and Multi-Factor Revisited
    8. Remember Me Feature
    9. Multi-Factor Authentication
      1. Seed Storage
      2. Where Do You Send the Token?
    10. Federated Identity and SAML
    11. OAuth Basics
    12. Additional Reading
    13. Summary
  10. 3 Access Control
    1. Identity and Access Control
      1. Attacks on Access Control
      2. Access Control Anti-Patterns and Design Flaws
      3. Positive Access Control Patterns
      4. Role-Based Access Control
    2. RBAC Struggles: Data-Specific/Contextual Access Control
    3. Multitenancy and Access Control
    4. Contextual Access Control
      1. Permission-Based Access Control and Apache Shiro
    5. Spring Security 3.0 ACLs
    6. ABAC Attribute-Based Access Control
    7. RBAC vs. ABAC
    8. Summary
  11. 4 Cross-Site Scripting Defense
    1. Content Spoofing
      1. Reflected XSS
      2. Stored XSS
      3. DOM-Based XSS
    2. Defending Against XSS
      1. Input Validation
      2. Contextual Output Encoding
      3. HTML Validation and Sanitization
      4. Secure JSON Patterns
      5. jQuery and DOM XSS
    3. Resources
      1. Output Encoding
      2. HTML Sanitization
      3. JavaScript Libraries
    4. Summary
  12. 5 Cross-Site Request Forgery Defense and Clickjacking
    1. How Does CSRF Work?
      1. Other Real-World CSRF Examples
      2. Stored CSRF
      3. CSRF Against Intranet Web Applications
      4. CSRF Against Network Application Web Administration Console
      5. Unauthenticated CSRF Attacks
    2. How to Combat CSRF
      1. Synchronizer Token Pattern
      2. Using the Session ID as a CSRF Token
      3. Apache Tomcat 6+ Synchronizer Token Pattern Implementation
      4. Stateless CSRF Defense
      5. Defending Against CSRF with the Challenge/Response Pattern
      6. HTTP Request Referer Header Verification
      7. POST vs. GET
      8. XSS Defense and CSRF Protection
    3. Clickjacking
    4. How to Combat Clickjacking
      1. Stop Your Site from Being Framed with Framebusting
      2. Break Out of Frames
    5. Summary
  13. 6 Protecting Sensitive Data
    1. Securing Data in Transit
      1. Protocol Versions
      2. Cipher Suites
      3. Certificate Verification
      4. Trust Managers
      5. Certificate and Key Management
      6. Certificate Pinning
    2. Securing Data at Rest
      1. Encryption and Signing
      2. Symmetric and Asymmetric Cryptography
      3. Keysets
      4. Key Management in Keyczar
      5. Encryption and Decryption
      6. Signing and Verifying
      7. Key Management
    3. Secure Random Numbers
    4. Summary
  14. 7 SQL Injection and Other Injection Attacks
    1. What Is SQL Injection?
    2. Other SQL Injection Examples
    3. Query Parameterization
    4. SQL Injection and Stored Procedures
    5. Defense in Depth
    6. Input Validation and Type Safety
    7. DAO Pattern and Access Control Considerations
    8. SQL Injection and Object Relational Mapping
      1. Reducing the Impact of SQL Injection
    9. Other Forms of Injection
      1. XML and JSON-Based Injection
      2. Command Injection
    10. Dangerous Characters in Input
    11. Summary
  15. 8 Safe File Upload and File I/O
    1. Anti-Patterns and Design Flaws
      1. Design Flaw 1: File Path Injection
      2. Design Flaw 2: Null Byte Injection
      3. Design Flaw 3: Not Properly Closing Resources
      4. File I/O Summary
    2. File Upload Security
    3. Patterns of Attack
      1. Attack 1: Upload of Dangerous Content
      2. Attack 2: Ability to Overwrite Other Files
      3. Attack 3: Quota Overload DoS
      4. Processing Zip, Rar, and Other Archive Formats
      5. Positive Pattern: Object Reference Maps and Storing Upload Files
    4. Summary
    5. Resources
  16. 9 Logging, Error Handling, and Intrusion Detection
    1. Logging Basics
      1. What to Log
      2. Security-Related Log Events
      3. What Not to Log
    2. Logging Frameworks for Security
      1. ESAPI Logging
      2. Security Logging Using Logback
    3. Safe Error Handling
    4. App Layer Intrusion Detection
      1. Monitoring and Intrusion Detection
      2. Defending Against Automated Attacks
      3. OWASP AppSensor
    5. Summary
  17. 10 Secure Software Development Lifecycle
    1. Averting Disaster Before It Starts
      1. Assets
      2. Motivations
      3. Outcomes
    2. Team Roles for Security
      1. Role: Security and Software Architect
      2. Role: Project Manager
      3. Role: Developer
      4. Role: QA Tester
      5. Professional Security Tester
    3. Security Throughout the Application Lifecycle
    4. Security in the Software Development Lifecycle
      1. Business Requirements
      2. Technical Security Requirements for Developers
      3. Implement Security Controls as Code Is Developed
      4. Test That Security Controls Have Been Properly Implemented
      5. Have Monitoring and Response/Recovery Plans in Place
    5. Summary
    6. Closing Thoughts
  18. A Resources
    1. Intercepting Proxies
    2. Secure Coding Libraries
      1. Access Control/Authentication
      2. XSS Defense
      3. Applied Crypto
      4. Strong Crypto Provider
      5. Logging and Intrusion Detection
      6. Web Misc
    3. Documentation
      1. Awareness Documentation
      2. OWASP Cheat Sheets
      3. Standards
      4. Additional Research
  19. Index