Security is a top-priority item on everyone's checklist nowadays. In this post, I will introduce you to useful reference material that can help you get started with securing applications. I want to focus mainly on web applications built with Java-related technologies.
1. Authentication and Authorization
When it comes to security, the most fundamental concepts are authentication and authorization. Unless you have a strong reason not to, you should follow a widely accepted framework for this purpose. Java EE Authentication and Spring Security are available to help us out in this context. I have worked with Spring Security in the past, and it can be customized to suit your specific needs.
2. Security in the Web Layer
In our application stack, the web layer is the most exposed to attacks. We have many established standard practices and detection mechanisms to minimize these risks. The OWASP Top 10 list is a must-have checkpoint for security checks. The Open Web Application Security Project (OWASP) mission is to make software security visible so that individuals and organizations worldwide can make informed decisions about true software security risks.
3. API Security
With the rise of mobile applications and more capable browsers, exposing functionality through APIs is becoming more popular every day. We need to follow the same security practices as for the web layer: all API requests should be authenticated, and we should apply the principle of least privilege. I found the presentation by Greg Patton at AppSec EU15, titled The API Assessment Primer, to be a great start for API security validation. The two major points of his talk are:
Do not expose any operations that are not needed
Do not expose any data that is not required
Both are in line with the basic security principle of granting least privilege by default.
To authenticate the services, we can create a simple token-based API authentication mechanism based on OAuth2 standards. If the services expose any sensitive data, it is better to use HTTPS so that man-in-the-middle attacks can be avoided.
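As an added example (not code from the original post), here is a Spring Security 6 configuration that applies the two points above to a token-based API: every request must carry a valid OAuth2 bearer token, every request must arrive over HTTPS, and only the explicitly listed operations are reachable, with everything else denied by default. The endpoint paths (`/api/orders/**`) and scope names (`orders:read`, `orders:write`) are assumptions for illustration; the token issuer is configured separately via `spring.security.oauth2.resourceserver.jwt.issuer-uri`.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // The API is stateless and authenticated by a bearer token in the
            // Authorization header, not by a session cookie, so no HTTP session
            // is created and browser CSRF protection does not apply here.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            // Reject plain HTTP so tokens and data are never sent in the clear.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            // Least privilege: expose only the operations the clients need.
            // Paths and scopes below are hypothetical placeholders.
            // Spring maps the JWT "scope" claim to authorities prefixed "SCOPE_".
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/orders/**")
                    .hasAuthority("SCOPE_orders:read")
                .requestMatchers(HttpMethod.POST, "/api/orders/**")
                    .hasAuthority("SCOPE_orders:write")
                // Anything not listed above is not an intended operation: deny it.
                .anyRequest().denyAll())
            // Validate incoming OAuth2 bearer tokens as signed JWTs against the
            // issuer configured in application properties.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

A request without a token gets 401, a token lacking the required scope gets 403, and an unlisted path is refused even with a valid token, which is the "do not expose operations that are not needed" rule enforced in configuration rather than left to each controller.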
4. Validating the User Input
Other Useful Reference Materials