Øredev is just a couple of days away, and I was invited to give two presentations. One of them is about my favorite topic: Security and Java EE. It has two goals. First, it introduces the typical Java EE developer to the overall application security process and its main objectives. Second, it looks in detail at what Java EE has to offer when it comes to typical requirements. Those are two different things, and the first has been addressed before in my presentation about "Developer Security Awareness". This talk is meant to match today's security requirements with the features available in the platform as of the Java EE 7 release.
Securing Applications Isn't Just About Secure Code
All the common attacks we've known about for a very long time are still out there, and people still regularly make mistakes regarding them. If you want to write secure Java EE code and use the technology securely, you're on the right track. But there is a lot more to learn and know about securing your applications.
Application Security Needs A Holistic Approach
To build a secure Java EE application, a holistic approach to application security is required, and security must be applied at all layers and services. Let's start with the layer farthest away.
Secure applications rely on secure networks first. This includes everything from routers and switches to firewalls, including application-level firewalls. They need to be patched and correctly configured. Watch out for standard ports and passwords for admin consoles.
Next is the operating system layer. Every part of your application eventually runs on a separate host (application server, database, message brokers), so you will have to watch out for the latest patches and updates for all of them. Shared filesystems and possibly risky daemon processes are also something to watch out for.
Next, it is time to look at the platform services. This is where the JDK base install fits in, but also the application server. Check policy files and default passwords for remote connections and web-based admin consoles.
From Here On, Application Security Starts
When the infrastructure is taken care of, we can look into application security. It is typically divided into six components: Authentication, Authorization, Auditing, Confidentiality, Integrity, and Availability. All those components prevent your system from being exploited. A threat is a potential event that may affect your system. An attack exploits a vulnerability in your system, and that is ultimately what we want to prevent. Always adhere to the best practices for designing secure applications:
- Use least privilege
- Apply defense in depth
- Do not trust user input
- Fail securely
- Secure the weakest link
- Create secure defaults
- Reduce your attack surface
Get Started With Java EE Security
Watch the full talk on Vimeo to learn what Java EE has to offer around application security.