Application Security Recipes for Java/JEE: A Problem Solution Approach (Proven Security Guidelines for Java Based Application Development) 2015 [Paperback]

  • Format: Paperback / softback, 400 pages, height x width: 254x178 mm, biography
  • Publication date: 30-Dec-2015
  • Publisher: APress
  • ISBN-10: 1484208307
  • ISBN-13: 9781484208304
Application Security Recipes for JAVA/JEE: A Problem-Solution Approach teaches how to build a highly secure and hack-resistant system using JAVA technology. This book provides end-to-end application security secrets and solutions. It provides a simplified and easy-to-follow approach to implementing the core security requirements (confidentiality, integrity, availability, authentication, authorization and accountability). When you start a new application development cycle or are working on the security aspects of existing legacy applications, you can use the book as a catalog of 'Security Best Practices'. The book content is organized so that you feel you are working on system security at every phase of a software development life cycle (SDLC), in keeping with business requirements. The book starts with risk management terminology, because without a fundamental understanding of risk you may fail to define a secure system; it then moves to the following topics in the process: identify and capture security requirements, transform all the identified requirements into a secure design phase, and then validate the design with threat model concepts. Thereafter it gives a detailed presentation of the 'Java built-in Security Model', secure coding guidelines for Java, a presentation of various input injection attacks and web attacks, controlling injection attacks with input sanitization and output encoding, a detailed presentation of web services (SOAP/REST) security, and validation and verification of all the security controls with 'white-box' and 'black-box' testing. The book then covers how to apply cryptosystem best practices in application development, cloud security and Android security, an introduction to the OWASP TOP 10 Risks for 2014 and the OWASP TOP 10 Mobile Risks for 2014, and finally explores the Spring framework's built-in security module.

The highlights of the book are:
  • Input injection attacks & Web injection attacks
  • Threat modeling
  • SOAP and RESTful web services security
  • OAuth and SAML protocols
  • Android Security & Cloud Security

This book guides you step-by-step through topics using complete and real-world code examples. Instead of theoretical descriptions of complex concepts, you will find live examples in this book. When you start a new project, you can follow the recipes to define the end-to-end security aspects of a system.
Chapter 1: Introduction to Application Security
Chapter Goal: Fundamental aspects of application security, why the importance of application security is growing day by day, and the basic terminology required to understand application security aspects.
  • Application Security Importance
  • Understand Risk Management Terminology
  • Different Flavors of System Security
  • Is security just a Non-Functional Requirement?
  • Recent Noteworthy Hacking Incidents

Chapter 2: Capture Security Requirements
Chapter Goal: To develop a highly secure and hack-resilient system one must have thorough knowledge of end-to-end system security requirements. Different types of security requirements, how to capture security requirements, and sources for capturing these requirements. Classify the business data to define security requirements.
  • Data classification to define system security
  • Different types of security requirements
  • Sources for capturing Security Requirements
  • Traceability Matrix for security requirements

Chapter 3: Secure Software Design
Chapter Goal: Define secure design policies, securing commonly used architectures, design considerations for all captured security requirements. Threat modeling. Design process.
  • Secure Design Process
  • Secure commonly used architectures
  • Design for security requirements
  • Threat Modeling

Chapter 4: Data Validation
Chapter Goal: Data validation helps to build highly secure applications. Server-side validation is key to building a hack-resilient system. The various possible ways to bypass validation controls will be explained.
  • Validate Input from All Sources
  • How to Validate Input
  • Finding and confirming Input Validation Issues
  • Different ways to spot Input Validation Issues

Chapter 5: Data Validation Best Practices
Chapter Goal: User input should be validated both at the client side and the server side. Input validation best practices and output encoding best practices will be explained. Java APIs for input validation and output encoding will be introduced.
  • Blacklisting vs Whitelisting
  • Normalize Input
  • Canonicalize Input
  • Sanitize data sent to other Systems
  • Output Encoding
  • Character Encoding

Chapter 6: Implementing Security Requirements
Chapter Goal: How to implement core security requirements with JAVA, OWASP top 10, OWASP mobile top 10, defensive coding practices, anti-tampering techniques (e.g. code signing, obfuscation), source code and versioning.
  • Implementing core security requirements

Chapter 7: Input Injection Attacks
Chapter Goal: Various input injection attacks will be explained with a simplified and easy-to-follow approach: vulnerable usage scenarios and secure usage scenarios for a given attack.
  • SQL Injection
  • Stored Procedure Injection
  • ORM Injection - Hibernate
  • ORM Injection - JPA
  • LDAP Injection
  • Command Injection
  • Directory Traversal
  • Parameter Manipulation
  • File Inclusion
  • Log Forging
  • Format-String Vulnerability
  • XML Injection
  • XPath Injection
  • XQuery Injection
  • XSLT Injection
  • XML Entity Expansion Injection
  • XML External Entity Injection
  • SOAP Injection

Chapter 8: Web Security
Chapter Goal: How client-side controls, authentication and session management controls are attacked. Various ways to break web applications will be explained.
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF, XSRF)
  • Cross-Site Script Inclusion (XSSI)
  • Header Injection (Response Splitting)
  • Open Redirection
  • Referer Leakage
  • Mixed Content
  • Cache poisoning
  • Clickjacking
  • Content and character set sniffing
  • Cookie forcing (or cookie injection)
  • Framebusting
  • HTTP downgrade

Chapter 9: Web Services Security
Chapter Goal: End-to-end web services security will be explained. Common web service attacks. Importance of OAuth, SAML and SSO.
  • SOAP Security
  • REST Security
  • OAuth
  • SAML
  • Single Sign On

Chapter 10: Security Testing
Chapter Goal: Verification and validation of a hack-resilient system is a very important step before moving to production, so various ways to certify the product will be explained.
  • Security Testing (e.g., white box and black box)
  • Attack Surface Validation
  • Types of Testing - Penetration, Scanning (e.g., vulnerability, content, privacy), Cryptographic validation (e.g., PRNG)

Chapter 11: Threat Modeling
Chapter Goal: Steps to decompose an application architecture to discover vulnerabilities. How to identify and document threats that are relevant to your application.
  • Strategies for Threat Modeling
  • STRIDE
  • Processing and Managing Threats
  • Threat Modeling Tools

Chapter 12: Cryptography
Chapter Goal: The application and use of cryptography, the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance), key management processes, non-repudiation and Public Key Infrastructure (PKI).
  • Explain Cryptography
  • Understand Cryptographic Keys Management
  • Symmetric Cryptography
  • Asymmetric Cryptography
  • PKI (Public Key Infrastructure)
  • Hashing

Chapter 13: Java Security
Chapter Goal: Java built-in security features will be explained.
  • Class Loaders
  • Bytecode Verification
  • Security Managers and Permissions
  • User Authentication
  • Digital Signatures
  • Code Signing

Chapter 14: Java Coding Practices
Chapter Goal: Java API level security coding practices will be explained.
  • Denial of Service
  • Confidential Information
  • Injection and Inclusion
  • Accessibility and Extensibility
  • Mutability
  • Object Construction
  • Serialization and Deserialization
  • Access Control
  • Threads

Chapter 15: Android Security
Chapter Goal: Understand the Android security model. Finding vulnerabilities in Android applications.
  • Android Architecture And Security Model
  • Android Application Pen testing and Exploitation
  • Android's Attack Surface
  • Finding Vulnerabilities with Fuzz Testing
  • Debugging and Analyzing Vulnerabilities
  • Android Device And Data Security

Chapter 16: Cloud Security
Chapter Goal: Basics of cloud security, data security, compliance and legal issues with the cloud.
  • Security Challenges in the Cloud
  • Infrastructure Security in the Cloud
  • Policy and Governance for Cloud Computing
  • Compliance and Legal Considerations
  • Data Security in the Cloud

Chapter 16: Spring Security
Chapter Goal: The Spring framework security module will be explained.
  • Introducing Spring Security
  • Securing web applications using servlet filters
  • Authentication against databases and LDAP
  • Transparently securing method invocations

Appendix 1: Input validation Rules
Appendix 2: Secure Design Check List - Authentication & Password Management
Appendix 3: Secure Design Check List - Session Management
Appendix 4: Secure Design Check List - Access Control, Error Handling, Logging
Appendix 5: Security assessment tools