Application security is very important. Here, let's look at various ways to implement it.
- Input data validation
- Guarding against XSS attacks
- Guarding against CSRF attacks
- Preventing SQL Injection attacks
- Protecting the file system
- Protecting session data
- Proper error handling
- Guarding included files
Details here: 8-practices-to-secure-your-web-app
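As an added example (not code from the original page or from the linked article), the class below shows four of the practices in the list above in plain Java with no external dependencies: HTML output encoding against XSS, a parameterized query against SQL injection, path containment to protect the file system, and error handling that logs details server-side while returning only an opaque reference to the client. The class name, the `users` table, and the `/var/app/docs` base directory are all constructed for the illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical helpers illustrating four of the practices listed above. */
public final class WebAppHardening {

    private static final Logger LOG = Logger.getLogger(WebAppHardening.class.getName());

    /** XSS: encode untrusted text before placing it in an HTML body or attribute. */
    public static String htmlEncode(String untrusted) {
        StringBuilder out = new StringBuilder(untrusted.length());
        for (char c : untrusted.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** SQL injection: bind the value as a parameter; never concatenate it into the query text. */
    public static PreparedStatement findUserByEmail(Connection conn, String email) throws SQLException {
        // Constructed table/column names; the driver sends the value separately from the SQL text.
        PreparedStatement ps = conn.prepareStatement("SELECT id, name FROM users WHERE email = ?");
        ps.setString(1, email);
        return ps;
    }

    /** File system: resolve the requested name under the base directory and refuse anything that escapes it. */
    public static Path safeResolve(Path baseDir, String requestedName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(requestedName).normalize();
        // Path.startsWith compares whole path components, so "/var/app/docs2" does not pass for "/var/app/docs".
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes the allowed directory");
        }
        return target;
    }

    /** Error handling: log the full detail server-side; the client only sees an opaque reference. */
    public static String reportError(Exception e) {
        String ref = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "request failed, ref=" + ref, e);
        return "An error occurred. Reference: " + ref;
    }

    public static void main(String[] args) {
        System.out.println(htmlEncode("<script>alert(1)</script>"));

        Path docs = Paths.get("/var/app/docs");  // constructed base directory
        System.out.println(safeResolve(docs, "report.pdf"));
        try {
            safeResolve(docs, "../../etc/passwd");  // traversal attempt is rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        System.out.println(reportError(new IOException("database connection refused")));
    }
}
```

`findUserByEmail` is not invoked from `main` because it needs a live JDBC connection; it compiles against the JDK's `java.sql` package and shows the shape of the call. The stack trace and original exception message stay in the server log, keyed by the reference that is returned to the user.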
2. Open Web Application Security Project
OWASP cheat sheet – https://cheatsheetseries.owasp.org/
3. Package your application in a container, check for vulnerabilities
Details here: 5-best-practices-for-securing-your-applications
4. Application Security For Java developers
1. Authentication and Authorization
The most fundamental concepts of security are Authentication and Authorization.
Use a widely accepted framework for this purpose.
Java EE 5 Tutorial from Oracle – https://docs.oracle.com/javaee/5/tutorial/doc/bnbwk.html
Spring Security Framework – https://spring.io/projects/spring-security
2. Web Layer and API Security
- The web layer of any application is the most vulnerable to attacks. There are many established standard practices and detection mechanisms to minimize these risks.
– The OWASP Top 10 list is a must-have checkpoint for security checks.
– The Open Web Application Security Project (OWASP) mission is to make software security visible, so that decisions can be made about true software security risks.
– Secure your web application – Oracle tips as part of the Java EE tutorial
- All API requests should be authenticated, and the principle of least privilege should apply (grant the least privilege by default).
Watch this YouTube video for a great start for API security validations. – https://www.youtube.com/watch?v=oPrrFNEasgE
The two major points it focuses on are:
– Do not expose any operations that are not needed
– Do not expose any data that is not required
To authenticate the services, you can create a simple token-based API authentication mechanism based on the OAuth2 standard.
If the services expose any sensitive data, use HTTPS so that the data is encrypted in transit and man-in-the-middle attacks are prevented.
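The token-based authentication and least-privilege check described above, as an added example that is not part of the original page and is not a full OAuth2 server: an in-memory bearer-token store that issues random opaque tokens carrying only the scopes a client asks for, authenticates an `Authorization: Bearer` header, and authorizes each operation against the scope it requires. The class, the `orders:read` / `orders:write` scope names and the `reporting-service` client are constructed for the illustration; it assumes Java 17 or newer for `HexFormat` and records.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;
import java.util.Set;

/** Hypothetical bearer-token store and authorization check (illustration, not an OAuth2 server). */
public final class ApiTokenAuth {

    /** What a token may do: the client it belongs to, its scopes, and when it expires. */
    public record Grant(String clientId, Set<String> scopes, Instant expiresAt) {}

    private final SecureRandom random = new SecureRandom();
    // Keyed by the SHA-256 of the token, so a leaked store does not yield usable tokens.
    private final Map<String, Grant> grantsByTokenHash = new HashMap<>();

    /** Issue a random opaque token carrying only the requested scopes (least privilege: nothing by default). */
    public String issue(String clientId, Set<String> scopes, long ttlSeconds) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Grant grant = new Grant(clientId, Set.copyOf(scopes), Instant.now().plusSeconds(ttlSeconds));
        grantsByTokenHash.put(sha256(token), grant);
        return token;
    }

    /** Authentication: returns the grant for a valid, unexpired "Bearer ..." header value, or null. */
    public Grant authenticate(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) return null;
        String token = authorizationHeader.substring("Bearer ".length()).trim();
        Grant g = grantsByTokenHash.get(sha256(token));
        if (g == null || Instant.now().isAfter(g.expiresAt())) return null;
        return g;
    }

    /** Authorization: the operation is allowed only if the grant carries the scope it needs. */
    public boolean authorize(Grant grant, String requiredScope) {
        return grant != null && grant.scopes().contains(requiredScope);
    }

    private static String sha256(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);  // SHA-256 is mandatory in every JDK
        }
    }

    public static void main(String[] args) {
        ApiTokenAuth auth = new ApiTokenAuth();
        // Constructed scenario: a reporting client only ever needs to read orders, so that is all it gets.
        String token = auth.issue("reporting-service", Set.of("orders:read"), 3600);

        Grant g = auth.authenticate("Bearer " + token);
        System.out.println("GET  /orders  -> " + (auth.authorize(g, "orders:read")  ? "200" : "403"));
        System.out.println("POST /orders  -> " + (auth.authorize(g, "orders:write") ? "200" : "403"));
        System.out.println("no token      -> " + (auth.authenticate(null) == null ? "401" : "200"));
        System.out.println("bad token     -> " + (auth.authenticate("Bearer not-a-real-token") == null ? "401" : "200"));
    }
}
```

The two points from the video are visible in the design: an operation that has no scope cannot be reached at all (nothing is exposed that is not needed), and the reporting client cannot write even though it is a trusted, authenticated caller. Tokens are only meaningful when they travel over HTTPS, since a bearer token sent in clear text is usable by whoever observes it.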
3. Validating the User Input
Any input validation performed on the client MUST also be performed on the server.
Go through the OWASP and WASC checklist to identify the potential validations you need to do in your application.
OWASP – https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
WASC – http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling
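As an added example of the server-side validation this section calls for (not code from the original page or from either checklist), the validator below takes a raw form submission as strings, applies allow-list rules describing exactly what each field may contain, converts the numeric field safely, and either returns a typed object or a list of every failure. It runs regardless of what the browser already checked. The class, field names and limits are constructed; it assumes Java 16 or newer for records.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/** Hypothetical server-side validator for a registration form. */
public final class RegistrationValidator {

    // Allow-list patterns: state what is accepted rather than trying to block "bad" characters.
    // Matcher.matches() requires the whole input to match, so no anchors are needed.
    private static final Pattern USERNAME = Pattern.compile("[a-z][a-z0-9_]{2,31}");
    private static final Pattern EMAIL = Pattern.compile("[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}");
    private static final int MAX_DISPLAY_NAME = 64;

    /** The validated, typed result; only produced when every rule passed. */
    public record Registration(String username, String email, String displayName, int age) {}

    /** Outcome of validating one submission: either a Registration or the list of failures. */
    public record Result(Registration value, List<String> errors) {
        public boolean ok() { return errors.isEmpty(); }
    }

    public static Result validate(Map<String, String> form) {
        List<String> errors = new ArrayList<>();

        String username = form.getOrDefault("username", "").trim();
        if (!USERNAME.matcher(username).matches()) {
            errors.add("username: 3-32 lowercase letters, digits or '_', starting with a letter");
        }

        String email = form.getOrDefault("email", "").trim();
        if (email.length() > 254 || !EMAIL.matcher(email).matches()) {
            errors.add("email: not a valid address");
        }

        String displayName = form.getOrDefault("displayName", "").trim();
        if (displayName.isEmpty() || displayName.length() > MAX_DISPLAY_NAME) {
            errors.add("displayName: required, at most " + MAX_DISPLAY_NAME + " characters");
        } else if (displayName.chars().anyMatch(Character::isISOControl)) {
            errors.add("displayName: control characters are not allowed");
        }

        // Type conversion is part of validation: a non-numeric value is a failure, not an exception for the caller.
        int age = -1;
        try {
            age = Integer.parseInt(form.getOrDefault("age", "").trim());
            if (age < 13 || age > 130) errors.add("age: must be between 13 and 130");
        } catch (NumberFormatException e) {
            errors.add("age: must be a whole number");
        }

        if (!errors.isEmpty()) return new Result(null, errors);
        return new Result(new Registration(username, email, displayName, age), errors);
    }

    public static void main(String[] args) {
        // Constructed submissions: one a browser form would send, one crafted to bypass client-side checks.
        Result good = validate(Map.of("username", "alice_01", "email", "alice@example.com",
                "displayName", "Alice", "age", "34"));
        System.out.println("good -> ok=" + good.ok() + " " + good.value());

        Result bad = validate(Map.of("username", "Alice<script>", "email", "not-an-email",
                "displayName", "x".repeat(200), "age", "abc"));
        System.out.println("bad  -> ok=" + bad.ok() + " " + bad.errors());
    }
}
```

Collecting every failure instead of stopping at the first one lets the server return one complete error response, and because the output is a typed `Registration`, downstream code never handles the raw strings again.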
Other Useful Reference Materials