Application security is a core requirement for any system that is exposed to users or to other services. This page collects practical ways to build it in.

1. A few habits that protect a web application from the most common attacks:
  • Validate all input data on the server, not only in the browser
  • Guard against XSS attacks by encoding untrusted data for the context it is rendered in
  • Guard against CSRF attacks with per-session anti-forgery tokens on state-changing requests
  • Prevent SQL injection by using parameterized queries rather than string concatenation
  • Protect the file system: never build paths from untrusted input, and run with minimal permissions
  • Protect session data: server-side storage, unpredictable identifiers, Secure and HttpOnly cookies
  • Handle errors properly: log details server-side, show users a generic message
  • Guard included files: include only from a fixed allowlist, never from a user-controlled name

Details here: 8-practices-to-secure-your-web-app
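The first four habits are easiest to see as a vulnerable snippet beside its hardened form. The block below is an added example, not code from the original page or from the linked article. It is written in Python so that it runs offline with only the standard library; the pattern is the same in Java (PreparedStatement for the query, an output-encoding library for the HTML, a random per-session token compared in constant time for CSRF). The `users` table, its two rows, the session dictionary and the attack payloads are all constructed for the demonstration.

```python
"""Added example: SQL injection, XSS and CSRF defences beside the vulnerable form.

Not code from the original page. Standard library only; the users table,
its rows and the attack payloads below are constructed for the demonstration.
"""
import html
import hmac
import secrets
import sqlite3


def make_db():
    """In-memory database with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Deliberately vulnerable: untrusted input is spliced into the SQL text,
    so a quote in `name` changes the structure of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver binds `name` as a value, so it can
    never be parsed as SQL (Java equivalent: PreparedStatement.setString)."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(display_name):
    """Encode untrusted text for an HTML body context before concatenation.
    Encoding is context-specific: this is right for element content and
    quoted attribute values, not for JavaScript or URL contexts."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


def issue_csrf_token(session):
    """Store a fresh unpredictable token in the server-side session and
    return it for embedding as a hidden form field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session, submitted):
    """Accept a state-changing request only if the submitted token matches
    the session copy. compare_digest keeps the comparison constant-time."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"                   # constructed injection payload
    print(find_user_vulnerable(db, payload))  # every row leaks
    print(find_user_safe(db, payload))        # empty: the payload is just a string
    print(render_greeting("<script>alert(1)</script>"))
    sess = {}
    tok = issue_csrf_token(sess)
    print(verify_csrf_token(sess, tok), verify_csrf_token(sess, tok + "x"))
```

Run it and compare the two query results: the vulnerable function returns both rows for the payload because the quote closed the string literal and `OR '1'='1'` became part of the WHERE clause, while the parameterized version returns nothing because the whole payload was compared as a literal name.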

2. Open Web Application Security Project (OWASP)
OWASP Cheat Sheet Series – https://cheatsheetseries.owasp.org/

3. Package your application in a container and scan the image for known vulnerabilities (base image packages as well as application dependencies) before it ships.

Details here: 5-best-practices-for-securing-your-applications

4. Application Security For Java developers

1. Authentication and Authorization

The most fundamental security concepts are authentication (establishing who the caller is) and authorization (deciding what that caller may do).
Use a widely adopted framework for both rather than writing your own.

Java EE 5 Tutorial from Oracle – https://docs.oracle.com/javaee/5/tutorial/doc/bnbwk.html
Spring Security Framework – https://spring.io/projects/spring-security

2. Web Layer and API Security

  • The web layer of an application is the part most exposed to attack, and there are well-established practices and detection mechanisms to reduce the risk:
    – The OWASP Top 10 is a mandatory checkpoint in any security review.
    – OWASP's mission is to make software security visible, so that individuals and organizations can make informed decisions about real software security risks.
    – Secure your web application: the Oracle tips in the Java EE tutorial.

API Security

  • Every API request must be authenticated, and authorization should follow the principle of least privilege: deny by default and grant only what the caller needs.
    This YouTube video is a good starting point for API security validations – https://www.youtube.com/watch?v=oPrrFNEasgE
    Its two main points are:
    – Do not expose any operations that are not needed
    – Do not expose any data that is not required

To authenticate service-to-service calls, a token-based mechanism built on the OAuth 2.0 standard is a sound choice.
If a service handles any sensitive data, serve it only over HTTPS: TLS encrypts and authenticates the transport, which defeats eavesdropping and man-in-the-middle attacks, provided the client validates the server certificate.
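The following added example (not code from the original page or from any framework it links to) shows the two API rules above in working form: every request is authenticated by checking a signed bearer token, and authorization is deny-by-default, with the token carrying only the scopes it was issued. It is in Python with the standard library so it runs offline. The token layout (base64url JSON payload plus HMAC-SHA256 tag), the scope names and the hard-coded key are constructed for the demonstration; in production the key comes from a secret store and the token would usually be a JWT issued by an OAuth 2.0 authorization server.

```python
"""Added example: authenticate every API request with a signed bearer token
and authorize with least privilege (deny by default, exact scope required).

Not code from the original page. Token format, scope names and key are
constructed for the demonstration.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumption: in a real service this 256-bit key is loaded from a secret store.
SECRET_KEY = b"constructed-demo-key-32-bytes-long!!"


def b64url(data: bytes) -> str:
    """base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, ttl_seconds, now=None):
    """Mint a token for `subject` carrying only the listed scopes, valid for
    `ttl_seconds`. `now` is injectable so expiry can be tested."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scope": sorted(scopes), "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(tag)


def verify_token(token, now=None):
    """Return the claims if the tag is valid and the token is unexpired,
    else None. The tag is checked (in constant time) before anything in the
    payload is trusted or even parsed."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = unb64url(payload_b64), unb64url(tag_b64)
    except (ValueError, binascii.Error, AttributeError):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def authorize(token, required_scope, now=None):
    """Deny by default: the request proceeds only with a valid token whose
    scope list contains exactly the operation being invoked."""
    claims = verify_token(token, now)
    return claims is not None and required_scope in claims.get("scope", [])


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("reporting-service", ["reports:read"], ttl_seconds=3600, now=t0)
    print(authorize(tok, "reports:read", now=t0 + 60))    # granted
    print(authorize(tok, "reports:write", now=t0 + 60))   # denied: scope not issued
    print(authorize(tok, "reports:read", now=t0 + 3601))  # denied: expired
```

The order inside `verify_token` is the part worth copying: the MAC is verified before the payload is parsed, so malformed or attacker-controlled JSON never reaches the parser, and `compare_digest` prevents a byte-by-byte timing oracle on the tag.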

3. Validating the User Input

Any JavaScript input validation performed in the browser can be bypassed by an attacker who disables JavaScript or edits the request in a web proxy.
Every check performed on the client MUST therefore be repeated on the server; client-side validation exists for usability, not for security.
Go through the OWASP and WASC checklists to identify the validations your application needs.
OWASP – https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
WASC – http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling
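As an added example of the server-side validation the section calls for (not code from the original page or from the OWASP or WASC checklists), the block below validates three request fields by allowlist and returns either the canonical value or None, so the caller rejects bad input instead of trying to repair it. It is in Python with the standard library so it runs offline. The three fields (a username, a quantity, a post-login redirect path) and their rules are constructed for the demonstration; real rules come from your own data model.

```python
"""Added example: server-side input validation by allowlist.

Not code from the original page. The fields and rules are constructed for
the demonstration. Each function returns the canonical value or None.
"""
import re
import unicodedata
from urllib.parse import unquote, urlsplit

# Allowlist, not denylist: a letter followed by 2-31 lowercase letters, digits
# or underscores. fullmatch() is used instead of `^...$` because `$` also
# matches just before a trailing newline.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(raw):
    """Canonicalize first (NFKC folds fullwidth and other compatibility
    forms), then allowlist. Whitespace is not stripped: 'alice\\n' fails."""
    if not isinstance(raw, str):
        return None
    value = unicodedata.normalize("NFKC", raw)
    return value if USERNAME_RE.fullmatch(value) else None


def validate_quantity(raw, lo=1, hi=100):
    """Integer in [lo, hi]. The regex runs before int() so '1e3', ' 5', '+5'
    and non-ASCII digits (all of which int() may accept) are rejected."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,3}", raw):
        return None
    value = int(raw)
    return value if lo <= value <= hi else None


def validate_redirect_path(raw):
    """Open-redirect defence: accept only a same-site absolute path. Checks
    run on the percent-decoded value so '%2F%2Fevil.example' cannot slip
    through as a protocol-relative URL."""
    if not isinstance(raw, str) or len(raw) > 2048:
        return None
    decoded = unquote(raw)
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        return None  # control characters never belong in a redirect target
    try:
        parts = urlsplit(decoded)
    except ValueError:
        return None
    if parts.scheme or parts.netloc:
        return None
    path = parts.path
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return None
    if any(seg in ("..", ".") for seg in path.split("/")):
        return None  # dot segments could walk out of the intended tree
    return path  # query string and fragment are deliberately dropped


if __name__ == "__main__":
    for raw in ["alice_01", "\uff41lice", "Alice", "alice\n", "'; DROP TABLE users;--"]:
        print(repr(raw), "->", validate_username(raw))
    for raw in ["7", "100", "101", "1e3", "\u0663"]:
        print(repr(raw), "->", validate_quantity(raw))
    for raw in ["/account", "//evil.example/", "%2F%2Fevil.example",
                "/%2e%2e/admin", "https://evil.example/", "/a/b?next=1"]:
        print(repr(raw), "->", validate_redirect_path(raw))
```

Two details are deliberate. Normalization happens before the allowlist check, so a fullwidth letter is either folded to its ASCII form or rejected, never stored as a look-alike. And the redirect check decodes first, then inspects structure, because a check that runs on the still-encoded string is what lets `%2F%2F` pass as a harmless path.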

Other Useful Reference Materials

1. Java EE Security (Oracle)