
Secure Java Coding Practices

A quick snapshot of threats, vulnerabilities, attacks and defenses.


This post focuses on secure Java coding practices for the following vulnerability classes:
  1. Unvalidated input
  2. Cross-Site Scripting (XSS)
  3. SQL injection flaws
  4. Improper error handling

Unvalidated Inputs

An attacker can change any value submitted to the web server: form fields, hidden fields, query parameters, cookies and headers. Client-side (JavaScript) validation is only a usability aid and must be assumed bypassed.
Re-validate every input on the server, against an allowlist of the expected type, length, range and format, before it is used.
Take only the fields the server actually needs from a form submission; ignore extra or unexpected parameters rather than binding them to a model object.
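Server-side re-validation of a form submission, as an added example that is not part of the original post. The field names, limits and regular expressions are assumptions for illustration; the `Map<String, String[]>` shape mirrors what `HttpServletRequest.getParameterMap()` returns, and the code assumes Java 16 or later for the record type.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

// Added example (not from the original post): allowlist validation of the three
// fields a registration handler needs, ignoring everything else in the request.
public final class RegistrationValidator {

    // Allowlist patterns: define what is acceptable instead of trying to block bad input.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,20}$");
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\\.[A-Za-z]{2,24}$");
    private static final int MIN_AGE = 13;   // assumed business limits
    private static final int MAX_AGE = 120;

    public record Registration(String username, String email, int age) {}

    /** Returns the validated record, or empty if any required field is missing or invalid. */
    public static Optional<Registration> validate(Map<String, String[]> params) {
        // Pull only the fields this handler needs. A tampered extra parameter such as
        // "role=admin" is never read, so it cannot reach the model.
        String username = single(params, "username");
        String email = single(params, "email");
        String ageText = single(params, "age");
        if (username == null || email == null || ageText == null) {
            return Optional.empty();
        }

        // Cheap length checks first, then the allowlist patterns.
        if (username.length() > 20 || email.length() > 254 || ageText.length() > 3) {
            return Optional.empty();
        }
        if (!USERNAME.matcher(username).matches() || !EMAIL.matcher(email).matches()) {
            return Optional.empty();
        }

        int age;
        try {
            age = Integer.parseInt(ageText);
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        if (age < MIN_AGE || age > MAX_AGE) {
            return Optional.empty();
        }
        return Optional.of(new Registration(username, email, age));
    }

    // Exactly one value per parameter; duplicated parameters (parameter pollution) are rejected.
    private static String single(Map<String, String[]> params, String name) {
        String[] values = params.get(name);
        if (values == null || values.length != 1) {
            return null;
        }
        return values[0].trim();
    }

    public static void main(String[] args) {
        // Constructed sample request: the client-side check on "age" was bypassed and
        // an extra "role" parameter was added.
        Map<String, String[]> tampered = Map.of(
            "username", new String[] {"alice"},
            "email", new String[] {"alice@example.com"},
            "age", new String[] {"-1"},
            "role", new String[] {"admin"});
        // Rejected on the server: age is outside the allowed range.
        System.out.println("tampered accepted? " + validate(tampered).isPresent());

        Map<String, String[]> normal = Map.of(
            "username", new String[] {"alice"},
            "email", new String[] {"alice@example.com"},
            "age", new String[] {"30"},
            "role", new String[] {"admin"});
        // Accepted, and the "role" parameter is simply absent from the result.
        System.out.println(validate(normal).map(Registration::toString).orElse("rejected"));
    }
}
```

The same pattern applies to every entry point, not only HTML forms: JSON bodies, path variables and headers are equally attacker-controlled, and a framework's automatic data binding should be restricted to the fields you validate here.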

Cross Site Scripting (XSS)

Attacker
Injects script or HTML markup into input data that the application later writes into a page served to other users
Hides the payload behind alternate encodings (Unicode escapes, HTML entities, URL encoding, mixed case) so that blocklist filters do not recognise it

Counter measures
Input validation (canonicalize / decode first, then validate against an allowlist)
Input length check
Output encoding for the context where the data is written (HTML body, attribute, JavaScript, URL); this is the primary defense, since validation and length limits alone do not stop a short payload
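A vulnerable and a hardened way of rendering the same user-supplied value, as an added example that is not from the original post. The encoder is a minimal one written for this example; in real code use the OWASP Java Encoder (`Encode.forHtml`) or a template engine with contextual auto-escaping. The payload and the 30-character limit are constructed for the demonstration.

```java
// Added example (not from the original post): the same greeting rendered with raw
// concatenation and with HTML output encoding.
public final class XssExample {

    // VULNERABLE: user data is concatenated straight into HTML, so markup in the
    // value becomes markup in the page.
    static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "!</p>";
    }

    // HARDENED: same page, but the value is entity-encoded for the HTML body context,
    // so the browser shows it as text regardless of what characters it contains.
    static String renderSafe(String name) {
        return "<p>Hello, " + encodeForHtml(name) + "!</p>";
    }

    // Minimal encoder for the HTML body / quoted attribute context: the five characters
    // that can change HTML structure are replaced by entities. Everything else passes
    // through unchanged, which is what makes the approach independent of how the
    // attacker obfuscated the input.
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // A length check on its own: it limits how much an attacker can type, not what.
    static boolean withinLength(String s, int max) {
        return s.length() <= max;
    }

    public static void main(String[] args) {
        // Constructed sample input: 21 characters, no "script" substring, valid-looking name length.
        String payload = "<svg onload=alert(1)>";
        System.out.println("passes 30-char limit: " + withinLength(payload, 30));
        // In a browser the first output runs the onload handler; the second renders as literal text.
        System.out.println(renderUnsafe(payload));
        System.out.println(renderSafe(payload));
    }
}
```

Encoding has to match the output context: a value written inside a `<script>` block or a URL needs a different encoder than one written into the HTML body, and applying the HTML encoder to a JavaScript string context still leaves an injection.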

SQL Injection


Attacker
Can execute system commands where the database exposes them (for example through administrative stored procedures)
Can append or alter SQL statements
Can override access checks built into a WHERE clause

Examples
Append more statements: "; select * from users;"
Override an access check: "' OR 1=1;" (with a trailing comment such as "--" to discard the rest of the original statement)

Counter Measures
Use prepared statements (parameterized queries) for every statement that includes user data; never build SQL text by string concatenation
Run the application's database account with the least privilege it needs (no DDL, no administrative procedures, read-only where possible)
Filter / validate the input as a second layer, not as the only defense
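The same login lookup written both ways, as an added example that is not code from the original post. It assumes an H2 in-memory database and driver on the classpath (`jdbc:h2:mem:demo`), and the table, rows and injected value are constructed for the demonstration; the `password` argument stands in for the hash a real application would compare.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example (not from the original post): string concatenation versus a
// prepared statement for a login check.
public final class LoginDao {

    // VULNERABLE: user-controlled values become part of the SQL text.
    // With username = "' OR 1=1 --" the WHERE clause becomes a tautology and the
    // "--" comments out the password comparison.
    static boolean loginUnsafe(Connection c, String username, String password) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = '" + username
                   + "' AND password_hash = '" + password + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // HARDENED: the SQL text is fixed at compile time; values are bound as parameters
    // and cannot change the statement's structure, whatever characters they contain.
    static boolean loginSafe(Connection c, String username, String password) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed H2 in-memory database; schema and row are constructed for this demo.
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, username VARCHAR(50), password_hash VARCHAR(100))");
                st.execute("INSERT INTO users VALUES (1, 'alice', 'not-a-real-hash')");
            }
            String injected = "' OR 1=1 --";
            // The tautology matches every row, so the unsafe check succeeds without a valid password.
            System.out.println("unsafe login: " + loginUnsafe(c, injected, "wrong"));
            // Bound as data, the string is just a username that does not exist.
            System.out.println("safe login:   " + loginSafe(c, injected, "wrong"));
        }
    }
}
```

Prepared statements protect the values; they do not help when user input selects a table or column name or an `ORDER BY` field. For those, map the input to an allowlist of known identifiers in code. Pair the query-level fix with a database account that can only `SELECT` and `UPDATE` the tables the application needs, so that an injection that does slip through cannot drop tables or reach administrative procedures.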


Improper Error Handling

Attacker
Learns system information (framework and library versions, file paths, class and method names)
Learns database information (table and column names, driver and SQL text from error messages)

Examples
Stack traces (or thread dumps) rendered in the HTTP response
Database error messages or dumps returned to the client

Counter Measures
Sanitize the error message shown to the user: a generic message plus a correlation id, with the full detail logged server side
Avoid sending stack traces to the end user
Customize error pages for HTTP errors (404, 500 etc.) so the container's default page is never shown
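Mapping any exception to a sanitized client response while keeping the full detail in the server log, as an added example that is not code from the original post. It is framework-agnostic; the status codes, message text and the sample driver message are assumptions for illustration, and the code assumes Java 16 or later for the record type.

```java
import java.sql.SQLException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not from the original post): one place where exceptions are turned
// into a generic client message plus a correlation id, and logged in full.
public final class SafeErrorHandler {

    private static final Logger LOG = Logger.getLogger(SafeErrorHandler.class.getName());

    // What the client is allowed to see: a status, a generic message, and an id the
    // user can quote to support. Never the exception message, class name or stack trace.
    public record ClientError(int status, String message, String correlationId) {}

    private static final String GENERIC = "A server error occurred. Please try again later.";

    public static ClientError handle(Throwable t) {
        String id = UUID.randomUUID().toString();
        // Full detail (message, cause chain, stack trace) goes to the server log only,
        // keyed by the same id that is returned to the client.
        LOG.log(Level.SEVERE, "request failed, correlationId=" + id, t);

        if (t instanceof IllegalArgumentException) {
            return new ClientError(400, "The request was invalid.", id);
        }
        // SQLException messages routinely contain table/column names, the failing SQL
        // and driver version codes, so they are deliberately collapsed to the generic text.
        if (t instanceof SQLException) {
            return new ClientError(500, GENERIC, id);
        }
        return new ClientError(500, GENERIC, id);
    }

    /* In a servlet container, pair this with custom pages in web.xml so the
       container's default error pages (which print exception class names and
       traces) are never shown; the locations below are assumed paths:
         <error-page><error-code>404</error-code><location>/error/404.html</location></error-page>
         <error-page><error-code>500</error-code><location>/error/500.html</location></error-page>
         <error-page><exception-type>java.lang.Throwable</exception-type>
                     <location>/error/500.html</location></error-page>
    */

    public static void main(String[] args) {
        // Constructed sample: a driver-style error that leaks schema detail.
        SQLException leaky = new SQLException(
            "Table \"USERS\" not found; SQL statement: SELECT id FROM users WHERE username = ?");
        ClientError e = handle(leaky);
        System.out.println(e.status() + " " + e.message() + " (ref " + e.correlationId() + ")");
        // The driver's message must never reach the client-facing response.
        if (e.message().contains("USERS") || e.message().contains("SELECT")) {
            throw new AssertionError("schema detail leaked to client");
        }
    }
}
```

The `exception-type` mapping for `java.lang.Throwable` is the important one: a 404 page alone still leaves unhandled exceptions rendering the container's default trace page. Keep the log itself out of reach of users as well, since it now holds everything the client response no longer does.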




Now, since we have already been introduced to mongo and its server is setup. We shall now move on to performing basic CRUD operations. Lets take a use case example of ‘Company’ database that stores employee information.  We wish to store employee name, email address, age and multiple addresses. Traditionally in RDBMS we would create an Employee table and Address Table having foreign key reference to ‘employee id ‘ Incase of NoSQL, we will be creating Employee documnet which will have store employee information like name, email, age and an array of employes address. Following is a snippet of the schema defined { "name" : "", "email" : "", "age" : “”, "address" : [ ... ] } Thus to begin with, we will first define the entities. We have employee as an aggregate root entity that stores list of address having 1-M relatioship. Address Entity is represend as @Embeddable as it is embaded in another aggregate root entity. Employee is...