1st Edition

Secure Java For Web Application Development

By Abhay Bhargav, B. V. Kumar Copyright 2010
    308 Pages 69 B/W Illustrations
    by CRC Press

    Most security books on Java focus on cryptography and access control, but exclude key aspects such as coding practices, logging, and web application risk assessment. Encapsulating security requirements for web development with the Java programming platform, Secure Java: For Web Application Development covers secure programming, risk assessment, and threat modeling—explaining how to integrate these practices into a secure software development life cycle.

    From the risk assessment phase to the proof of concept phase, the book details a secure web application development process. The authors provide in-depth implementation guidance and best practices for access control, cryptography, logging, secure coding, and authentication and authorization in web application development. Discussing the latest application exploits and vulnerabilities, they examine various options and protection mechanisms for securing web applications against these multifarious threats. The book is organized into four sections:

    • Provides a clear view of the growing footprint of web applications
    • Explores the foundations of secure web application development and the risk management process
    • Delves into tactical web application security development with Java EE
    • Deals extensively with security testing of web applications

    This complete reference includes a case study of an e-commerce company facing web application security challenges, as well as specific techniques for testing the security of web applications. Highlighting state-of-the-art tools for web application security testing, it supplies valuable insight on how to meet important security compliance requirements, including PCI-DSS, PA-DSS, HIPAA, and GLBA. The book also includes an appendix that covers the application security guidelines for the payment card industry standards.

    The Internet Phenomenon
    Evolution of the Internet and the World Wide Web
         Mainframe Era
         Client/Server Era
         Distributed Computing Architecture
         Internet and World Wide Web Era
         Problems with Web Architecture
    Web Applications and Internet
    Role and Significance of Java Technology in Web Applications
    Security in Java Web Applications

    Introducing Information Security
    Information Security: The Need of the Hour
         The Need for Information Security
         The Motivation for Security
    Some Basic Security Concepts
         The Pillars of Security—The CIA Triad
         Risk 101
         Defense-in-Depth
    Internet Security Incidents and Their Evolution
         The 1970s
         The 1980s
         The 1990s
         The 2000s—Present Day
    Security—Myths and Realities
         There Is No Insider Threat
         Hacking Is Really Difficult
         Geographic Location Is Hacker-Proof
         One Device Protects against All

    Introducing Web Application Security
    Web Applications in the Enterprise
         What Is a Web Application?
         Ubiquity of Web Applications
         Web Application Technologies
         Java as Mainstream Web Application Technology
    Why Web Application Security?
         A Glimpse into Organizational Information Security
         The Need for Web Application Security
    Web Application Security—The Challenges
         Client-Side Control and Trust
         Pangs of the Creator
         Flawed Application Life Cycle
         Awareness
         Legacy Code
         Business Case Issues

    Web Application Security—A Case Study
    The Business Need—An E-Commerce Application
         The Company
         The Existing Application Environment
         Importance of Security
         Panthera’s Plan for Information Security
    Outlining the Application Requirements
         The Request for Proposal
    An Overview of the Application Development Process
         The Application Development Process

    FOUNDATIONS OF A SECURE JAVA WEB APPLICATION

    Insights into Web Application Security Risk
    The Need for Web Application Security Risk Management
         Risk Management
         The Benefits of Risk Management for Web Applications
         Overview of the Risk Assessment Phase
    System Characterization Process--Risk Assessment
         An Overview of the System Characterization Process
         Understanding Basic Application Architecture
    Developing Security Policies for the Web Application
         A Broad Overview of Security Policies for the Web Application
         Security Compliance and Web Application Security
    Threat Analysis
         Understanding and Categorizing Security Vulnerabilities
         Common Web Application Vulnerabilities
         Basic Understanding of Threats and Associated Concepts
         Threat Profiling and Threat Modeling
    Risk Mitigation Strategy—Formulation of Detailed Security Requirements for the Web Application
    Risk Assessment for an Existing Web Application

    Risk Assessment for the Typical E-Commerce Web Application
    System Characterization of Panthera’s E-Commerce Application
         Identification of Critical Information Assets
         Practical Techniques to Identify Critical Information Assets
         Identified Critical Information Assets for Panthera’s Web Application
         User Roles and Access to Critical Information Assets
         Application Deployment Architecture and Environment
    Security Policies for the Web Application and Requirements
         Panthera’s Security Policies
    Threat Analysis
         Threat Profiling
         Threat Modeling
    Risk Mitigation Strategy—Formulation of Detailed Security Features for Panthera’s E-Commerce Application
         Authentication and Authorization
         Cryptographic Implementation for Panthera’s E-Commerce Application
         Logging
         Secure Coding Practices

    BUILDING A SECURE JAVA WEB APPLICATION

    Developing a Bulletproof Access Control System for a Java Web Application
    Overview of Access Control Systems
         A Brief History/Evolution of Access Control Mechanisms
         An Overview of Access Control
         Access Control Models
    Developing a Robust Access Control System for Web Applications
         Attacks against Web Application Access Control
         User Credentials—Usernames and Passwords
         Session—Maintaining a Secure State for Web Applications
         Authorization—Effective Authorization for a Web Application
         Other Best Practices
    Security Compliance and Web Application Access Control
         PCI-DSS
    Implementing a Secure Authentication and Authorization System for a Java Web Application
         Java Security Overview
         Java Authentication and Authorization Services
         JAAS Core
         Process of Authentication
         Process of Authorization

    Application Data Protection Techniques
    Overview of Cryptography
         Evolution of Cryptography
         Cryptography—Terminology and Definitions
         Symmetric and Asymmetric Cryptography
         Block Ciphers and Stream Ciphers
         Block Cipher Modes of Encryption
         Crypto Attacks
    Crypto Implementation for Web Applications
         Data Protection with Cryptography—A Primer
         A Study of Encryption Algorithms and Hashing Functions
         Implementation Implications of Encryption in Web Applications
         Key Management—Principles and Practical Implementation
         Security Compliance and Cryptography
    Java Implementation for Web Application Cryptography
         Implementation Independence
         Implementation Interoperability
         Algorithm Extensibility and Independence
         Architecture Details
         Core Classes, Interfaces, and Algorithms of JCA
    Protection of Data-in-Transit
         History of Secure Socket Layer/Transport Layer Security
    Java Secure Socket Extensions for Secure Data Transmissions
         Features of the JSSE
         Cryptography and JSSE
         Core Classes and Interfaces of JSSE
         Support Classes and Interfaces

    Effective Application Monitoring: Security Logging for Web Applications
    The Importance of Logging for Web Applications—A Primer
         Overview of Logging and Log Management
         Logging for Security—The Need of the Hour
         Need for Web Application Security Logging
    Developing a Security Logging Mechanism for a Web Application
         The Constituents of a Web Application Security Log
         Web Application Logging—Information to Be Logged
         Details to Be Omitted from Web Application Logs
         Application Logging—Best Practices
    Security Compliance and Web Application Logging
    Logging Implementation Using Java
    Control Flow
    The Core Classes and Interfaces

    Secure Coding Practices for Java Web Applications
    Java Secure Coding Practices—An Overview
         A Case for Secure Coding Practices
         Java Secure Coding Practices—An Introduction
    Input Validation and Output Encoding
         The Need for Input Validation and Output Encoding
         User Input Validation for Java Web Applications
         Java Implementation for Input Validation and Output Encoding
    Secure Database Queries
         Need for Secure Database Access

    TESTING JAVA WEB APPLICATIONS FOR SECURITY

    Security Testing for Web Applications
    Overview of Security Testing for Web Applications
         Security Testing for Web Applications—A Primer
         Need for Web Application Security Testing
         Security Testing Web Applications—Some Basic Truths
         Integration of Security Testing into Web Application Risk Management
    Designing an Effective Web Application Security Testing Practice
         Approach to Web Application Security Testing
         Threat Models for Effective Security Testing
         Web Application Security Testing—Critical Success Factors
         Security Testing for Web Applications and Security Compliance

    Practical Web Application Security Testing
    Web Application Vulnerability Assessment and Penetration Testing
         Approach to Practical Web Application Testing
         Tools and Technologies for Practical Security Testing
    Practical Security Testing for Web Applications
         Information Gathering and Enumeration
         Testing Web Application for Access Control
         Testing Data Validation

    Appendix A: Application Security Guidelines for the Payment Card Industry Standards (PCI-DSS and PA-DSS)

    Index

    Each chapter concludes with a Summary

    Biography

    Abhay Bhargav is the founder and CTO of we45 Solutions India Pvt. Ltd., an information security solutions company. As the CTO of we45, his primary role is to deliver information security consulting solutions for diverse clientele. He also oversees the information security research and application development activities of we45. He has performed security assessments for enterprises in various industries including banking, software development, retail, telecom, and legal. Previously, he was a security assessor for the payment card industry and has led several security assessments for payment card industry compliance. He specializes in Web application security and has performed security testing and consulting engagements for a wide array of enterprises and governmental/quasi-governmental entities. He also possesses security code review, vulnerability assessment, and penetration testing experience. He has been involved in several such assessments for small and large clients from various industries. Abhay is a regular speaker at industry events. He has spoken at the OWASP (Open Web Application Security Project) AppSec Conference in New York. He is a regular speaker at prestigious industry events such as the PCI Summit in Mumbai, December 2008, Business Technology Summit and events organized by the Confederation of Indian Industry (CII). He is also a trainer and has led several public workshops on information security subjects including PCI, PA-DSS, Web application security, and risk assessment. Apart from his professional interests, Abhay is also a trained Carnatic classical flutist and vocalist. He is also a playwright who has an English comedy play to his writing credits. He blogs actively and maintains an information security blog. He writes articles on computer education for the rural youth on a weekly basis for a leading daily. Dr. B. V. Kumar, currently t

    Given that Java is the platform of choice for enterprise application development the world over, this book fills a much-needed gap by thoroughly and clearly outlining the security requirements of such a critical platform. I strongly believe that this work will prove invaluable to a wide audience, including Java developers, architects, and students.
    —Kris Gopalakrishnan, CEO, Infosys Technologies Ltd.

    … a great resource that covers all of the essential topics when building out an application security program.
    —Ed Bellis, CISO, Orbitz Worldwide