Secure Java: For Web Application Development / Edition 1

Secure Java: For Web Application Development / Edition 1

by Abhay Bhargav, B. V. Kumar
     
 

ISBN-10: 1439823510

ISBN-13: 9781439823514

Pub. Date: 09/13/2010

Publisher: Taylor & Francis

Most security books on Java focus on cryptography and access control, but exclude key aspects such as coding practices, logging, and web application risk assessment. Encapsulating security requirements for web development with the Java programming platform, Secure Java: For Web Application Development covers secure programming, risk assessment, and

Overview

Most security books on Java focus on cryptography and access control, but exclude key aspects such as coding practices, logging, and web application risk assessment. Encapsulating security requirements for web development with the Java programming platform, Secure Java: For Web Application Development covers secure programming, risk assessment, and threat modeling—explaining how to integrate these practices into a secure software development life cycle.

From the risk assessment phase to the proof of concept phase, the book details a secure web application development process. The authors provide in-depth implementation guidance and best practices for access control, cryptography, logging, secure coding, and authentication and authorization in web application development. Discussing the latest application exploits and vulnerabilities, they examine various options and protection mechanisms for securing web applications against these multifarious threats. The book is organized into four sections:

  • Provides a clear view of the growing footprint of web applications
  • Explores the foundations of secure web application development and the risk management process
  • Delves into tactical web application security development with Java EE
  • Deals extensively with security testing of web applications

This complete reference includes a case study of an e-commerce company facing web application security challenges, as well as specific techniques for testing the security of web applications. Highlighting state-of-the-art tools for web application security testing, it supplies valuable insight on how to meet important security compliance requirements, including PCI-DSS, PA-DSS, HIPAA, and GLBA. The book also includes an appendix that covers the application security guidelines for the payment card industry standards.

Product Details

ISBN-13:
9781439823514
Publisher:
Taylor & Francis
Publication date:
09/13/2010
Pages:
308
Product dimensions:
7.00(w) x 9.90(h) x 0.70(d)

Table of Contents

The Internet Phenomenon
Evolution of the Internet and the World Wide Web
Mainframe Era
Client/Server Era
Distributed Computing Architecture
Internet and World Wide Web Era
Problems with Web Architecture
Web Applications and Internet
Role and Significance of Java Technology in Web Applications
Security in Java Web Applications

Introducing Information Security
Information Security: The Need of the Hour
The Need for Information Security
The Motivation for Security
Some Basic Security Concepts
The Pillars of SecurityThe CIA Triad
Risk 101
Defense-in-Depth
Internet Security Incidents and Their Evolution
The 1970s
The 1980s
The 1990s
The 2000sPresent Day
SecurityMyths and Realities
There Is No Insider Threat
Hacking Is Really Difficult
Geographic Location Is Hacker-Proof
One Device Protects against All

Introducing Web Application Security
Web Applications in the Enterprise
What Is a Web Application?
Ubiquity of Web Applications
Web Application Technologies
Java as Mainstream Web Application Technology
Why Web Application Security?
A Glimpse into Organizational Information Security
The Need for Web Application Security
Web Application SecurityThe Challenges
Client-Side Control and Trust
Pangs of the Creator
Flawed Application Life Cycle
Awareness
Legacy Code
Business Case Issues

Web Application Security—A Case Study
The Business NeedAn E-Commerce Application
The Company
The Existing Application Environment
Importance of Security
Panthera’s Plan for Information Security
Outlining the Application Requirements
The Request for Proposal
An Overview of the Application Development Process
The Application Development Process

FOUNDATIONS OF A SECURE JAVA WEB APPLICATION

Insights into Web Application Security Risk
The Need for Web Application Security Risk Management
Risk Management
The Benefits of Risk Management for Web Applications
Overview of the Risk Assessment Phase
System Characterization Process—Risk Assessment
An Overview of the System Characterization Process
Understanding Basic Application Architecture
Developing Security Policies for the Web Application
A Broad Overview of Security Policies for the Web Application
Security Compliance and Web Application Security
Threat Analysis
Understanding and Categorizing Security Vulnerabilities
Common Web Application Vulnerabilities
Basic Understanding of Threats and Associated Concepts
Threat Profiling and Threat Modeling
Risk Mitigation StrategyFormulation of Detailed Security Requirements for the Web Application
Risk Assessment for an Existing Web Application

Risk Assessment for the Typical E-Commerce Web Application
System Characterization of Panthera’s E-Commerce Application
Identification of Critical Information Assets
Practical Techniques to Identify Critical Information Assets
Identified Critical Information Assets for Panthera’s Web Application
User Roles and Access to Critical Information Assets
Application Deployment Architecture and Environment
Security Policies for the Web Application and Requirements
Panthera’s Security Policies
Threat Analysis
Threat Profiling
Threat Modeling
Risk Mitigation StrategyFormulation of Detailed Security Features for Panthera’s E-Commerce Application
Authentication and Authorization
Cryptographic Implementation for Panthera’s E-Commerce Application
Logging
Secure Coding Practices

BUILDING A SECURE JAVA WEB APPLICATION

Developing a Bulletproof Access Control System for a Java Web Application
Overview of Access Control Systems
A Brief History/Evolution of Access Control Mechanisms
An Overview of Access Control
Access Control Models
Developing a Robust Access Control System for Web Applications
Attacks against Web Application Access Control
User CredentialsUsernames and Passwords
SessionMaintaining a Secure State for Web Applications
AuthorizationEffective Authorization for a Web Application
Other Best Practices
Security Compliance and Web Application Access Control
PCI-DSS
Implementing a Secure Authentication and Authorization System for a Java Web Application
Java Security Overview
Java Authentication and Authorization Services
JAAS Core
Process of Authentication
Process of Authorization

Application Data Protection Techniques
Overview of Cryptography
Evolution of Cryptography
CryptographyTerminology and Definitions
Symmetric and Asymmetric Cryptography
Block Ciphers and Stream Ciphers
Block Cipher Modes of Encryption
Crypto Attacks
Crypto Implementation for Web Applications
Data Protection with CryptographyA Primer
A Study of Encryption Algorithms and Hashing Functions
Implementation Implications of Encryption in Web Applications
Key ManagementPrinciples and Practical Implementation
Security Compliance and Cryptography
Java Implementation for Web Application Cryptography
Implementation Independence
Implementation Interoperability
Algorithm Extensibility and Independence
Architecture Details
Core Classes, Interfaces, and Algorithms of JCA
Protection of Data-in-Transit
History of Secure Socket Layer/Transport Layer Security
Java Secure Socket Extensions for Secure Data Transmissions
Features of the JSSE
Cryptography and JSSE
Core Classes and Interfaces of JSSE
Support Classes and Interfaces

Effective Application Monitoring: Security Logging for Web Applications
The Importance of Logging for Web ApplicationsA Primer
Overview of Logging and Log Management
Logging for SecurityThe Need of the Hour
Need for Web Application Security Logging
Developing a Security Logging Mechanism for a Web Application
The Constituents of a Web Application Security Log
Web Application LoggingInformation to Be Logged
Details to Be Omitted from Web Application Logs
Application LoggingBest Practices
Security Compliance and Web Application Logging
Logging Implementation Using Java
Control Flow
The Core Classes and Interfaces

Secure Coding Practices for Java Web Applications
Java Secure Coding PracticesAn Overview
A Case for Secure Coding Practices
Java Secure Coding PracticesAn Introduction
Input Validation and Output Encoding
The need for Input Validation and Output Encoding
User Input Validation for Java Web Applications
Java Implementation for Input Validation and Output Encoding
Secure Database Queries
Need for Secure Database Access

TESTING JAVA WEB APPLICATIONS FOR SECURITY

Security Testing for Web Applications
Overview of Security Testing for Web Applications
Security Testing for Web ApplicationsA Primer
Need for Web Application Security Testing
Security Testing Web ApplicationsSome Basic Truths
Integration of Security Testing into Web Application Risk Management
Designing an Effective Web Application Security Testing Practice
Approach to Web Application Security Testing
Threat Models for Effective Security Testing
Web Application Security TestingCritical Success Factors
Security Testing for Web Applications and Security Compliance

Practical Web Application Security Testing
Web Application Vulnerability Assessment and Penetration Testing
Approach to Practical Web Application Testing
Tools and Technologies for Practical Security Testing
Practical Security Testing for Web Applications
Information Gathering and Enumeration
Testing Web Application for Access Control
Testing Data Validation

Appendix A: Application Security Guidelines for the Payment Card Industry Standards (PCI-DSS and PA-DSS)

Index

Each chapter concludes with a Summary

Customer Reviews

Average Review:

Write a Review

and post it to your social network

     

Most Helpful Customer Reviews

See all customer reviews >