Chapter 10
Secure Coding Practices for Java Web Applications
Secure coding practices play a critical role in the development of secure Web applications. Enterprises need to ensure that Web applications that process mission-critical or sensitive information are equipped with robust access control mechanisms, cryptographic implementations, and logging implementations. However, many attacks against Web applications succeed because of vulnerabilities that nonsecure coding practices introduce into the application itself. We will discuss some of the secure coding practices that are appropriate for Web applications developed and implemented on the Java platform, and highlight the types of attacks and vulnerabilities that are averted when these practices are applied to best effect.
10.1 Java Secure Coding Practices—An Overview
10.1.1 A Case for Secure Coding Practices
Secure coding practices are those practices that enhance the security of the Web application. Access control mechanisms, cryptographic implementations, and logging mechanisms are required to enforce the security policies imposed on a Web application. However, it is secure coding practices that ensure these policies and this functionality cannot be tampered with by determined and knowledgeable attackers. Nonsecure coding practices have rendered around 70% of Web sites and Web applications vulnerable to attack. Most vulnerabilities that plague Web applications are the consequence of ignorance and unchecked assumptions coupled with nonsecure coding practices. Organizations can eliminate a great deal of attack possibilities by creating awareness, following a secure SDLC, and ensuring that a consistent secure coding practice is implemented, validated, and subsequently deployed in the production environment.
Secure coding practices include several items, of which the most significant are validation of input and output, secure methods of database querying for the prevention of injection attacks,
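To make the two practices named above concrete, the following is an added Java example (not code from the book) that places a JDBC query built by string concatenation beside the same lookup done with allow-list input validation and a bound parameter. The users table, the H2 in-memory database URL (the H2 driver on the classpath is an assumption), the allow-list pattern and the injection payload are all constructed for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

public class UserLookupDemo {

    // Allow-list for the username field (an assumption for this example):
    // 3 to 32 characters from [A-Za-z0-9_.-], which excludes quotes and whitespace.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{3,32}$");

    // VULNERABLE: the caller's input is spliced into the SQL text, so a value such as
    // alice' OR '1'='1 rewrites the WHERE clause and the query matches every row.
    static int countUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Bound parameter only: the value is sent separately from the SQL text, so the
    // database never parses it as SQL and the payload is just a username that does not exist.
    static int countBound(Connection conn, String username) throws SQLException {
        try (PreparedStatement ps =
                     conn.prepareStatement("SELECT COUNT(*) FROM users WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // HARDENED: allow-list validation first (defence in depth, and it also catches
    // malformed data early), then the bound query.
    static int countSafe(Connection conn, String username) throws SQLException {
        if (!USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("username rejected by input validation");
        }
        return countBound(conn, username);
    }

    public static void main(String[] args) throws SQLException {
        // Constructed in-memory database; the jdbc:h2:mem URL is an assumption.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, "
                        + "username VARCHAR(32), email VARCHAR(100))");
                st.execute("INSERT INTO users VALUES (1, 'alice', 'alice@example.com')");
                st.execute("INSERT INTO users VALUES (2, 'bob', 'bob@example.com')");
            }
            String benign = "alice";
            String hostile = "alice' OR '1'='1";   // constructed injection payload

            System.out.println("unsafe, benign  : " + countUnsafe(conn, benign));
            System.out.println("unsafe, hostile : " + countUnsafe(conn, hostile));
            System.out.println("bound,  hostile : " + countBound(conn, hostile));
            try {
                countSafe(conn, hostile);
            } catch (IllegalArgumentException e) {
                System.out.println("safe,   hostile : rejected (" + e.getMessage() + ")");
            }
            System.out.println("safe,   benign  : " + countSafe(conn, benign));
        }
    }
}
```

Run it with the H2 jar on the classpath. The concatenated query reports both users for the hostile input because the spliced-in `OR '1'='1'` makes the predicate always true; the bound query reports no match because the whole payload is compared as a literal username; and the hardened path rejects the payload before any SQL is issued while still serving the benign lookup.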