Java Reference
In-Depth Information
and errors and exception handling. While these practices may sound very simple at the outset, it is
alarming to ind that most Web applications do not follow them or follow an inconsistent method
of applying these practices across the Web application. Organizations tend to work toward serious
and strenuous deadlines for application development and usually focus the most attention to func-
tionality, at the cost of security. his practice is inadvertent, as most organizations are unaware of
optimal secure coding practices for the development of Web applications; consequently, develop-
ers are not provided the impetus to use secure coding practices.
10.1.2 Java Secure Coding Practices—An Introduction
Writing secure code for Java Web applications is perhaps the simplest when compared to any
other development platform. he development environment provides a very rich set of APIs and
libraries that allow the implementation of secure coding practices. Java also has a large array of
third-party libraries and APIs available for security such as the Open Web Application Security
Project-Enterprise Security API (OWASP ESAPI), which makes it extremely simple for security to
be integrated into the Web application from its incipiency. Some frameworks for Java Web applica-
tions, such as Struts, provide several built-in mechanisms necessitating the use of secure coding
practices across the Web application. Furthermore, the support available for developers on the Java
platform is tremendous as the Internet is replete with Java code and code snippets detailing a mul-
titude of secure coding practices, implementation of access control, cryptography, or logging.
10.2 Input Validation and output encoding
10.2.1 The Need for Input Validation and Output Encoding
10.2.1.1 What Is Validation of Input?
Input validation
can be succinctly deined as
the practice of ensuring that a program or an applica-
tion operates on clean and correct data
. Input validation is the practice of making sure that the data
entered by the users, or derived as input from other applications, is clean and is free from security
hazards. here are several attacks in the current day that rely on poorly validated input to carry out
attacks and cause a breach of conidentiality, integrity, and/or availability of critical information
assets. From a consistency standpoint as well, input validation is a recommended practice, because
anomalies in the data processed and stored by the application can result in several errors and prob-
ably hinder the smooth functioning of the Web application—for instance, if there is an input ield
where a user has to supply a credit card number for a system to process. It is natural that allow-
ing a user to enter a phone number or arbitrary string data in the ield would result in errors and
exceptions during the processing of payment. he payment wouldn't be accepted in the irst place
and, in several cases, might even have security implications, as the arbitrary input might contain
crafted queries that may be used to maliciously obtain information from the database.
10.2.1.2 Why Validate Input?
Input validation is one of the most critical secure coding practices that needs to be implemented
for any Web application. Web applications are designed to perform functions or a set of functions
based on user input. Attackers are also users of the Web application. hey are users who use their
Search WWH ::
Custom Search