Java Reference
In-Depth Information
into the application from its inception and carried through its deployment. Among the processes
of risk management, the irst is risk assessment, where a detailed process of understanding criti-
cal application data, threat modeling, and risk mitigation steps provides a set of detailed security
requirements that are to be included in the Web application.
4.3.1.2 Application Design
Once detailed requirements are formulated for the Web application, it is natural that these require-
ments be given some shape. his is the design phase of the application development life cycle. he
Web application design is created for all functional and nonfunctional aspects of the application,
with the help of lowcharts and use cases. As security requirements will be included in the detailed
requirements, and as they are an important consideration for the new application for Panthera,
security use cases and diagrams must be created to develop the design for the security functional-
ity and capability, which is part of Panthera's new e-commerce application.
4.3.1.3 Application Development
Application development is the phase of the application development life cycle during which the
Web application is actually coded. Coding is a comprehensive process, where the application is
developed by developers from scratch and actually brought to life. Section 3 of this topic provides
a detailed insight into the secure coding requirements for a Java Web application, as well as some
insights into code for logging, key management, encryption, and access control.
4.3.1.4 White- and Black-Box Testing
Once the application has been developed, it is imperative that it be tested and reviewed before
deploying it in a live environment, also popularly known as
production environment
. Web appli-
cations are complex entities that are subject to several bugs and coding laws, which would have
crept into the application during development. he aim of black-box and white-box testing is to
ensure that all the functional defects in the application and the coding laws perpetrated by devel-
opers during application development are brought to light and corrected before the application
is deployed in the production environment. White-box testing considers the Web application to
be a white box. White-box testing is carried out to ensure that the code implementation in the
application follows the intended design, to provide evidence of the correct implementation of the
designed security functionality of the application. his process is also popularly known as
code
review
. Individuals who are not the code authors ideally perform code reviews, as this ensures
objectivity and an unbiased opinion to be rendered on the code written by the developers. Code
reviewers usually check the code for incorrect coding practices, like the use of
System.out.
println
statements in Java programs, which are used to test and write the output to the local
console. Another example of a bad coding practice is to not handle exceptions speciically or by
not handling exceptions with the use of a try-catch statement. Security should also be one of the
important considerations for a code review process. Nonsecure coding practices are one of the
prime causes of festering vulnerabilities in Web applications. Code reviewers should ensure that
nonsecure coding practices, like unvalidated input and wrong implementation of cryptography,
are checked during the code review process. Organizations, in the case of high-risk Web appli-
cations like online banking, e-commerce, or online share-trading applications, insist on a code
Search WWH ::
Custom Search