They didn't teach appsec in Comp Sci or in engineering or MIS or however you learned how to program. And they probably still don’t. So how could you be expected to know about XSS filter evasion or clickjacking attacks, or how to really store passwords safely.
Your company can’t afford to send you on expensive appsec training, and you’re too busy coding anyways. Read a book? There hasn't been a good book that explains how to write secure Java in, well… ever.
But all that’s changed. Now you learn how to build a secure Java app at your desk or on the train or on the toilet.
While it is focused on web apps, a lot of the book applies equally to mobile, Cloud, real-time and back-end systems, any kind of online system in Java.
There’s no time wasted on theory. Iron Clad Java explains the most common and most dangerous attacks and how to defend against them, using straight forward patterns and Open Source libraries and free tools from OWASP.
Each chapter is short and easy to read, with practical, up to date (as of Java 8) information and sample code:
- Fundamentals of web app security: HTTP/S, validating input
- Access control: common anti patterns and mistakes, how to design access control for single company or multitenant apps, how to use Apache Shiro and Spring Security
- Authentication and session management: you shouldn’t be writing this code on your own (this is what frameworks are for), but if you have to, here’s how to do it, as well as how to handle remember me and forgot password features, multi-factor authentication and more
- XSS defense: how to use the OWASP Java Encoder, HTML Sanitizer and JSON Sanitizer libraries and JQuery encoding
- CRF defense and Clickjacking: random tokens and framebusting
- Protecting sensitive data: how to do signing and crypto correctly, using Google KeyCzar and Bouncy Castle
- SQL injection and other kinds of injection: prepare your statements
- Safe file upload and file i/o
- Logging and error handling: what to log, what not to log, logging frameworks, safe error handling, using logging for intrusion detection
- Security in the SDLC
So no more excuses.