Kancharla | Application Security Recipes for JAVA/JEE | Book | 978-1-4842-0830-4 | sack.de

Book, English, 400 pages, paperback, format (W × H): 178 mm x 254 mm

Kancharla

Application Security Recipes for JAVA/JEE

A Problem Solution Approach (Proven Security Guidelines for JAVA Based Application Development)
1st edition 2015
ISBN: 978-1-4842-0830-4
Publisher: Apress



Application Security Recipes for JAVA/JEE: A Problem-Solution Approach teaches how to build a highly secure and hack-resistant system using Java technology. This book provides end-to-end application security secrets and solutions. It provides a simplified and easy-to-follow approach to implementing the core security requirements (confidentiality, integrity, availability, authentication, authorization and accountability). When you start a new application development cycle or are working on the security aspects of existing legacy applications, you can use the book as a catalog of ‘Security Best Practices’. The content is organized so that you feel you are working on system security at every phase of the software development life cycle (SDLC), in keeping with business requirements. The book starts with risk management terminology, because without a fundamental understanding of risk you may fail to define a secure system; it then moves on to the following topics in the process: identify and capture security requirements, transform all the identified requirements into a secure design, and then validate the design with threat model concepts. Thereafter the book gives a detailed presentation of the ‘Java built-in Security Model’ and secure coding guidelines for Java, presents various input injection attacks and web attacks and how to control injection attacks with input sanitization and output encoding, covers web services (SOAP/REST) security in detail, and validates and verifies all the security controls with ‘white-box’ and ‘black-box’ testing. It then shows how to apply cryptosystem best practices in application development, presents cloud security and Android security, introduces the OWASP Top 10 Risks for 2014 and the OWASP Top 10 Mobile Risks for 2014, and finally explores the Spring framework's built-in security module. The highlights of the book are:

• Input injection attacks & Web injection attack
• Threat modeling
• SOAP and RESTful web services security
• OAuth and SAML protocols
• Android Security & Cloud Security

This book guides you step-by-step through topics using complete and real-world code examples. Instead of theoretical descriptions of complex concepts, you will find live examples in this book. When you start a new project, you can follow the recipes to define the end-to-end security aspects of a system.


Target audience

Popular/general

Further information & material

Chapter 1: Introduction to Application Security
Chapter Goal: Fundamental aspects of application security, why the importance of application security is growing day by day, and the basic terminology required to understand application security aspects.
* Application Security Importance
* Understand Risk Management Terminology
* Different Flavors of System Security
* Is security just a Non-Functional Requirement?
* Recent Noteworthy Hacking Incidents

Chapter 2: Capture Security Requirements
Chapter Goal: To develop a highly secure and hack-resilient system one must have thorough knowledge of end-to-end system security requirements: the different types of security requirements, how to capture them, and the sources from which to capture them. Classify the business data to define security requirements.
* Data classification to define system security
* Different types of security requirements
* Sources for capturing Security Requirements
* Traceability Matrix for security requirements

Chapter 3: Secure Software Design
Chapter Goal: Define secure design policies, securing commonly used architectures, design considerations for all captured security requirements, threat modeling, and the design process.
* Secure Design Process
* Secure commonly used architectures
* Design for security requirements
* Threat Modeling

Chapter 4: Data Validation
Chapter Goal: Data validation helps to build highly secure applications. Server-side validation is key to building a hack-resilient system. The various possible ways to bypass validation controls will be explained.
* Validate Input from All Sources
* How to Validate Input
* Finding and confirming Input Validation Issues
* Different ways to spot Input Validation Issues

Chapter 5: Data Validation Best Practices
Chapter Goal: User input should be validated both at the client side and the server side. Input validation best practices and output encoding best practices will be explained. Java APIs for doing input validation and output encoding will be introduced.
* Blacklisting vs Whitelisting
* Normalize Input
* Canonicalize Input
* Sanitize data sent to other Systems
* Output Encoding
* Character Encoding

Chapter 6: Implementing Security Requirements
Chapter Goal: How to implement core security requirements with Java; OWASP Top 10; OWASP Mobile Top 10; defensive coding practices; anti-tampering techniques (e.g. code signing, obfuscation); source code and versioning.
* Implementing core security requirements

Chapter 7: Input Injection Attacks
Chapter Goal: Various input injection attacks will be explained with a simplified and easy-to-follow approach, showing vulnerable usage scenarios and secure usage scenarios for a given attack.
* SQL Injection
* Stored Procedure Injection
* ORM Injection - Hibernate
* ORM Injection - JPA
* LDAP Injection
* Command Injection
* Directory Traversal
* Parameter Manipulation
* File Inclusion
* Log Forging
* Format-String Vulnerability
* XML Injection
* XPath Injection
* XQuery Injection
* XSLT Injection
* XML Entity Expansion Injection
* XML External Entity Injection
* SOAP Injection

Chapter 8: Web Security
Chapter Goal: How client-side controls, authentication and session management controls are attacked. Various ways to break web applications will be explained.
* Cross-Site Scripting (XSS)
* Cross-Site Request Forgery (CSRF, XSRF)
* Cross-Site Script Inclusion (XSSI)
* Header Injection (Response Splitting)
* Open Redirection
* Referer Leakage
* Mixed Content
* Cache poisoning
* Clickjacking
* Content and character set sniffing
* Cookie forcing (or cookie injection)
* Framebusting
* HTTP downgrade

Chapter 9: Web Services Security
Chapter Goal: End-to-end web services security will be explained: common web service attacks, and the importance of OAuth, SAML and SSO.
* SOAP Security
* REST Security
* OAuth
* SAML
* Single Sign On

Chapter 10: Security Testing
Chapter Goal: Verification and validation of a hack-resilient system is a very important step before moving to production, so various ways to certify the product will be explained.
* Security Testing (e.g., white box and black box)
* Attack Surface Validation
* Types of Testing: Penetration, Scanning (e.g., vulnerability, content, privacy), Cryptographic validation (e.g., PRNG)

Chapter 11: Threat Modeling
Chapter Goal: Steps to decompose an application architecture to discover vulnerabilities. How to identify and document threats that are relevant to your application.
* Strategies for Threat Modeling
* STRIDE
* Processing and Managing Threats
* Threat Modeling Tools

Chapter 12: Cryptography
Chapter Goal: The application and use of cryptography, the cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance), key management processes, non-repudiation and Public Key Infrastructure (PKI).
* Explain Cryptography
* Understand Cryptographic Key Management
* Symmetric Cryptography
* Asymmetric Cryptography
* PKI (Public Key Infrastructure)
* Hashing

Chapter 13: Java Security
Chapter Goal: Java's built-in security features will be explained.
* Class Loaders
* Bytecode Verification
* Security Managers and Permissions
* User Authentication
* Digital Signatures
* Code Signing

Chapter 14: Java Coding Practices
Chapter Goal: Java API-level secure coding practices will be explained.
* Denial of Service
* Confidential Information
* Injection and Inclusion
* Accessibility and Extensibility
* Mutability
* Object Construction
* Serialization and Deserialization
* Access Control
* Threads

Chapter 15: Android Security
Chapter Goal: Understand the Android security model. Finding vulnerabilities in Android applications.
* Android Architecture And Security Model
* Android Application Pen testing and Exploitation
* Android’s Attack Surface
* Finding Vulnerabilities with Fuzz Testing
* Debugging and Analyzing Vulnerabilities
* Android Device And Data Security

Chapter 16: Cloud Security
Chapter Goal: Basics of cloud security, data security, compliance and legal issues with the cloud.
* Security Challenges in the Cloud
* Infrastructure Security in the Cloud
* Policy and Governance for Cloud Computing
* Compliance and Legal Considerations
* Data Security in the Cloud

Chapter 16: Spring Security
Chapter Goal: The Spring framework security module will be explained.
* Introducing Spring Security
* Securing web applications using servlet filters
* Authentication against databases and LDAP
* Transparently securing method invocations

Appendix 1: Input Validation Rules
Appendix 2: Secure Design Check List - Authentication & Password Management
Appendix 3: Secure Design Check List - Session Management
Appendix 4: Secure Design Check List - Access Control, Error Handling, Logging
Appendix 5: Security assessment tools


