Java Security Features

Ranch Hand
Hi All:
I do not know if it's the right forum or not for my post, so forgive my ignorance. I need to develop a Web Application to access some sensitive data. What possible security features should I implement in my application? Right now I can only think of the following 2.
  • provide access for authenticated users with username and encrypted passwords.
  • Keep a record of the IPs of users accessing the sensitive data.
    Bartender

    Fawad Ali wrote: What possible security features should I implement in my application.


    A couple of others off the top of my head:
    3. Use certificates. Thawte and Verisign work on pretty well all browsers, but you have to pay for them and they will require a pre-audit. There are free ones around, but acceptance is patchy (or used to be). Thawte used to be a lot cheaper, but it's been quite a while since I did that stuff, so you might want to read up on it.
    4. Use HTTPS and/or SSL for everything sensitive (and if you don't know what's sensitive and what isn't, assume it's ALL sensitive).

    Winston

    Tip from an old secAdmin: There are two basic paradigms for security:
    1. That which is not specifically allowed is denied.
    2. That which is not specifically denied is allowed.
    The first won't win you any friends, and may have a few teething troubles, but is MUCH easier to administer - and SAFER.
    The latter is much nicer for your users, but you'll feel like the boy with his finger in the dyke.
    Rancher
    Some things that come to mind, in no particular order:

    1) Encrypt any sensitive data that is stored

    2) Store passwords hashed

    3) Limit access by IP address if possible

    4) Require strong passwords, and deal with failed login attempts (maybe by limiting the number of attempts, or by increasing exponentially the time until a further attempt can be made)

    5) Defend against XSS, SQL injection and other typical attacks on web apps

    6) As much as possible use pre-existing libraries, such as Apache Shiro, instead of developing all this yourself

    7) Think about where you host this, who has access to the host system, and how to safeguard against people inside of your organization doing inappropriate things with the systems and the data

    8) Make frequent backups of everything that you keep both onsite and offsite
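    A Java sketch of items 2 and 4 above, added here as an example and not code from the thread: salted PBKDF2 password hashing with the JDK's own SecretKeyFactory, plus an exponentially growing wait after each failed login. The class name, map layout and the delay schedule are my own assumptions; the in-memory maps stand in for whatever database the real application uses.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStore {
    private static final int ITERATIONS = 120_000;   // work factor; raise it as hardware gets faster
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();
    // per user: "base64(salt):base64(hash)" is stored, never the password itself
    private final Map<String, String> records = new ConcurrentHashMap<>();
    private final Map<String, Integer> failures = new ConcurrentHashMap<>();   // consecutive failed attempts
    private final Map<String, Long> lockedUntil = new ConcurrentHashMap<>();   // epoch millis of next allowed try

    private static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public void register(String user, char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                       // fresh random salt per user
        Base64.Encoder enc = Base64.getEncoder();
        records.put(user, enc.encodeToString(salt) + ":" + enc.encodeToString(pbkdf2(password, salt)));
    }

    public boolean login(String user, char[] password) throws Exception {
        long now = System.currentTimeMillis();
        if (lockedUntil.getOrDefault(user, 0L) > now) return false;   // still inside the back-off window
        String rec = records.get(user);
        boolean ok = false;
        if (rec != null) {
            String[] parts = rec.split(":");
            byte[] salt = Base64.getDecoder().decode(parts[0]);
            byte[] expected = Base64.getDecoder().decode(parts[1]);
            ok = MessageDigest.isEqual(expected, pbkdf2(password, salt));   // constant-time comparison
        }
        if (ok) { failures.remove(user); lockedUntil.remove(user); return true; }
        int n = failures.merge(user, 1, Integer::sum);
        // 2 s, 4 s, 8 s ... doubling per failure, capped at 2^10 s (about 17 minutes)
        lockedUntil.put(user, now + (1000L << Math.min(n, 10)));
        return false;
    }
}
```

    The back-off is keyed by username here; keying it by source IP as well (item 3) limits a single client without locking a legitimate user out entirely.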

    Winston Gutkowski
    Bartender

    Ulf Dittmer wrote: 1) Encrypt any sensitive data that is stored


    Absolutely.

    @Fawad: If you have some good techies in your shop (or who you can call on for advice), this can actually be done at the kernel level on some *xes (Debian springs to mind).

    Winston
    Greenhorn
    Hi Everybody,
    Don't know whether this is the exact place to post my questions or not, but my problem is quite serious, so I hope to get some good answers from the experts. My question is:
    Is there a way to check via Java/JSP if my self-signed certificate is installed in my browser or not?

    Thanks in advance.