Java Security Features

Fawad Ali
Ranch Hand
Posts: 116
Hi All:
I do not know if it's the right forum or not for my post, so forgive my ignorance. I need to develop a Web Application to access some sensitive data. What possible security features should I implement in my application? Right now I can only think of the following 2.
  • provide access for Authenticated users with username and encrypted passwords.
  • Keep a record of the IPs of users accessing the sensitive data.
    Winston Gutkowski
    Bartender
    Posts: 10109
    Fawad Ali wrote: What possible security features should I implement in my application?

    A couple of others off the top of my head:
    3. Use certificates. Thawte and Verisign work on pretty well all browsers, but you have to pay for them and they will require a pre-audit. There are free ones around, but acceptance is patchy (or used to be). Thawte used to be a lot cheaper, but it's been quite a while since I did that stuff, so you might want to read up on it.
    4. Use HTTPS and/or SSL for everything sensitive (and if you don't know what's sensitive and what isn't, assume it's ALL sensitive).

    Winston

    Tip from an old secAdmin: There are two basic paradigms for security:
    1. That which is not specifically allowed is denied.
    2. That which is not specifically denied is allowed.
    The first won't win you any friends, and may have a few teething troubles, but is MUCH easier to administer - and SAFER.
    The latter is much nicer for your users, but you'll feel like the boy with his finger in the dyke.
    Ulf Dittmer
    Rancher
    Posts: 42967
    Some things that come to mind, in no particular order:

    1) Encrypt any sensitive data that is stored

    2) Store passwords hashed

    3) Limit access by IP address if possible

    4) Require strong passwords, and deal with failed login attempts (maybe by limiting the number of attempts, or by increasing exponentially the time until a further attempt can be made)

    5) Defend against XSS, SQL injection and other typical attacks on web apps

    6) As much as possible use pre-existing libraries, such as Apache Shiro, instead of developing all this yourself

    7) Think about where you host this, who has access to the host system, and how to safeguard against people inside of your organization doing inappropriate things with the systems and the data

    8) Make frequent backups of everything that you keep both onsite and offsite

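    A sketch in Java of items 2 and 4 from the list above (salted PBKDF2 password hashing plus an exponentially growing delay after failed logins), added here as an example; it is not code from the thread. The `PasswordStore` class, the in-memory maps and the record format `iterations:base64(salt):base64(hash)` are assumptions standing in for whatever persistence the application actually uses.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordStore {
    private static final int ITERATIONS = 310_000;            // PBKDF2-HMAC-SHA256 work factor
    private static final long BASE_DELAY_MS = 1_000;          // first failure: wait 1 s
    private static final long MAX_DELAY_MS = 15 * 60 * 1_000; // backoff never exceeds 15 min
    private static final SecureRandom RNG = new SecureRandom();
    // Hypothetical in-memory records; a real application persists these in its database.
    private final ConcurrentHashMap<String, String> records = new ConcurrentHashMap<>();
    private final ConcurrentHashMap<String, Integer> failures = new ConcurrentHashMap<>();
    private final ConcurrentHashMap<String, Long> lockedUntil = new ConcurrentHashMap<>();

    /** Stores "iterations:base64(salt):base64(hash)"; the clear-text password is never kept. */
    public void register(String user, char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);                                  // fresh random salt per user
        records.put(user, ITERATIONS + ":" + b64(salt) + ":" + b64(pbkdf2(password, salt, ITERATIONS)));
    }
    /** True only if the password matches and the account is not inside a backoff window. */
    public boolean login(String user, char[] password, long nowMs) throws Exception {
        if (nowMs < lockedUntil.getOrDefault(user, 0L)) return false; // still backing off
        String record = records.get(user);
        if (record == null) { noteFailure(user, nowMs); return false; }
        String[] parts = record.split(":");
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, Integer.parseInt(parts[0]));
        if (MessageDigest.isEqual(expected, actual)) {        // constant-time comparison
            failures.remove(user); lockedUntil.remove(user);  // success resets the backoff
            return true;
        }
        noteFailure(user, nowMs); return false;
    }
    // Exponential backoff: 1 s, 2 s, 4 s, ... doubling per failure, capped at MAX_DELAY_MS.
    private void noteFailure(String user, long nowMs) {
        int n = failures.merge(user, 1, Integer::sum);
        long delay = Math.min(MAX_DELAY_MS, BASE_DELAY_MS << Math.min(n - 1, 20));
        lockedUntil.put(user, nowMs + delay);
    }
    private static byte[] pbkdf2(char[] pw, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }
}
```

    Call `register` once per account and `login` with `System.currentTimeMillis()` as `nowMs`; a wrong password (or unknown user) returns false and doubles the wait before the next attempt is even checked.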
    Winston Gutkowski
    Bartender
    Posts: 10109
    Ulf Dittmer wrote: 1) Encrypt any sensitive data that is stored

    Absolutely.

    @Fawad: If you have some good techies in your shop (or who you can call on for advice), this can actually be done at the kernel level on some *xes (Debian springs to mind).

    Winston
    Diwas Pathak
    Greenhorn
    Posts: 2
    Hi Everybody,
    I don't know whether this is the exact place to post my question or not, but my problem is quite serious, so I hope to get some good answers from the experts. My question is as follows:
    Is there a way to check via Java/JSP whether my self-signed certificate is installed in my browser or not?

    Thanks in advance.