Does anyone know of a good book/tutorial to get started with Java security? Currently I have only a basic idea of things like SSL/digital signatures/keystores/classloaders/security managers/encryption/decryption/OAuth/OpenID etc. Basically what I know is what I studied during my engineering course. Apart from that I have browsed a little on how SSL and OAuth 2.0 work. But that is all.
I feel I should invest some more time into studying these things from scratch. Also, the feature I'm working on currently might need to use OAuth authentication, so knowing the basics beforehand will be helpful. It will also help me get a more comprehensive picture of the associated stuff.
So does someone have a book recommendation?
I'm considering buying the book "Java Security, 2nd Edition" by Scott Oaks, but it was written in 2001, so it doesn't cover things like OpenID, OAuth 1.0 and OAuth 2.0. I was still considering that book, because I thought that once I have a grasp of how the basic things work, other tutorials I see online will probably start making more sense. But does anyone know of a better book? Is there a book/tutorial you found really helpful?
A subject dear to my heart. I added lots of resources I found useful to the http://www.coderanch.com/how-to/java/SecurityFaq. If you work through the material linked under "general remarks" you should have a good overview of the Java-related stuff. Most importantly, start with the podcast by Bruce Schneier. There's little value in delving into specifics before you understand that security is a process, not one or more technologies. Also, security can't be "added" to a system later on (at least not without great cost), but needs to be an integral part of it from the beginning. And lastly, it's important to do a risk analysis of any system, so that likely attacks and their costs (both of guarding against them, and if they're successful) are known; only then can informed decisions be made on what needs to be protected, and how.
A somewhat newer book than the one you mention is "Core Security Patterns" from 2006. At 1000 pages it's pretty comprehensive (but keep its publication date in mind), though you will probably never finish reading it. I didn't :-)
I liked Schneier's "Secrets and Lies". While it's also dated by now (from 2004), it's about fundamentals, and thus more broadly applicable than technology-specific books. I recommend starting with that, and then picking up the language-specific material from the resources in the FAQ.