HackDig : Dig high-quality web security articles for hacker

How to Train Secure Java Developers

2015-04-29 00:10

secure-javaJava is one of the world’s most popular programming languages, with Java applications run on an estimated three billion devices. Unfortunately, this popularity is also responsible for its status as one of the most common sources of serious security vulnerabilities.

According to research by Kaspersky Lab, Java vulnerabilities were responsible for 50% of all cyber-attacks in 2013. The company identified 161 vulnerabilities over the course of the year, but just 51 of these vulnerabilities were published and publically recognised. Of those 161 issues, six were deemed to be critical in nature – and it was these six exploits that accounted for the majority of Java security breaches.

With so few of these vulnerabilities publically recognised, the importance of pro-active developer security training is especially important within Java development. Java developers need to be well-versed in the best practices of securing Java applications, and familiar with the idiosyncrasies of the language’s security.

Java Authentication and Authorisation Service (JAAS)

Authentication issues pose some of the most common threats to Java development. In order to reduce the problems associated with authentication, developers need to understand Java’s APIs, including the Java Authentication and Authorisation Service (or JAAS).

JAAS is a Java-specific security framework, designed to extend the security architecture of Java’s existing authentication processes. JAAS adds an authorisation process to determine the identity of any user attempting to run the Java code, in addition to the existing authentication system that verifies the code’s origin and digital signature.  This allows Java developers to improve security by ensuring that only privileged users can successfully execute the functions requested.

Mobile Development

Most Android development tools rely on the Android platform, with many Android applications making use of Java memory. Whilst Android applications are unlikely to fall victim to the same exact vulnerabilities as those faced by web applications, it’s still important for mobile application developers to be well-versed in the best practices of secure Java development – and vice versa.

Java Cryptography Architecture (JCE)

JCE is another API extension for the Java platform, designed to provide developers with a framework for encryption and key generation. It’s essential for Java developers to be comfortable and well-versed in the JCE API, especially given the platform’s particular need for effective password encryption.

Password Encryption

Secure management of user data should always be one of the primary concerns of a software developer. Given the popularity of Java’s browser plug-in, and its track-record for contributing to some of the biggest and most high-profile data thefts of recent years, this concern is amplified for Java developers.  

In addition to a developer’s familiarity with the JCE API, it’s essential for Java developers to be aware of the best practices of secure password encryption.  For example, Java’s authentication process makes it possible to avoid two-way encryption, and implement a more secure one-way encryption process. This minimises the likelihood of third-parties obtaining a user’s clear-text password. If this encryption process is then slowed down to the limits of an application’s tolerance, the likelihood of a significant brute-force attack can be minimised. biggest information security mistakes


Source: srepoleved-avaj-eruces-niart-ot-woh/golb/moc.eporuenoitavonniytiruces.www

Read:1886 | Comments:0 | Tags:No Tag

“How to Train Secure Java Developers”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud