Enterprise Java

Theft-Proof Java EE – Securing Your Java EE Enterprise Applications

holistic_security Øredev is just a couple of days away, and I was invited to give two presentations. One of them is about my favorite topic: Security and Java EE. It is designed to fulfill two goals. On the one side to introduce the typical Java EE developer to the overall application security process and main objectives. But also to look at the details about what Java EE has to offer when it comes to typical requirements. Those are two different things and the first has been addressed before in my presentation about “Developer Security Awareness“. This talk is meant to do a match between today’s security requirements and the features available in the platform as of the Java EE 7 release.

Securing Applications Isn’t Just About Secure Code

All the common attacks we’ve known about for a very long time are still out there, and people still regularly make mistakes regarding them. If you want to write secure Java EE code and use the technology securely, you’re on the right track. But there is a lot more to learn and know about securing your applications. There are also people and processes and how they best work together to build a suitable secure system. Derived from practice for use with everyday development such a system can make the Java EE space a little more secure.

Application Security Needs A Holistic Approach

To build a secure Java EE application, a holistic approach to application security is required and security must be applied at all layers and services. Even if everything else beside our own applications typically does not bother developers at all it becomes more important. Last but not least with the advent of DevOps. So, it doesn’t hurt to be at least aware of everything that is going on around us. Let’s start with the layer the farthest away. Secure applications rely on secure networks first of all. This includes everything from routeres, switches, firewalls or even application level firewalls. They need to be patched and correctly configured. Watch out for standard ports and passwords for admin consoles. Next is the operating system layer. Every part of your applications runs on a separate host eventually (Applicationserver, Database, Message Brokers), so you will have to watch out for latest patches and updates for all of them. But shared filesystems and possibly risky daemon processes are also something to watch out for. When you’re done with that it is time to look at the platform services. This is where the JDK base-install fits in but also the application-server. Check policy files and default passwords for remote connections and web-based admin consoles.

From Here On, Application Security Starts

When the infrastructure is taken care of, we can look into application security. And it is typically divided up into six components: Authentication, Authorization, Auditing, Confidentiality, Integrity, Availability. All those components prevent your system from being exploited. A threat is a potential event that may affect your system. An attack exploits a vulnerability in your system. And ultimately this is what we want to prevent. Always adhere to the best practices for designing secure applications:

  • Compartmentalize
  • Use least privilege
  • Apply defense in depth
  • Do not trust user input
  • heck at the gate
  • Fail securely
  • Secure the weakest link
  • Create secure defaults
  • Reduce your attack surface

Get Started With Java EE Security

Watch the full talk on Vimeo to learn what Java EE has to offer around application security. And make sure to provide feedback in the comments and let me know, if there is anything else, you’d like me to talk about in the future.

Further Reading

Markus Eisele

Markus is a Developer Advocate at Red Hat and focuses on JBoss Middleware. He is working with Java EE servers from different vendors since more than 14 years and talks about his favorite topics around Java EE on conferences all over the world. He has been a principle consultant and worked with different customers on all kinds of Java EE related applications and solutions. Beside that he has always been a prolific blogger, writer and tech editor for different Java EE related books. He is an active member of the German DOAG e.V. and it's representative on the iJUG e.V. As a Java Champion and former ACE Director he is well known in the community. Follow him on Twitter @myfear.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Back to top button