4 replies
kriskleva
Joined: 08/06/2009

As a Java user, what secure coding concepts / exploits are you most interested in learning about?

- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- SQL Injection
- Parameter Manipulation
- HTTP Response Splitting
- Other Types of input attacks (null character injection, LDAP injection, OS injection, Log injection, directory traversal, XML injection, Buffer overflows)

dleland
Joined: 07/17/2009
RE: TechMaine - Java User Group (MaineJUG) - Secure Coding In Ja

The first three on the list would be of the most interest to me.
Thanks for asking.
Doug.

-----Original Message-----
From: kriskleva [mailto:admin@techmaine.com]
Sent: Wednesday, August 19, 2009 9:35 AM
To: Doug Leland
Subject: TechMaine - Java User Group (MaineJUG) - Secure Coding In Java/JEE

kriskleva
Joined: 08/06/2009
CWE/SANS TOP 25 Most Dangerous Programming Errors

An impressive list of experts from Purdue University, University of California, Symantec Corporation, Microsoft, Oracle Corporation, Red Hat Inc., Fortify Software, and the National Security Agency (NSA) Information Assurance Division announced agreement on the 25 Most Dangerous Programming Errors

.... And How to Fix Them!

Should this change how organizations develop Java software?

More information can be obtained from Bob Martin, MITRE top25@sans.org

What errors are included in the top 25?

They are listed below in three categories:
* Insecure Interaction Between Components (9 errors)
* Risky Resource Management (9 errors)
* Porous Defenses (7 errors)

The MITRE CWE web site provides the following information regarding each error.

Exploit Summary
This includes the weakness prevalence, remediation cost, attack frequency, attacker awareness, consequences and ease of detection.

Prevention and Mitigation
Includes information regarding architecture and design, requirements, implementation and testing.

Related CWEs and related attack patterns

Out of the top 25 errors what are you the most interested in learning about?

Insecure Interaction Between Components (9 errors)
CWE-20: Improper Input Validation
CWE-116: Improper Encoding or Escaping of Output
CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
CWE-319: Cleartext Transmission of Sensitive Information
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-362: Race Condition
CWE-209: Error Message Information Leak

Risky Resource Management (9 errors)
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-642: External Control of Critical State Data
CWE-73: External Control of File Name or Path
CWE-426: Untrusted Search Path
CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
CWE-494: Download of Code Without Integrity Check
CWE-404: Improper Resource Shutdown or Release
CWE-665: Improper Initialization
CWE-682: Incorrect Calculation

Porous Defenses (7 errors)
CWE-285: Improper Access Control (Authorization)
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-259: Hard-Coded Password
CWE-732: Insecure Permission Assignment for Critical Resource
CWE-330: Use of Insufficiently Random Values
CWE-250: Execution with Unnecessary Privileges
CWE-602: Client-Side Enforcement of Server-Side Security
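Three of the entries above (CWE-89, CWE-79/CWE-116 and CWE-352, with CWE-330 behind the token generation) are the ones Java web developers hit most often, so here is an added example of what fixing them looks like in plain Java. This code is not from the thread or from the MaineJUG presentation; the `users`/`name`/`email` table and columns, the `SecureCodingDemo` class name and the sample payload are assumptions constructed for illustration. It needs only the JDK; the JDBC method compiles without a driver but, of course, only runs against a real `Connection`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;

public class SecureCodingDemo {

    // CWE-89: never build SQL by concatenating user input.
    // Vulnerable form, shown only for contrast:
    //   "SELECT email FROM users WHERE name = '" + name + "'"
    // with name = "' OR '1'='1" returns every row.
    // Hardened form: bind the value, so the query structure is fixed before
    // the input is ever seen. (Table and column names are assumed.)
    static String findUserEmail(Connection conn, String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name); // bound as data; cannot alter the statement
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    // CWE-116 / CWE-79: encode untrusted data for the HTML body context
    // before writing it into the page. Encode at output time, per context;
    // input validation alone does not stop XSS.
    static String encodeForHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // CWE-352 / CWE-330: a per-session anti-CSRF token must come from a
    // CSPRNG (SecureRandom), not java.util.Random or a timestamp.
    private static final SecureRandom RNG = new SecureRandom();

    static String newCsrfToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Compare in constant time so the check does not leak how many leading
    // bytes of the guess were right.
    static boolean csrfTokenValid(String expected, String submitted) {
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample input: a classic reflected-XSS payload.
        String payload = "<script>alert('xss')</script>";
        System.out.println(encodeForHtml(payload));

        // Token goes in the session and in a hidden form field; the server
        // accepts the POST only if both match.
        String token = newCsrfToken();
        System.out.println(csrfTokenValid(token, token));
        System.out.println(csrfTokenValid(token, "forged-token"));
    }
}
```

The SQL and HTML fixes share one idea: decide the structure of the output (the query, the page) first, then insert untrusted data through an API that cannot change that structure. The encoder above covers the HTML body context only; attribute, JavaScript and URL contexts each need their own encoding rules.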

dhartford
Joined: 01/09/2009
Practical JAAS, and other

Practical JAAS, and other alternatives for Authentication/Authorization/ACL.

Effective detection/identification techniques for weaknesses that cannot be detected through automation tools (correct authorization to certain areas, such as Directory Traversal, across things like REST/AJAX/etc.).

Basic DoS or memory/resource starvation detection and prevention techniques for web applications and SOA services (SOAP, REST, etc).

dhartford
Joined: 01/09/2009
Code signing

What are the real gains/downsides to jar signing, byte code obfuscation, etc.?