All geek questions in one place

Web Application Protection

What steps can be taken to make sure that a web application using Hibernate, Spring, and JSF is safe? What vulnerabilities can exist and what security frameworks, if any, are standard?

+4
source share
3 answers

Security is not solved only with the help of a framework. It requires a lot of education, understanding, creativity and risk assessment to avoid mistakes.

Start by reading these urls

And you definitely need to speed up work on the most common vulnerabilities, etc. An introduction to security, including the article "Without a silver bullet."

+3
source

A good set of practices noted by Joel Kochorn and a number of others, answering a similar question here :

  • This is a lot to digest, but the OWASP development guide covers the top-down security website
  • Know about SQL injection and how to prevent it
  • Never trust user input (cookies are also counted as user input)
  • Encrypt Hash and salt passwords, rather than save them as plain text.
  • Do not try to come up with your own authentication system: it is such an easy thing to get - wrong in subtle and untested ways, and you donโ€™t even know it until you are hacked.
  • Know the rules for processing credit cards. See also this question:
  • Payment processors. What do I need to know if I want to accept credit cards on my website?
  • Use SSL / HTTPS to log in and any pages that enter sensitive data (for example, credit card information)
  • How to counter session capture
  • Avoid Cross Site Scripting (XSS)
  • Avoid Bogus Fakes (XSRF)
  • Update your system with the latest fixes
  • Verify that the database connection information is secure.
  • Stay tuned for the latest attack techniques and platform vulnerabilities.
  • Read the Google Browser Security Guide.
+2
source

I agree with the other answers that there is no silver bullet for security or a simple structure that you just plug in, and tada, you enable security. Browse the OWASP site, which is an excellent resource for learning security.

And a complete understanding of security (rather than security delegation for frameworks) will ultimately make your application more secure. For example, JSF prevents most (if not all?) Attacks of the XSS type by default, but you can override this function, perhaps without realizing the security implications, and suddenly your JSF code opens.

Since no one mentioned this, static code analysis can help. Check out things like Findbugs, PMD, and checkstyle among others for easy and free code analysis. Or go to something more difficult, like Fortify , which is designed specifically to detect security vulnerabilities in your application.

+2
source

Source: https://habr.com/ru/post/1307166/

More articles:


All Articles