Secure Java For Web Application Development
Books on Software and Systems Development and Engineering from Auerbach Publications and CRC Press

CAD and GIS Integration, by Hassan A. Karimi and Burcu Akinci. ISBN: 978-1-4200-6805-4
Applied Software Product-Line Engineering, by Kyo C. Kang, Vijayan Sugumaran, and Sooyong Park, eds. ISBN: 978-1-4200-6841-2
Enterprise-Scale Agile Software Development, by James Schiel. ISBN: 978-1-4398-0321-9
Handbook of Enterprise Integration, by Mostafa Hashem Sherif, ed. ISBN: 978-1-4200-7821-3
Architecture and Principles of Systems Engineering, by Charles Dickerson, Dimitri N. Mavris, Paul R. Garvey, and Brian E. White. ISBN: 978-1-4200-7253-2
Theory of Science and Technology Transfer and Applications, by Sifeng Liu, Zhigeng Fang, Hongxing Shi, and Benhai Guo. ISBN: 978-1-4200-8741-3
The SIM Guide to Enterprise Architecture, by Leon Kappelman, ed. ISBN: 978-1-4398-1113-9
Getting Design Right: A Systems Approach, by Peter L. Jackson. ISBN: 978-1-4398-1115-3
Software Testing as a Service, by Ashfaque Ahmed. ISBN: 978-1-4200-9956-0
Grey Game Theory and Its Applications in Economic Decision-Making, by Zhigeng Fang, Sifeng Liu, Hongxing Shi, and Yi Lin. ISBN: 978-1-4200-8739-0
Quality Assurance of Agent-Based and Self-Managed Systems, by Reiner Dumke, Steffen Mencke, and Cornelius Wille. ISBN: 978-1-4398-1266-2
Modeling Software Behavior: A Craftsman's Approach, by Paul C. Jorgensen. ISBN: 978-1-4200-8075-9
Design and Implementation of Data Mining Tools, by Bhavani Thuraisingham, Latifur Khan, Mamoun Awad, and Lei Wang. ISBN: 978-1-4200-4590-1
Model-Oriented Systems Engineering Science: A Unifying Framework for Traditional and Complex Systems, by Duane W. Hybertson. ISBN: 978-1-4200-7251-8
Requirements Engineering for Software and Systems, by Phillip A. Laplante. ISBN: 978-1-4200-6467-4
Software Testing and Continuous Quality Improvement, Third Edition, by William E. Lewis. ISBN: 978-1-4200-8073-5
Systemic Yoyos: Some Impacts of the Second Dimension, by Yi Lin. ISBN: 978-1-4200-8820-5
Architecting Secure Software Systems, by Asoke K. Talukder and Manish Chaitanya. ISBN: 978-1-4200-8784-0
Delivering Successful Projects with TSP(SM) and Six Sigma: A Practical Guide to Implementing Team Software Process(SM), by Mukesh Jain. ISBN: 978-1-4200-6143-7
Secure Java For Web Application Development Abhay Bhargav and B.V. Kumar
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2011 by Taylor and Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1

International Standard Book Number-13: 978-1-4398-2356-9 (Ebook-PDF)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com
v Contents Foreword ...........................................................................................................................xvii Preface ................................................................................................................................xix Acknowledgments .......................................................................................................... xxiii About the Authors ............................................................................................................. xxv ISeCtIon oVeRVIeW 1 The Internet Phenomenon ............................................................................................3 1.1 Evolution of the Internet and the World Wide Web ................................................ 3 1.1.1 Mainframe Era ........................................................................................... 3 1.1.1.1 Initial Mainframe Systems .......................................................... 3 1.1.1.2 Mainframe Systems Today.......................................................... 5 1.1.2 Client/Server Era ........................................................................................ 5 1.1.2.1 Server ......................................................................................... 5 1.1.2.2 Client ......................................................................................... 5 1.1.2.3 Client/Server Architecture .......................................................... 6 1.1.3 Distributed Computing Architecture.......................................................... 6 1.1.3.1 Remote Procedure Call ............................................................... 7 1.1.3.2 Messaging ................................................................................... 8 1.1.4 Internet and World Wide Web Era ............................................................. 
8 1.1.4.1 B2B E-Commerce .....................................................................10 1.1.4.2 B2C E-Commerce .....................................................................10 1.1.5 Problems with Web Architecture ...............................................................10 1.2 Web Applications and Internet ...............................................................................11 1.3 Role and Significance of Java Technology in Web Applications ..............................11 1.3.1 Applets ..................................................................................................... 12 1.3.2 Java Servlet ............................................................................................... 12 1.3.3 JavaServer Pages Technology .....................................................................13 1.3.4 JavaServer Pages Standard Tag Library ......................................................13 1.3.5 JavaServer Faces Technology......................................................................13 1.3.6 Java Message Service ..................................................................................14 1.3.7 JavaMail API and the JavaBeans Activation Framework ............................14 1.3.8 Java Naming and Directory Interface ........................................................14
📄 Page
7
vi ◾ Contents 1.3.9 Miscellaneous ............................................................................................14 1.4 Security in Java Web Applications ..........................................................................15 1.5 Summary ................................................................................................................16 2 Introducing Information Security ..............................................................................19 2.1 Information Security: The Need of the Hour .........................................................19 2.1.1 The Need for Information Security ............................................................19 2.1.1.1 Internet ..................................................................................... 20 2.1.1.2 Hackers and Their Backers ....................................................... 20 2.1.1.3 Digitization ...............................................................................21 2.1.1.4 Legal and Compliance Requirements ........................................21 2.1.2 The Motivation for Security ...................................................................... 22 2.1.2.1 Reputation ................................................................................ 22 2.1.2.2 Business Value .......................................................................... 22 2.1.2.3 Financial Impact ....................................................................... 23 2.1.2.4 Legal and Compliance .............................................................. 23 2.2 Some Basic Security Concepts ............................................................................... 24 2.2.1 The Pillars of Security—The CIA Triad .................................................... 24 2.2.1.1 Confidentiality ......................................................................... 
24 2.2.1.2 Integrity .....................................................................................25 2.2.1.3 Availability ................................................................................25 2.2.2 Risk 101 ....................................................................................................25 2.2.2.1 Vulnerability ............................................................................. 26 2.2.2.2 Threat ....................................................................................... 26 2.2.2.3 Risk .......................................................................................... 26 2.2.3 Defense-in-Depth ..................................................................................... 27 2.2.3.1 Network Security ..................................................................... 27 2.2.3.2 Host Security ............................................................................ 28 2.2.3.3 Application Security ................................................................. 29 2.2.3.4 Physical Security ....................................................................... 29 2.3 Internet Security Incidents and Their Evolution .................................................... 30 2.3.1 The 1970s ..................................................................................................31 2.3.2 The 1980s ..................................................................................................31 2.3.3 The 1990s ................................................................................................. 32 2.3.4 The 2000s–Present Day ............................................................................ 32 2.4 Security—Myths and Realities ...............................................................................33 2.4.1 There Is No Insider Threat ........................................................................ 
34 2.4.2 Hacking Is Really Difficult ....................................................................... 34 2.4.3 Geographic Location Is Hacker-Proof........................................................35 2.4.4 One Device Protects against All ................................................................35 2.5 Summary ............................................................................................................... 36 3 Introducing Web Application Security ......................................................................37 3.1 Web Applications in the Enterprise ....................................................................... 37 3.1.1 What Is a Web Application? ..................................................................... 37 3.1.2 Ubiquity of Web Applications .................................................................. 38 3.1.3 Web Application Technologies ................................................................. 39
📄 Page
8
Contents ◾ vii 3.1.4 Java as Mainstream Web Application Technology .................................... 39 3.2 Why Web Application Security? ............................................................................ 39 3.2.1 A Glimpse into Organizational Information Security ............................... 40 3.2.1.1 Physical Security ....................................................................... 40 3.2.1.2 Network Security ..................................................................... 40 3.2.1.3 Host Security .............................................................................41 3.2.1.4 Application Security ................................................................. 42 3.2.2 The Need for Web Application Security ................................................... 43 3.2.2.1 Ubiquity of Web Applications in the Enterprise Scenario ......... 43 3.2.2.2 Web Application Development Diversity .................................. 44 3.2.2.3 Cost Savings ............................................................................. 44 3.2.2.4 Reputation and Customer Protection ........................................45 3.3 Web Application Incidents .................................................................................... 46 3.4 Web Application Security—The Challenges .......................................................... 48 3.4.1 Client-Side Control and Trust .................................................................. 49 3.4.2 Pangs of the Creator ................................................................................. 50 3.4.3 Flawed Application Development Life Cycle ............................................ 
50 3.4.4 Awareness ..................................................................................................52 3.4.5 Legacy Code ..............................................................................................52 3.4.6 Business Case Issues ..................................................................................53 3.5 Summary ................................................................................................................53 4 Web Application Security—A Case Study ..................................................................55 4.1 The Business Need—An E-Commerce Application ................................................55 4.1.1 The Company ............................................................................................55 4.1.1.1 Proprietary Solution ................................................................. 56 4.1.1.2 Vendor Lock-In ........................................................................ 56 4.1.1.3 Security Vulnerabilities ............................................................. 56 4.1.1.4 Lack of Support for Security Compliance ................................. 56 4.1.1.5 Integration Issues ...................................................................... 56 4.1.1.6 Capacity Issues ..........................................................................57 4.1.2 The Existing Application Environment ......................................................57 4.1.2.1 Web Server ................................................................................57 4.1.2.2 Database Server ........................................................................ 58 4.1.2.3 Email and Messaging Server ..................................................... 58 4.1.3 Importance of Security ............................................................................. 58 4.1.3.1 Security Incidents ..................................................................... 
58 4.1.3.2 Security Compliance and Regulation ........................................59 4.1.4 Panthera’s Plan for Information Security ...................................................59 4.1.4.1 Physical Security ........................................................................59 4.1.4.2 Network Security ..................................................................... 60 4.1.4.3 Host Security ............................................................................ 60 4.1.4.4 Application Security ..................................................................61 4.2 Outlining the Application Requirements ................................................................61 4.2.1 The Request for Proposal ...........................................................................61 4.2.1.1 Purpose......................................................................................61 4.2.1.2 Users ..........................................................................................61
📄 Page
9
viii ◾ Contents 4.2.1.3 Communication Interfaces ........................................................61 4.2.1.4 Security Requirements in the Request for Proposal .................. 63 4.3 An Overview of the Application Development Process .......................................... 63 4.3.1 The Application Development Process ...................................................... 63 4.3.1.1 Detailed Application Requirements .......................................... 63 4.3.1.2 Application Design ....................................................................65 4.3.1.3 Application Development ..........................................................65 4.3.1.4 White- and Black-Box Testing ...................................................65 4.3.1.5 User Acceptance Testing ........................................................... 66 4.3.1.6 Deployment .............................................................................. 66 4.4 Summary ................................................................................................................67 ISeCtIon I FoUnDAtIonS oF A SeCURe JAVA WeB APPLICAtIon 5 Insights into Web Application Security Risk .............................................................71 5.1 The Need for Web Application Security Risk Management ................................... 71 5.1.1 Risk Management .................................................................................... 72 5.1.1.1 Risk Assessment ........................................................................ 72 5.1.1.2 Risk Mitigation ........................................................................ 72 5.1.1.3 Continuous Evaluation ............................................................. 72 5.1.2 The Benefits of Risk Management for Web Applications .......................... 73 5.1.2.1 Clarity on Security Functionality ............................................. 
73 5.1.2.2 Software Development Life Cycle ............................................. 75 5.1.2.3 Compliance .............................................................................. 75 5.1.2.4 Cost Savings ..............................................................................76 5.1.2.5 Security Awareness ....................................................................76 5.1.2.6 Facilitates Security Testing ....................................................... 77 5.1.3 Overview of the Risk Assessment Phase .................................................... 77 5.2 System Characterization Process—Risk Assessment .............................................. 78 5.2.1 An Overview of the System Characterization Process ............................... 78 5.2.2 Identifying Critical Information Assets ...................................................... 79 5.2.2.1 Developing a List of Critical Information Assets ...................... 80 5.2.3 User Roles and Access to Critical Information Assets ................................81 5.2.4 Understanding Basic Application Architecture ......................................... 82 5.2.4.1 Deployment Topology .............................................................. 82 5.2.4.2 System Interfaces ...................................................................... 82 5.3 Developing Security Policies for the Web Application ........................................... 83 5.3.1 A Broad Overview of Security Policies for the Web Application ............... 83 5.3.1.1 Financial Risk and Impact ........................................................ 83 5.3.1.2 Regulatory and Compliance ..................................................... 84 5.3.1.3 Contractual Obligations ........................................................... 84 5.3.1.4 Reputation and Goodwill ......................................................... 
84 5.3.2 Security Compliance and Web Application Security ................................ 84 5.3.2.1 PCI-DSS....................................................................................85 5.3.2.2 PA-DSS .................................................................................... 86 5.3.2.3 SOX .......................................................................................... 87 5.3.2.4 HIPAA ..................................................................................... 88
📄 Page
10
Contents ◾ ix 5.3.2.5 GLBA ....................................................................................... 89 5.4 Threat Analysis ...................................................................................................... 89 5.4.1 Understanding and Categorizing Security Vulnerabilities ........................ 89 5.4.1.1 Design Vulnerabilities .............................................................. 90 5.4.1.2 Development Vulnerabilities ......................................................91 5.4.1.3 Configuration Vulnerabilities ....................................................91 5.4.2 Common Web Application Vulnerabilities ................................................91 5.4.2.1 Cross-Site Scripting .................................................................. 92 5.4.2.2 SQL Injection ........................................................................... 95 5.4.2.3 Malicious File Execution .......................................................... 96 5.4.2.4 Cross-Site Request Forgery ....................................................... 97 5.4.2.5 Cryptographic Flaws ................................................................. 97 5.4.2.6 Flawed Error Handling and Information Disclosure ................ 98 5.4.2.7 Authentication and Session Management Flaws ....................... 99 5.4.2.8 Unrestricted URL Access ....................................................... 100 5.4.3 Basic Understanding of Threats and Associated Concepts ...................... 
100 5.4.3.1 Threat Actor ............................................................................101 5.4.3.2 Threat Motive ..........................................................................101 5.4.3.3 Threat Access ...........................................................................101 5.4.3.4 Threat Outcome ......................................................................102 5.4.4 Threat Profiling and Threat Modeling .....................................................102 5.4.4.1 Threat Profiling .......................................................................103 5.4.4.2 Threat Modeling ......................................................................104 5.5 Risk Mitigation Strategy—Formulation of Detailed Security Requirements for the Web Application .......................................................................................104 5.6 Risk Assessment for an Existing Web Application ................................................107 5.7 Summary ..............................................................................................................107 6 Risk Assessment for the Typical E-Commerce Web Application .............................109 6.1 System Characterization of Panthera’s E-Commerce Application .........................109 6.1.1 Identification of Critical Information Assets ............................................109 6.1.2 Practical Techniques to Identify Critical Information Assets ...................109 6.1.3 Identified Critical Information Assets for Panthera’s Web Application ....110 6.1.3.1 Customer Credit Card Information .........................................111 6.1.3.2 Customer Information .............................................................111 6.1.3.3 Gift Card Information .............................................................112 6.1.3.4 Stock/Inventory Information ...................................................112 6.1.4 User Roles and Access to Critical 
Information Assets ..............................112 6.1.5 Application Deployment Architecture and Environment .........................113 6.1.5.1 Network Diagram of the Deployment Environment ...............113 6.1.5.2 Application Architecture Overview .........................................113 6.2 Security Policies for the Web Application and Requirements ................................ 115 6.2.1 Panthera’s Security Policies ......................................................................116 6.2.1.1 Critical Information Assets ......................................................116 6.2.1.2 Financial Impact ......................................................................117 6.2.1.3 Security Compliance and Regulations .....................................117 6.3 Threat Analysis .....................................................................................................117
📄 Page
11
x ◾ Contents 6.3.1 Threat Profiling .......................................................................................117 6.3.2 Threat Modeling ..................................................................................... 120 6.4 Risk Mitigation Strategy—Formulation of Detailed Security Features for Panthera’s E-Commerce Application ................................................................... 120 6.4.1 Authentication and Authorization .......................................................... 120 6.4.1.1 Role-Based Access Control ......................................................121 6.4.1.2 Password Management and Policy .......................................... 123 6.4.1.3 Session Management .............................................................. 124 6.4.1.4 Storage of User Credentials ..................................................... 124 6.4.1.5 Other Measures ...................................................................... 124 6.4.2 Cryptographic Implementation for Panthera’s E-Commerce Application ..............................................................................................125 6.4.2.1 Encryption for Data at Rest .....................................................125 6.4.2.2 Encryption for Data in Transit ............................................... 126 6.4.2.3 Encryption Key Management ................................................. 126 6.4.3 Logging .................................................................................................. 126 6.4.4 Secure Coding Practices ......................................................................... 127 6.4.4.1 Input Validation and Output Encoding .................................. 128 6.4.4.2 Secure Database Access .......................................................... 128 6.4.4.3 Error Handling ....................................................................... 
128 6.5 Summary ............................................................................................................. 128 IISeCtIon I BUILDInG A SeCURe JAVA WeB APPLICAtIon 7 Developing a Bulletproof Access Control System for a Java Web Application .........131 7.1 Overview of Access Control Systems ....................................................................131 7.1.1 A Brief History/Evolution of Access Control Mechanisms .......................131 7.1.2 An Overview of Access Control ...............................................................132 7.1.2.1 Authentication .........................................................................132 7.1.2.2 Authorization ..........................................................................133 7.1.2.3 Accountability ........................................................................ 134 7.1.3 Access Control Models ........................................................................... 134 7.1.3.1 Discretionary Access Control ................................................. 134 7.1.3.2 Mandatory Access Control ..................................................... 134 7.1.3.3 Role-Based Access Control ......................................................135 7.2 Developing a Robust Access Control System for Web Applications ......................135 7.2.1 Attacks against Web Application Access Control .....................................135 7.2.1.1 Session Hijacking ................................................................... 136 7.2.1.2 Cross-Site Request Forgery ..................................................... 136 7.2.1.3 Session Fixation ...................................................................... 
136 7.2.1.4 Man-in-the-Middle .................................................................137 7.2.1.5 Forceful Browsing ....................................................................137 7.2.2 User Credentials—Usernames and Passwords .........................................137 7.2.3 Session—Maintaining a Secure State for Web Applications ....................140 7.2.4 Authorization—Effective Authorization for a Web Application ...............142 7.2.5 Other Best Practices ................................................................................142 7.3 Security Compliance and Web Application Access Control ..................................143
📄 Page
12
Contents ◾ xi
7.3.1 PCI-DSS .... 143
7.3.1.1 Requirement 7: Restrict Access to Cardholder Information by Business Need-to-Know .... 143
7.3.1.2 Requirement 8: Assign a Unique ID to Each Person with Computer Access .... 143
7.4 Implementing a Secure Authentication and Authorization System for a Java Web Application .... 145
7.4.1 Java Security Overview .... 145
7.4.2 Java Authentication and Authorization Services .... 146
7.4.3 JAAS Core .... 147
7.4.3.1 Common Classes .... 147
7.4.3.2 Authentication Classes and Interfaces .... 150
7.4.3.3 Authorization Classes and Interfaces .... 152
7.4.4 Process of Authentication .... 153
7.4.5 Process of Authorization .... 153
7.4.5.1 Privileged Block of Code for Authorized Subject: doAsPrivileged() .... 154
7.5 Summary .... 155
8 Application Data Protection Techniques .... 157
8.1 Overview of Cryptography .... 157
8.1.1 Evolution of Cryptography .... 157
8.1.2 Cryptography—Terminology and Definitions .... 158
8.1.2.1 Encryption and Decryption .... 159
8.1.2.2 Cryptosystem .... 160
8.1.2.3 Key and Keyspace .... 160
8.1.2.4 Substitution and Transposition .... 160
8.1.2.5 Initialization Vector .... 160
8.1.2.6 One-Way Hash Functions .... 161
8.1.2.7 MAC/HMAC .... 162
8.1.3 Symmetric and Asymmetric Cryptography .... 162
8.1.4 Block Ciphers and Stream Ciphers .... 165
8.1.5 Block Cipher Modes of Encryption .... 165
8.1.5.1 Electronic Code Book (ECB) .... 165
8.1.5.2 Cipher Block Chaining .... 166
8.1.5.3 Cipher Feedback .... 167
8.1.5.4 Output Feedback .... 167
8.1.5.5 Counter .... 168
8.1.6 Crypto Attacks .... 168
8.1.6.1 Brute-Force Attack .... 169
8.1.6.2 Known Plaintext .... 169
8.1.6.3 Ciphertext Only .... 169
8.1.6.4 Chosen Plaintext and Chosen Ciphertext .... 170
8.1.6.5 Meet-in-the-Middle Attack .... 170
8.1.6.6 Side-Channel Attacks .... 171
8.1.6.7 Linear and Differential Cryptanalysis .... 171
8.1.6.8 Birthday Attack .... 171
8.2 Crypto Implementation for Web Applications .... 171
8.2.1 Data Protection with Cryptography—A Primer .... 171
8.2.1.1 Necessity for Storage of Data .... 172
8.2.1.2 Varied Data Protection Techniques .... 172
8.2.2 A Study of Encryption Algorithms and Hashing Functions .... 173
8.2.2.1 DES/Triple DES .... 173
8.2.2.2 AES .... 174
8.2.2.3 Blowfish .... 174
8.2.2.4 RC4 .... 174
8.2.2.5 RSA .... 175
8.2.2.6 MD5 .... 175
8.2.2.7 SHA .... 176
8.2.3 Implementation Implications of Encryption in Web Applications .... 176
8.2.3.1 Homegrown Crypto .... 176
8.2.3.2 Weak Ciphers .... 177
8.2.3.3 Insecure Implementation of Strong Ciphers .... 177
8.2.3.4 Weak or Nonexistent Transport Layer Security .... 177
8.2.4 Key Management—Principles and Practical Implementation .... 178
8.2.4.1 General Guidelines for Key Usage .... 178
8.2.4.2 Generation of Keys .... 179
8.2.4.3 Storage of Keys .... 179
8.2.4.4 Period of Key Usage .... 180
8.2.4.5 Revocation of Keys .... 180
8.2.5 Security Compliance and Cryptography .... 181
8.2.5.1 PCI Standards .... 181
8.2.5.2 SB-1386 .... 182
8.3 Java Implementation for Web Application Cryptography .... 182
8.3.1 Implementation Independence .... 183
8.3.2 Implementation Interoperability .... 183
8.3.3 Algorithm Extensibility and Independence .... 183
8.3.4 Architecture Details .... 184
8.3.4.1 Cryptographic Service Providers (CSP) .... 184
8.3.5 Core Classes, Interfaces, and Algorithms of JCA .... 185
8.3.5.1 The Provider and Security Classes .... 186
8.3.5.2 Engine Classes and Algorithms .... 186
8.3.5.3 Key Interfaces and Classes .... 191
8.4 Protection of Data in Transit .... 192
8.4.1 History of Secure Socket Layer/Transport Layer Security .... 192
8.4.1.1 The SSL/TLS Handshake Process .... 192
8.4.1.2 Implementation Best Practices for Secure Transmission—Web Applications .... 195
8.5 Java Secure Socket Extensions for Secure Data Transmissions .... 195
8.5.1 Features of the JSSE .... 196
8.5.2 Cryptography and JSSE .... 197
8.5.3 Core Classes and Interfaces of JSSE .... 197
8.5.3.1 SocketFactory and ServerSocketFactory Classes .... 197
8.5.3.2 SSLSocketFactory and SSLServerSocketFactory Classes .... 197
8.5.3.3 SSLSocket and SSLServerSocket Classes .... 198
8.5.3.4 The SSLEngine Class .... 199
8.5.4 Support Classes and Interfaces .... 200
8.5.4.1 SSLContext Class .... 200
8.5.4.2 TrustManager Interface .... 200
8.5.4.3 TrustManagerFactory Class .... 201
8.5.4.4 KeyManager Interface .... 201
8.5.4.5 KeyManagerFactory Class .... 201
8.6 Summary .... 201
9 Effective Application Monitoring: Security Logging for Web Applications .... 203
9.1 The Importance of Logging for Web Applications—A Primer .... 203
9.1.1 Overview of Logging and Log Management .... 203
9.1.2 Logging for Security—The Need of the Hour .... 204
9.1.3 Need for Web Application Security Logging .... 205
9.2 Developing a Security Logging Mechanism for a Web Application .... 206
9.2.1 The Constituents of a Web Application Security Log .... 206
9.2.1.1 Request and Response Information .... 206
9.2.1.2 Access Control Information .... 206
9.2.1.3 Administrative Actions .... 207
9.2.1.4 Errors and Exceptions .... 208
9.2.1.5 Access to Sensitive Information .... 208
9.2.2 Web Application Logging—Information to Be Logged .... 208
9.2.2.1 Username/IP Details .... 209
9.2.2.2 Timestamp .... 209
9.2.2.3 Type of Event .... 209
9.2.2.4 Success/Failure Indication .... 209
9.2.2.5 Name/Path of Affected Resource or Asset .... 209
9.2.3 Details to Be Omitted from Web Application Logs .... 210
9.2.4 Application Logging—Best Practices .... 210
9.2.4.1 Storage of Application Logs .... 210
9.2.4.2 Security for Application Logs .... 210
9.3 Security Compliance and Web Application Logging .... 211
9.4 Logging Implementation Using Java .... 212
9.4.1 Control Flow .... 212
9.4.2 The Core Classes and Interfaces .... 213
9.4.2.1 The Logger Class .... 213
9.4.2.2 The Level Class .... 213
9.4.2.3 The LogManager Class .... 214
9.4.2.4 The LogRecord Class .... 214
9.4.2.5 The Handler Class .... 214
9.4.2.6 The Formatter Class .... 214
9.5 Summary .... 215
10 Secure Coding Practices for Java Web Applications .... 217
10.1 Java Secure Coding Practices—An Overview .... 217
10.1.1 A Case for Secure Coding Practices .... 217
10.1.2 Java Secure Coding Practices—An Introduction .... 218
10.2 Input Validation and Output Encoding .... 218
10.2.1 The Need for Input Validation and Output Encoding .... 218
10.2.1.1 What Is Validation of Input? .... 218
10.2.1.2 Why Validate Input? .... 218
10.2.1.3 Output Encoding .... 219
10.2.2 User Input Validation for Java Web Applications .... 220
10.2.2.1 Success Factors for Input Validation .... 220
10.2.2.2 The Use of Regular Expressions .... 222
10.2.2.3 Whitelist vs. Blacklist Validation .... 222
10.2.3 Java Implementation for Input Validation and Output Encoding .... 224
10.2.3.1 Regex .... 224
10.2.3.2 StringEscapeUtils .... 224
10.2.3.3 URLEncode/URLDecode .... 225
10.3 Secure Database Queries .... 226
10.3.1 Need for Secure Database Access .... 226
10.3.1.1 Dynamic Use of Data to Construct SQL Query .... 227
10.3.1.2 Use of PreparedStatement for Parameterizing SQL Queries .... 228
10.3.1.3 Lack of Input Validation .... 228
10.3.1.4 Flawed Error Handling .... 228
10.4 Errors and Exceptions in Java .... 229
10.4.1 Relevance .... 229
10.4.2 Encapsulating Exception .... 229
10.4.3 Reason .... 229
10.4.4 Naming the Exceptions .... 230
10.4.5 Balancing the Catch .... 230
10.4.6 Using Finally .... 230
10.4.7 Throw Early and Catch Late .... 231
10.5 Summary .... 231
Section V: Testing Java Web Applications for Security
11 Security Testing for Web Applications .... 235
11.1 Overview of Security Testing for Web Applications .... 235
11.1.1 Security Testing for Web Applications—A Primer .... 235
11.1.1.1 Black-Box Testing .... 236
11.1.1.2 White-Box Testing .... 237
11.1.2 Need for Web Application Security Testing .... 237
11.1.2.1 Cost Savings .... 237
11.1.2.2 Reputation .... 237
11.1.3 Security Testing Web Applications—Some Basic Truths .... 238
11.1.3.1 Reliance on Automated Vulnerability Assessment Tools .... 238
11.1.3.2 Segregation of Duties .... 239
11.1.3.3 Knowledge of Testers .... 239
11.1.3.4 Defense-in-Depth for Security Testing .... 240
11.1.4 Integration of Security Testing into Web Application Risk Management .... 240
11.2 Designing an Effective Web Application Security Testing Practice .... 241
11.2.1 Approach to Web Application Security Testing .... 241
11.2.1.1 Risk Assessment—During Requirements and Design Phase .... 242
11.2.1.2 Code Overviews—During the Development Phase .... 243
11.2.1.3 Code Reviews—During the Development Phase .... 243
11.2.1.4 Vulnerability Assessment and Penetration Testing—During the Testing Phase .... 243
11.2.1.5 Configuration Management Testing—During Testing and Deployment .... 244
11.2.1.6 Change Management and Verification—During Maintenance .... 245
11.2.1.7 Periodic Health Checks—During Maintenance .... 245
11.2.2 Threat Models for Effective Security Testing .... 245
11.2.2.1 Basic Use Case .... 246
11.2.2.2 Alternative Flows .... 246
11.2.2.3 Threat Models .... 246
11.2.3 Web Application Security Testing—Critical Success Factors .... 247
11.2.3.1 Patch-n-Fix Approach vs. Secure SDLC .... 247
11.2.3.2 Testing Frequency .... 248
11.2.3.3 Documentation for Security .... 248
11.2.3.4 Testing Mix .... 248
11.2.4 Security Testing for Web Applications and Security Compliance .... 248
11.3 Summary .... 249
12 Practical Web Application Security Testing .... 251
12.1 Web Application Vulnerability Assessment and Penetration Testing .... 251
12.1.1 Approach to Practical Web Application Testing .... 251
12.1.2 Tools and Technologies for Practical Security Testing .... 252
12.1.2.1 Primary Tool—Web Application Proxy .... 252
12.1.2.2 Generic Security Assessment Tools .... 255
12.2 Practical Security Testing for Web Applications .... 256
12.2.1 Information Gathering and Enumeration .... 256
12.2.1.1 DNS and WHOIS Information Enumeration .... 256
12.2.1.2 Operating Environment and Services Enumeration .... 257
12.2.1.3 Spidering .... 258
12.2.1.4 Search Engine Reconnaissance .... 259
12.2.2 Testing Web Application for Access Control .... 261
12.2.2.1 Testing for Nonsecure Passwords .... 261
12.2.2.2 Testing for Transmission of Credentials over Encrypted Channel .... 261
12.2.2.3 Testing for Authentication Schema .... 262
12.2.2.4 Testing for Logout and Other Functionality .... 263
12.2.2.5 Testing for Weak or Nonsecure Session Identifiers .... 265
12.2.2.6 Testing for Session Fixation .... 265
12.2.2.7 Testing for Path Traversal .... 265
12.2.2.8 Testing for Client-Side Authorization Vulnerabilities .... 266
12.2.2.9 Testing for Flawed Business Logic Implementation for Authorization .... 266
12.2.2.10 Testing for Cross-Site Request Forgery .... 267
12.2.3 Testing Data Validation .... 267
12.2.3.1 Testing for Cross-Site Scripting Vulnerabilities .... 267
12.2.3.2 Testing for SQL Injection Vulnerabilities .... 270
12.3 Summary .... 271
Appendix A: Application Security Guidelines for the Payment Card Industry Standards (PCI-DSS and PA-DSS) .... 273
Index .... 275
Foreword

Information security is an important consideration for any enterprise today. An organization’s data is its lifeline, and it must remain secure against a multitude of threats. Concepts such as online banking, e-commerce, and social networking are no longer buzzwords, but have become integral to our daily lives. Enterprises have harnessed the power of Web applications and the cloud to bring about new ways of doing business and to reach out to clients around the world. However, as Sir Francis Bacon correctly observed, “Prosperity is not without its fears and distastes.” Though Web applications have brought tremendous dividends, they also leave companies vulnerable to attackers who continually seek to exploit vulnerable applications to gain access to sensitive financial data and user information. Successful attacks can cause a great deal of financial harm and embarrassment for an organization, making the creation of secure applications a high priority.

Secure Java: For Web Application Development by Abhay Bhargav of we45 Solutions and Dr. B.V. Kumar of Altius Inc. reflects the importance of security in a world where Web applications are rendered vulnerable due to a continuous onslaught of attacks. They give solid evidence as to why Web applications must be both secure and securely deployed, and how Web applications, developed and deployed using the Java platform, can be optimally secured. The book also offers sound insight into the security aspects of the application development process, with focused attention to crucial topics such as authentication, access control, cryptography, logging, and secure coding practices using the Java platform. Given that Java is the platform of choice for enterprise application development the world over, this book fills a much-needed gap by thoroughly and clearly outlining the security requirements of such a critical platform.

I strongly believe that this work will prove invaluable to a wide audience, including Java developers, architects, and students.

Kris Gopalakrishnan, CEO
Infosys Technologies Ltd.
Preface

Secure Java: For Web Application Development was the result of a casual discussion we were having on the state of Web application development and security for Web applications. Web application security had become one of the important watchwords in the industry, and its importance was rising in the world. As we ferreted through the Internet and other sources looking for information on Web application security for Java, we couldn’t find a comprehensive work that encapsulated security requirements for Web development with the Java programming environment. Most security books on Java usually focused on cryptography and access control, excluding critical aspects such as secure coding practices, logging, security compliance requirements, and Web application risk assessment, among others. We decided to focus our energies toward filling that void in the form of a book with useful information about how to build a secure Web application with Java. The first steps of this book were thus formed on an office whiteboard, where we first conceived a Table of Contents that would make the most sense for architects, developers, and security professionals.

Security of a Web application is best established when it is secure from its inception. In light of this fact, we decided to provide a comprehensive view of Web application security, which facilitates an effective understanding of the subject by detailing an application development process from its inception to a point where the application is tested for security.

USP—Unique Security Proposition

The book provides a comprehensive insight into secure Web application development right from its inception to its development and testing process. This book is the only one of its kind to cover important concepts such as Web application security risk assessment, threat modeling, and integration of these concepts into a secure SDLC process to develop a secure Web application from its inception.

We believe that Web application security concepts and practices are best assimilated by quoting appropriate anecdotes and case studies during the course of different aspects of Web application security. Accordingly, we have included a few anecdotes and incidents related to several aspects of Web application security. We have also included a case study of a hypothetical e-commerce company that is facing Web application security challenges. We believe that this approach provides for a practical viewpoint of building security into the Web application.

We have packed this book with detailed implementation guidance and best practices for authentication and authorization, access control, cryptography, logging, and secure coding practices for Web application development. We have also discussed some of the latest and greatest application