Most security books on Java focus on cryptography and access control, but exclude key aspects such as coding practices, logging, and web application risk assessment. Encapsulating security requirements for web development with the Java programming platform, "Secure Java: For Web Application Development" covers secure programming, risk assessment, and threat modeling—explaining how to integrate these practices into a secure software development life cycle.
From the risk assessment phase to the proof of concept phase, the book details a secure web application development process. The authors provide in-depth implementation guidance and best practices for access control, cryptography, logging, secure coding, and authentication and authorization in web application development. Discussing the latest application exploits and vulnerabilities, they examine various options and protection mechanisms for securing web applications against these multifarious threats. The book is organized into four sections:
Provides a clear view of the growing footprint of web applications
Explores the foundations of secure web application development and the risk management process
Delves into tactical web application security development with Java EE
Deals extensively with security testing of web applications
This complete reference includes a case study of an e-commerce company facing web application security challenges, as well as specific techniques for testing the security of web applications. Highlighting state-of-the-art tools for web application security testing, it supplies valuable insight on how to meet important security compliance requirements, including PCI-DSS, PA-DSS, HIPAA, and GLBA. The book also includes an appendix that covers the application security guidelines for the payment card industry standards.
Review By: Scott Brookhart 07/08/2011
Not many developers understand web application security with Java development as well as they should. This book does a great job of not only introducing security with essential concepts but also looking at specific Java practices and examples.
There are many terms and concepts within security that are important to understand before getting underway with secure development. Developers also need to understand how to implement these concepts. This book references the Open Web Application Security Project (www.owasp.org), an important site for developers where effective practices are constantly being updated.
The writing style is quite effective and easy for the reader to follow, though I would have liked to have seen more code samples using these concepts. Developers from other environments, such as .NET or PHP, will learn from the book’s concepts and practices but will need specific library examples for their environments.
This book really explains the core of security development. There is even a section on attack types that helps the developer understand how to think more like a hacker when developing. Additionally, the appendix references PCI compliance (credit card) coding concepts and how they can be implemented.
Overall, I liked this book and found it to be quite helpful with explaining secure coding practices, web application security, secure testing, and essential security concepts. There is a strong need for Java developers to understand security in a way that makes them more effective, and this book definitely supports that pursuit. I would recommend this book both to Java developers with little or no experience with secure coding practices and to Java developers who could use a refresher in secure coding.