{"id":50550,"date":"2018-02-17T16:17:56","date_gmt":"2018-02-17T10:47:56","guid":{"rendered":"https:\/\/asha24.com\/blog\/?p=50550"},"modified":"2023-02-04T09:24:10","modified_gmt":"2023-02-04T03:54:10","slug":"best-java-secure-coding-standards","status":"publish","type":"post","link":"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/","title":{"rendered":"The Best Java Secure Coding Standards"},"content":{"rendered":"\n[et_pb_section bb_built=&#8221;1&#8243;][et_pb_row][et_pb_column type=&#8221;4_4&#8243;][et_pb_post_title _builder_version=&#8221;3.0.106&#8243; title=&#8221;on&#8221; meta=&#8221;off&#8221; author=&#8221;on&#8221; date=&#8221;on&#8221; categories=&#8221;on&#8221; comments=&#8221;on&#8221; featured_image=&#8221;off&#8221; featured_placement=&#8221;below&#8221; text_color=&#8221;dark&#8221; text_background=&#8221;off&#8221; title_font=&#8221;Titillium Web||||||||&#8221; title_font_size=&#8221;47&#8243; title_font_size_tablet=&#8221;40&#8243; title_font_size_phone=&#8221;35&#8243; title_font_size_last_edited=&#8221;on|desktop&#8221; title_text_color=&#8221;rgba(0,0,0,0.8)&#8221; title_text_align=&#8221;left&#8221; text_shadow_horizontal_length=&#8221;0.08em&#8221; text_shadow_vertical_length=&#8221;0.08em&#8221; text_shadow_blur_strength=&#8221;0.08em&#8221; title_text_shadow_horizontal_length=&#8221;0.08em&#8221; title_text_shadow_vertical_length=&#8221;0.08em&#8221; custom_margin=&#8221;|||10%&#8221; \/][\/et_pb_column][\/et_pb_row][et_pb_row][et_pb_column type=&#8221;4_4&#8243;][et_pb_text _builder_version=&#8221;3.0.106&#8243; background_layout=&#8221;light&#8221; text_font=&#8221;Titillium Web|300|||||||&#8221; text_font_size=&#8221;20&#8243; text_font_size_last_edited=&#8221;on|phone&#8221; text_text_color=&#8221;rgba(0,0,0,0.8)&#8221; text_line_height=&#8221;1.6em&#8221; max_width=&#8221;800px&#8221; custom_margin=&#8221;|||10%&#8221; text_line_height_last_edited=&#8221;off|phone&#8221; max_width_last_edited=&#8221;off|phone&#8221; custom_margin_last_edited=&#8221;off|desktop&#8221;]\r\n<ol>\r\n \t<li><strong> Input Validation<\/strong><\/li>\r\n<\/ol>\r\nInput validation is the process of validating the input to an application prior to use. Input validation is critical to application security as the majority of application risks arise due to weak input validation. Input Validation is primarily conducted in order to ensure that no invalid or unexpected data is supplied to the system\/application which could result in the application behaving in an undesirable manner. Validation of input comprises of comprehensive verification of every input that is supplied to the application including the data that is coming from the user interface, external applications\/sources, HTML controls, cookies, HTTP header variables and any other un-trusted sources.\r\n\r\nWhen software fails to properly validate input, an attacker will be able to craft the input in a format that is not expected by the application.\u00a0 The attacker may inject malicious input, control resource references or cause a program to crash. If unaddressed, weak input validation may lead to the following implications:\r\n<ul>\r\n \t<li>Disclosure of confidential and restricted information<\/li>\r\n \t<li>Unauthenticated and unauthorized access to information and system functionality<\/li>\r\n \t<li>Denial-of-service of the application and server<\/li>\r\n \t<li>Altered control flow, arbitrary control of a resource or arbitrary code execution<\/li>\r\n<\/ul>\r\n<ol>\r\n \t<li>Validate all inputs for length, type, syntax, and business rules before accepting the data for further processing, display or storage. This includes the validation of data and files coming from untrusted sources covering all parameters, URLs and HTTP header content (e.g. cookie name and value)<\/li>\r\n \t<li>Validate input at each tier of the application. Perform validation pertaining to the length, type and syntax (security validations) at the web tier while the business logic validation should be performed separately at the business tier. As business tier components can be re-used by different applications, the tier\u2019s validation logic will ensure that the data is validated properly even if the web tier is not properly validated<\/li>\r\n \t<li>Perform input validations both at the client side and server side. Client side validation must be adopted in scenarios where the data is not going to the server and is processed \/ displayed in the client side itself. In all the other scenarios, server side validation should be mandated in the application. Client side validation will also help to reduce the load on the server by performing the first level of validation at the client side before the data is posted \/ submitted to the server.<\/li>\r\n \t<li>Validate the following when accepting files from the user as an attachment\/file upload:\r\n<ol>\r\n \t<li>File Name<\/li>\r\n \t<li>Size of the file<\/li>\r\n \t<li>File type<\/li>\r\n \t<li>Content format<\/li>\r\n \t<li>File within file<\/li>\r\n \t<li>Signature<\/li>\r\n \t<li>Malware(using anti-virus solutions present in the file server)<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Canonicalize path names before validating them. Use getCanonicalPath() to isolate code from operating system and file system-specific naming conventions. Validate the path name against benign directories<\/li>\r\n \t<li>Do not log unsanitized user input. To avoid log injection attacks, validate user input before logging it.<\/li>\r\n \t<li>Safely extract files from ZipInputStream. Validate the name of each entry before extracting the entry, e.g. by Canonicalizing the path name. Enforce limits on the number of zip files and the size of each file, to mitigate possible denial of service attacks<\/li>\r\n \t<li>Exclude unsanitized input from format string, regular expressions, and Runtime.exec()<\/li>\r\n \t<li>Prevent XML Injection. Use input validation and\/or XML schema validation using a Document Type Definition (DTD) to prevent injections from being mistaken for valid XML<\/li>\r\n \t<li>Use white list validations. Always check and validate the input based on the valid set of characters including numbers, alphabets and special characters.\u00a0 White listing presents a strict set of valid inputs rather than black listing which presents a broad set of invalid inputs. This valid set of characters should be defined during the design phase and should be in-line with the application requirement<\/li>\r\n \t<li>Identify and validate every input source in the web tier.\u00a0 Possible sources of input include but are not limited to:\r\n<ol>\r\n \t<li>GET, POST &amp; PUT parameters<\/li>\r\n \t<li>Hidden Fields<\/li>\r\n \t<li>Cookies<\/li>\r\n \t<li>HTTP Headers<\/li>\r\n \t<li>Environment variables<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Use a centralized validation mechanism and common validation modules throughout the application and these modules should be called whenever there is a requirement for data validation. Usage of centralized modules will ensure that the data validation is performed consistently across the application and can be used to mitigate potential validation problems by doing the following:\r\n<ol>\r\n \t<li>Sanitizing data<\/li>\r\n \t<li>Logging events<\/li>\r\n \t<li>Invalidating sessions<\/li>\r\n \t<li>Notifications such as display of customized error messages and alerts<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Handle all the errors identified during the validation process in a secure manner<\/li>\r\n \t<li>Note that frameworks such as Struts provide validator plugins that can be used to validate user input. The \u201cStruts validator\u201d plug-in validates the data against a set of required characters using regular expressions and other validation features provided by Struts framework<\/li>\r\n \t<li>Perform data validation to mitigate flaws arising within the business logic affecting sequence and order of transaction flow<\/li>\r\n \t<li>Perform appropriate validation checks before using data retrieved from application processes (e.g. downloaded or uploaded between central and\/or remote computers) from different systems<\/li>\r\n \t<li>Prevent SQL Injection &#8211; Use the JDCB library API, like PreparedStatement, to build SQL commands that sanitize untrusted data and validate the length and content of input variables.<\/li>\r\n \t<li>Normalize strings before validating them &#8211; Normalizer.normalize() transforms Unicode text into the standard normalizations forms described in <a href=\"http:\/\/www.unicode.org\/reports\/tr15\/tr15-23.html\">Unicode Standard Annex #15 Unicode Normalization Forms<\/a>. Most suitable normalization form for arbitrarily encoded strings is frequently KC (NFKC)<\/li>\r\n<\/ol>\r\nInput Validation \u2013 Examples\r\n\r\n<strong>Example 1:<\/strong>\r\n\r\nThe following code demonstrates the configuration details of validator plug-ins and dynavalidatorform in the Struts Config file:\r\n<blockquote>\/\/ Validator plug in configuration\r\n\r\n&lt;plug-in className=&#8221;org.apache.struts.validator.ValidatorPlugIn&#8221;&gt;\r\n&lt;set-property property=&#8221;pathnames&#8221; value=&#8221;\/WEB-INF\/validator-rules.xml,\/WEB-INF\/validation.xml&#8221;\/&gt;\r\n&lt;\/plug-in&gt;\r\n\r\n\/\/Configuration details for dynavalidatorform\r\n&lt;form-beans &gt;\r\n&lt;form-bean name=&#8221;exampleForm&#8221; type=&#8221;org.apache.struts.validator.DynaValidatorForm&#8221;&gt;\r\n&lt;form-property name=&#8221;age&#8221; type=&#8221;java.lang.Integer&#8221; \/&gt;\r\n&lt;form-property name=&#8221;name&#8221; type=&#8221;java.lang.String&#8221; \/&gt;\r\n&lt;\/form-bean&gt;\r\n&lt;\/form-beans&gt;<\/blockquote>\r\n<strong>Example 2:<\/strong>\r\n\r\nThe code below utilizes validator plug-in to validate phone numbers. This verifies and ensures that phone numbers contain only numbers in a particular format (for eg: 111-111-1111)\r\n<blockquote>&lt;form-validation&gt;\r\n&lt;formset&gt;\r\n&lt;form name=\u201duserForm\u201d&gt;\r\n&lt;field property=\u201dphoneNumber\u201d depends=\u201drequired, mask\u201d&gt;\r\n&lt;arg0 key=\u201dphoneNumber.mask\u201d\/&gt;\r\n&lt;var&gt;\r\n&lt;var-name&gt;mask&lt;\/var-name&gt;\r\n&lt;var-value&gt;\r\n^\\d{3}-\\d{3}-\\d{4}$\r\n&lt;\/var-value&gt;\r\n&lt;\/var&gt;\r\n&lt;\/field&gt;\r\n&lt;field property=\u201duserId\u201d depends=\u201drequired, userId\u201d&gt;\r\n&lt;arg0 key=\u201dphoneNumber.mask\u201d\/&gt;\r\n&lt;\/field&gt;\r\n&lt;\/form&gt;\r\n&lt;\/formset&gt;\r\n&lt;\/form-validation&gt;<\/blockquote>\r\n<strong>Example 3:<\/strong>\r\n\r\nData is checked for its length \u2013 The variable \u2018Name\u2019 is checked to ensure that it contains less than 20 characters, otherwise data is not processed\r\n\r\nIF (LENGTH(Name) &lt; 20) THEN\r\n\r\n&#8212; Process the data as the data is less than 20 characters\r\n\r\nEND IF;\r\n<ol start=\"2\">\r\n \t<li><strong> Output Validation<\/strong><\/li>\r\n<\/ol>\r\nOutput validation is the process of validating each and every data obtained from the different components before displaying the data in the user interface. This is accomplished by ensuring that data output satisfies set criteria such as being safe for processing by the client and not leaking sensitive information. Output validation also ensures that the response is properly validated before displaying it to the end user (e.g. web browser), thus allowing for safe consumption of data by the client application (browser).\r\n\r\nIf unaddressed, weak output validation may lead to the following implications:\r\n<ul>\r\n \t<li>Disclosure of confidential and restricted information<\/li>\r\n \t<li>Execution of malicious scripts\/commands affecting the confidentiality and integrity of the application and end user<\/li>\r\n<\/ul>\r\n<strong>Output Validation Standard<\/strong>\r\n<ol>\r\n \t<li>Perform appropriate checks to validate all output data processed by the application. The following are some of the instances of output validation requirements specific to applications:\r\n<ol>\r\n \t<li>Check and confirm if the output data is correct and in the secure format<\/li>\r\n \t<li>Ensure sufficient information (accuracy, completeness, precision, and classification of the information, where warranted) is provided or display<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Validate output and sanitize data by considering the application context and type of data involved (for example, displaying the * character instead of digits while displaying the credit card number)<\/li>\r\n \t<li>Use methods such as output encoding (for example, HTML encoding) and filtering on all information\/data that is displayed in the browser before the application attempts to display data from un-trusted sources to the web interface<\/li>\r\n<\/ol>\r\n<strong>Table below lists the characters that the output filter converts as part of output encoding (using HTML encoding),<\/strong>\r\n<table width=\"100%\">\r\n<tbody>\r\n<tr>\r\n<td>Character<\/td>\r\n<td>Encoded Value<\/td>\r\n<td>Character<\/td>\r\n<td>Encoded Value<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>&lt;<\/td>\r\n<td>&amp;lt; or &amp;#60;<\/td>\r\n<td>)<\/td>\r\n<td>&amp;#41;<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>&gt;<\/td>\r\n<td>&amp;gt; or &amp;#62;<\/td>\r\n<td>#<\/td>\r\n<td>&amp;#35;<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>&amp;<\/td>\r\n<td>&amp;amp; or &amp;#38;<\/td>\r\n<td>%<\/td>\r\n<td>&amp;#37;<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>&#8220;<\/td>\r\n<td>&amp;quot; or &amp;#34;<\/td>\r\n<td>;<\/td>\r\n<td>&amp;#59;<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>&#8216;<\/td>\r\n<td>&amp;apos; or &amp;#34;<\/td>\r\n<td>+<\/td>\r\n<td>&amp;#43;<\/td>\r\n<\/tr>\r\n<tr>\r\n<td>(<\/td>\r\n<td>&amp;#40;<\/td>\r\n<td>&#8211;<\/td>\r\n<td>&amp;#45;<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<ol>\r\n \t<li>Only information that is required by the user to perform the authorized activities, must be present in the client side pages (such as in form fields, query string parameters, comments in the user interface pages, hidden variables etc.). Any additional information which is not required by the end-user to perform their application functionality must not be present anywhere in the client side pages. Additional information (such as information on user credentials, server\/application details and other sensitive data) would help an attacker to successfully launch targeted attacks<\/li>\r\n \t<li>Use \u201csecurity\u201d attribute in FRAME and IFRAME tags to enforce user\u2019s IE security settings. Typically use restricted security settings which do not allow any script execution<\/li>\r\n \t<li>Efficiently handle all the errors identified during the output validation process<\/li>\r\n<\/ol>\r\n<strong>Output Validation \u2013 Examples<\/strong>\r\n\r\n<strong>Example 1: <\/strong>\r\n\r\nIn the following code, a function is used to encode any input passed to it for display in a web browser into its equivalent form, using decimal character references:\r\n<blockquote>{\r\n\r\n\u2026.\/\/Code present in Action class\r\n\r\nString address = encode(formaddress);\r\n\r\npublic static String encode(String data)\r\n\r\nfinal StringBuffer buf = new StringBuffer();\r\n\r\nfinal char[] chars = data.toCharArray();\r\n\r\nfor (int i = 0; i &lt; chars.length; i++)\r\n\r\n{\r\n\r\nbuf.append(&#8220;&amp;#&#8221; + (int) chars[i]);\r\n\r\n}\r\n\r\nreturn buf.toString();\r\n\r\n}\r\n\r\nrequest.setAttribute(\u201cformAddress\u201d, address);\r\n\r\n}<\/blockquote>\r\n<ol start=\"3\">\r\n \t<li><strong> Authentication and Password Management<\/strong><\/li>\r\n<\/ol>\r\nAuthentication is the process of confirming the identity of a user attempting to access an application or other information resources. secure authentication mechanisms control access to applications and information resources and the trust between multiple parties to communicate with them.\r\n\r\nIf unaddressed, weak authentication may lead to the following implications:\r\n<ul>\r\n \t<li>Unauthenticated\/anonymous access to the data present in the application<\/li>\r\n \t<li>Insecure management of user \/system authentication credentials<\/li>\r\n<\/ul>\r\n<strong>Authentication Standard and Password Management Standard<\/strong>\r\n<ol>\r\n \t<li>Always authenticate users when accessing protected resources and data in the application<\/li>\r\n \t<li>Use trusted and secure mechanisms such as Kerberos, Integrated Windows Authentication, and One Time Password Tokens (OTP) between application tiers and between information resources<\/li>\r\n \t<li>Use multi-factor authentication\/strong authentication when accessing critical application information or data processing. Implement other authentication methods such as usage of hardware or software tokens and biometric (e.g., fingerprint, retina pattern, voice print) whenever there is a greater assurance level of user identification is required<\/li>\r\n \t<li>Enforce strong passwords. Passwords are the key to protect account information. The strength and complexity of the password should be directly associated to the security requirements laid out for the application and the value of the asset being protected. Recommended values for various password attributes are listed below:\r\n<ol>\r\n \t<li>Strong password minimum length should be 8 characters<\/li>\r\n \t<li>Password should comprise at least three of the following<\/li>\r\n \t<li>Uppercase character (A through Z)<\/li>\r\n \t<li>Lowercase character (a through z)<\/li>\r\n \t<li>Base 10 digit (0 through 9)<\/li>\r\n \t<li>Non-alphanumeric character (e.g., space, punctuation mark, special character)<\/li>\r\n \t<li>Password history value should be set to a number sufficient to prevent re-use within the last 12 months<\/li>\r\n \t<li>Maximum age of password is 180 days<\/li>\r\n \t<li>Do not use default passwords or easily guessable passwords<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Implement an account lock out policy after 5 unsuccessful attempts<\/li>\r\n \t<li>Implement multi-step login process (i.e., user name and password entry on separate pages) to ensure that no additional information is disclosed that helps an attacker to identify the user credentials<\/li>\r\n \t<li>Enable logging for all unsuccessful login attempts<\/li>\r\n \t<li>Securely develop the Change Password functionality so the current password is re-authenticated when changing the password of the user<\/li>\r\n \t<li>Notify the user of the new password for the Forgot\/Reset Password functionality through secure email or other secure communication channels instead of displaying the information to the browser. The new password should meet the established password complexity requirements<\/li>\r\n \t<li>Never display the password on the screen \/ web page or send it to the client side in any manner (such as HTTP headers, cookies, or hidden form fields).<\/li>\r\n \t<li>Display the password expiration notification when the user logs-in<\/li>\r\n \t<li>Do not indicate which mechanism has caused the failure in the event of an authentication failure (e.g., an invalid user sign-on attempt) in the authentication system. For example, in a user ID and password authentication system, an authentication failure shall not indicate whether the user ID or the password was incorrect<\/li>\r\n \t<li>Employ the use of HTTP sessions for all authenticated users<\/li>\r\n \t<li>Do not allow web browsers to cache the restricted \/ confidential information present in the login forms during authentication<\/li>\r\n \t<li>Show minimal errors about last successful login and failed login attempts after successful user authentication. Allowing a user to verify their failed login attempts and last successful login date will help the user to determine if an unauthorized access to the account was attempted<\/li>\r\n \t<li>Use secure communication channel such as SSL when form based authentication is used to transmit login credentials<\/li>\r\n \t<li>Use mutual authentication when two servers\/systems need to communicate restricted\/confidential information or perform restricted\/confidential transactions and transports\r\n<ol>\r\n \t<li>Use authentication frameworks such as Java Authentication and Authorization (JAAS) framework to authenticate a client. The JAAS authentication component provides the ability to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, a bean, or a servlet,<\/li>\r\n \t<li>Standard built-in frameworks such as JAAS authentication mechanism can be used to authenticate users against user repository<\/li>\r\n \t<li>Authenticate domain users against Active Directory to provide access to protected resources. Set SSL attribute to true in LDAP configuration to ensure secure communication of sensitive authentication information<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Use SSL to protect the transfer of user information among end-user, web-tier, Enterprise JavaBeans EJB-tier and data-tier (based on any methods implemented<\/li>\r\n \t<li>Pass Servlets\/Java Server Pages (JSP) client credentials within the InitialContext object, which is used to look up the remote Enterprise Java Beans<\/li>\r\n \t<li>Do not hardcode passwords in code. Store them in an encrypted or hashed form separately in a configuration file or database, or fetch from a password vault at runtime.<\/li>\r\n \t<li>Hash stored passwords and concatenate a salt to the password before the digest operation. Apply a different salt for each stored entry. Avoid use of weak cryptographic hashes such as MD2, MD4, MD5 and SHA-1.<\/li>\r\n \t<li>Use the SecureRandom function to generate a cryptographically strong random number<\/li>\r\n \t<li>Use the Java Cryptography Architecture (JCA) API which includes the Java Cryptographic Extension to build secure applications<\/li>\r\n \t<li>Set up authentication requirements &lt;login-config&gt; in the corresponding deployment descriptor. For example:\r\n<ol>\r\n \t<li>Configure &lt;auth-method&gt; to the type of authentication to use (e.g., Basic, Form, etc.,)<\/li>\r\n \t<li>Configure &lt;form-login-page&gt; and &lt;form-error-page&gt; under &lt;form-login-config&gt; with the path of logon and default error pages, respectively<\/li>\r\n<\/ol>\r\n<\/li>\r\n<\/ol>\r\n<strong>Authentication and Password Management \u2013 Examples<\/strong>\r\n\r\n<strong>Example 1:<\/strong>\r\n\r\nThe following sample code shows configuration details for SSL communication:\r\n<blockquote>&lt;user-data-constraint&gt;\r\n\r\n&lt;description&gt;SSL required&lt;\/description&gt;\r\n\r\n&lt;transport-guarantee&gt;CONFIDENTIAL&lt;\/transport-guarantee&gt;\r\n\r\n&lt;\/user-data-constraint&gt;<\/blockquote>\r\n<strong>Example 2:<\/strong>\r\n\r\nThe following sample code shows LDAP login configuration details for JAAS Authentication:\r\n<blockquote>Example {\r\n\r\nedu.vt.middleware.ldap.jaas.LdapLoginModule required\r\n\r\nhost=&#8221;ldap.clientname.org&#8221;\r\n\r\nport=&#8221;&lt;specify LDAP over SSL port number&gt;&#8221;\r\n\r\nssl=&#8221;true&#8221;\r\n\r\ntls=&#8221;false&#8221;\r\n\r\nbase=&#8221;ou=people,dc=clientname,dc=org&#8221;\r\n\r\nsubtreeSearch=&#8221;true&#8221;\r\n\r\nuserField=&#8221;uid&#8221;\r\n\r\nserviceUser=&#8221;cn=administrator,dc=clientname,dc=org&#8221;\r\n\r\nserviceCredential=&#8221;password&#8221;;<\/blockquote>\r\n<strong>Example 3:<\/strong>\r\n\r\nThe following sample code shows the access of remote EJBs from a servlet or JavaBean, passing the credentials in the InitialContext object:\r\n<blockquote>Hashtable env = new Hashtable();\r\n\r\nenv.put(&#8220;java.naming.provider.url&#8221;, &#8220;ormi:\/\/myhost\/ejbsamples&#8221;);\r\n\r\nenv.put(&#8220;java.naming.factory.initial&#8221;&#8221;com.evermind.server.ApplicationClientInitialContextFactory&#8221;);\r\n\r\nenv.put(Context.SECURITY_PRINCIPAL, &#8220;XYZ&#8221;);\r\n\r\nenv.put(Context.SECURITY_CREDENTIALS, &#8220;welcome&#8221;);\r\n\r\nContext ic = new InitialContext (env);\r\n\r\nCustomerHome =\r\n\r\n(CustomerHome)ic.lookup(&#8220;java:comp\/env\/XYZpurchaseOrderBean&#8221;)<\/blockquote>\r\n<ol start=\"4\">\r\n \t<li><strong> Authorization<\/strong><\/li>\r\n<\/ol>\r\nAuthorization is the process of assigning and verifying user privileges to access protected information. Once a user has been authenticated, their credentials can be used to determine what privileges to assign and whether they should have access to application resources. Authorization provides access controls to applications and can be performed by specifying a role or list of roles to explicitly allow or deny access to the application resources. Proper authorization mechanisms ensure secure access to protected application resources.\r\n\r\nIf unaddressed, weak authorization may lead to the following implications:\r\n<ul>\r\n \t<li>Unauthorized access to restricted\/confidential information and the application functionality<\/li>\r\n \t<li>Subversion of business processes<\/li>\r\n \t<li>Fraud and reputation-related risks<\/li>\r\n<\/ul>\r\n<strong>Authorization Standard<\/strong>\r\n<ol>\r\n \t<li>Ensure that the user is authenticated and authorized to access the application data and functionality before granting access to any protected application resource<\/li>\r\n \t<li>Perform access control at all layers (environment, presentation, business and data) in order to ensure authorized access to application resources. Use role based authorization both at the web tier and EJB tier<\/li>\r\n \t<li>Wherever applicable, use the Java Authentication and Authorization framework (JAAS) to control the access to protected resources. Perform the following steps as part of JAAS authorization:\r\n<ol>\r\n \t<li>Create appropriate security policy file entries<\/li>\r\n \t<li>Create a custom Permission class, a subclass of the java.security.Permission class<\/li>\r\n \t<li>Create a custom action class, an implementation of java.security.PrivilegedAction<\/li>\r\n \t<li>Execute the static Subject doAsPrivileged method, passing the Subject instance containing the principals required and the custom PrivilegedAction, along with an optional AccessControlContext<\/li>\r\n \t<li>Within the body of the PrivilegedAction run method, access the SecurityManager and call the checkPermission method using the custom Permission class<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Use the principle of Least Privilege to limit processes and user access to the resources which are necessary to perform their tasks, and nothing more<\/li>\r\n \t<li>Use declarative (configurative) security wherever applicable. Declarative security is more flexible as the application&#8217;s security environment can be changed without modifying the application itself<\/li>\r\n \t<li>Use the principle of segregation of duties and implement approval workflow processes to ensure that no user has excessive control over any critical process. For example a person should not be able to grant himself rights to perform an action<\/li>\r\n \t<li>Enforce limits on business logic (such as transaction limits) to reduce the attack surface<\/li>\r\n \t<li>Disable directory indexing on all web applications<\/li>\r\n \t<li>Store authorization tokens on the server-side. Do not use client-side tokens, such as cookies, hidden form fields, or request headers for storing authorization information. Ensure authorization tokens are confidential, tamper proof, and not replayable using cryptographic mechanisms whenone must store or pass the authorization tokens<\/li>\r\n \t<li>Implement role-based authorization in the web-tier using standard frameworks such as struts. Struts role based authorization can be used in applications for:\r\n<ol>\r\n \t<li>Form and Method level security, extend Request Processor\u00a0 and override the method\u00a0 processRoles() to perform the check against a HashMap that stores a mapping of roles and form IDs\/Method IDs<\/li>\r\n \t<li>Field-level security, tag libraries are extended to perform the check against the field ID<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Use Java EE Filters to intercept requests to achieve a clean separation of concerns and invoke a method on the Java class to perform the work to verify that a user\u2019s role or roles allow them to access the resource that is requested<\/li>\r\n \t<li>Ensure role based authorization based on risk (e.g. EJB resources). In Role based authorization, only users with valid role are allowed to access the requested resource<\/li>\r\n \t<li>EJB declarative role based authorization to protect EJB resources by:\r\n<ol>\r\n \t<li>Granting access to EJB resources based on security roles<\/li>\r\n \t<li>Declaring method permissions for EJB resources. Method permissions indicate which roles are allowed to invoke which methods<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Assign roles to J2EE Users and Groups. J2EE security architecture provides a mechanism for automatically mapping of roles defined in the application to the users or groups defined in the run time realm<\/li>\r\n<\/ol>\r\n<strong>Authorization \u2013 Examples<\/strong>\r\n\r\n<strong>Example 1:<\/strong>\r\n\r\nThe following sample code restricts direct access to JSPs in applications:\r\n<blockquote>\/\/Below code is to protect JSPs from direct access by end user\r\n\r\n&lt;web-app&gt;\r\n\r\n&lt;security-constraint&gt;\r\n\r\n&lt;auth-constraint&gt;\r\n\r\n&lt;web-resource-collection&gt;\r\n\r\n&lt;web-resource-name&gt;no_access&lt;\/web-resource-name&gt;\r\n\r\n&lt;url-pattern&gt;*.jsp&lt;\/url-pattern&gt;\r\n\r\n&lt;\/web-resource-collection&gt;\r\n\r\n&lt;auth-constraint\/&gt;\r\n\r\n&lt;\/security-constraint&gt;\r\n\r\n&lt;\/web-app&gt;\r\n\r\nThe following sample code protects directory indexing in applications:\r\n\r\n&lt;servlet&gt;\r\n\r\n&lt;servlet-name&gt;default&lt;\/servlet-name&gt;\r\n\r\n&lt;servlet-class&gt;org.apache.catalina.servlets.DefaultServlet&lt;\/servlet-class&gt;\r\n\r\n&lt;init-param&gt;\r\n\r\n&lt;param-name&gt;listings&lt;\/param-name&gt;\r\n\r\n&lt;param-value&gt;false&lt;\/param-value&gt;\r\n\r\n&lt;\/init-param&gt;\r\n\r\n&lt;init-param&gt;\r\n\r\n&lt;param-name&gt;readonly&lt;\/param-name&gt;\r\n\r\n&lt;param-value&gt;true&lt;\/param-value&gt;\r\n\r\n&lt;\/init-param&gt;\r\n\r\n&lt;\/servlet&gt;<\/blockquote>\r\n<strong>Example 2<\/strong>\r\n\r\nThe following is the sample code snippet of java security files for JAAS authorization. The entries in the file create associations between the principal that was assigned using authentication and the permissions. These entries are checked by Java Security Manager when the checkPermission call is made.\r\n<blockquote>JAAS Authorization Security Configuration\r\n\r\ngrant Principal examples.jaas.DemoPrincipal \u00ab art \u00bb\r\n\r\n{\r\n\r\npermission java.util.PropertyPermission \u00ab user.home \u00bb, \u00ab read \u00bb;\r\n\r\npermission examples.jaas.DemoPermission \u00ab doIt \u00bb;\r\n\r\npermission examples.jaas.DemoPermission \u00ab doThat \u00bb;\r\n\r\npermission examples.jaas.DemoPermission \u00ab doITAll\u00bb;<\/blockquote>\r\n<strong>Example 3:<\/strong>\r\n<blockquote>The following sample code performs privileged action:\r\n\r\n\/\/Use static doAsPrivileged method to execute privileged code\r\n\r\nObject o = Subject.doAsPrivileged( lc.getSubject(), new PrivilegedAction() {\r\n\r\nPublic Object run() {\r\n\r\nSecurityManager sm = System.getSecurityManager();\r\n\r\ntry{\r\n\r\nsm.checkpermission(\r\n\r\nnew DemoPermission(\u201cdoIT\u201d));\r\n\r\nSystem.out.println(\u201cDid doIt\u201d);\r\n\r\nsm.checkpermission(\r\n\r\nnew DemoPermission(\u201cdoITAll\u201d));\r\n\r\nSystem.out.println(\u201cDid doItAll\u201d);\r\n\r\n}\r\n\r\ncatch(SecurityException e){\r\n\r\nSystem.out.println(\u201cyou do not have permission to do that\u2026.\u201d);\r\n\r\nSystem.out.println(\u201cException : \u201d + e);\r\n\r\n}\r\n\r\nfinally{\r\n\r\nreturn null;\r\n\r\n}\r\n\r\n}\r\n\r\n}\r\n\r\nnull );<\/blockquote>\r\n<strong>Example 4:<\/strong>\r\n\r\nThe following sample code in a servlet verifies whether user has an employee role. If user has an employee role, they will be allowed to read customer information.\r\n<blockquote>public double readEmployeeinformation(String employeeId) {\r\n\r\njava.security.Principal userPrincipal = request.getUserPrincipal();\r\n\r\nString callerId = userPrincipal.getName();\r\n\r\n\/\/ Checks whether user has employee role\r\n\r\nif ( ((request.isUserInRole(\u201cemployee\u201d)) &amp;&amp;(callerId == employeeId)) ) {\r\n\r\n\/\/ return Salary information for the employee\r\n\r\ngetCustomerInformation(employeeId);\r\n\r\n} else {\r\n\r\n\/\/ Log unauthorized access\r\n\r\nthrow new SecurityException(\u201caccess denied\u201d);\r\n\r\n}\r\n\r\n}<\/blockquote>\r\n<strong>Example 5:<\/strong>\r\n<blockquote>The following sample code shows use of ejb-jar.xml to control access to EJBs and EJB methods:\r\n\r\n&lt;enterprise-beans&gt;\r\n\r\n&lt;assembly-descriptor&gt;\r\n\r\n&lt;security-role&gt;\r\n\r\n&lt;description&gt;Managers in an organization &lt;\/description&gt;\r\n\r\n&lt;role-name&gt;manager&lt;\/role-name&gt;\r\n\r\n&lt;\/security-role&gt;\r\n\r\n&lt;security&lt;description&gt;employees in an organization &lt;\/description&gt;\r\n\r\n&lt;role-name&gt;employee&lt;\/role-name&gt;\r\n\r\n&lt;\/security-role&gt;\r\n\r\n&lt;\/assembly-descriptor&gt;\r\n\r\n&#8230;&#8230;\r\n\r\n\/\/ An employee with manager role can update Customer information.\r\n\r\n&lt;method-permission&gt;\r\n\r\n&lt;role-name&gt;manager&lt;\/role-name&gt;\r\n\r\n&lt;method&gt;\r\n\r\n&lt;ejb-name&gt;Customerdetails&lt;\/ejb-name&gt;\r\n\r\n&lt;method-name&gt;UpdateCustomerInformation&lt;\/method-name&gt;\r\n\r\n&lt;\/method&gt;\r\n\r\n&lt;\/method-permission&gt;\r\n\r\n\/\/ An employee with employee role can view Organization policies\r\n\r\n&lt;method-permission&gt;\r\n\r\n&lt;role-name&gt;employee&lt;\/role-name&gt;\r\n\r\n&lt;method&gt;\r\n\r\n&lt;ejb-name&gt;Employeedetails&lt;\/ejb-name&gt;\r\n\r\n&lt;method-name&gt;viewOrganizationPolicies&lt;\/method-name&gt;\r\n\r\n&lt;\/method&gt;\r\n\r\n&lt;\/method-permission&gt;\r\n\r\n&lt;\/assembly-descriptor&gt;<\/blockquote>\r\n<ol start=\"5\">\r\n \t<li><strong> Error and Exception Management<\/strong><\/li>\r\n<\/ol>\r\nApplications can unintentionally leak information about their configuration or internal workings, or expose privileged information through improper error handling methods. In order to avoid leakage of technical information, the errors and exception should be customized to display uniform user interface to end user and mask all technical information.\r\n\r\nImproper error and exception management can lead to disclosure of internal technology information which may allow the attacker to launch attacks specific to the technology that is being used to develop the application and also in the web, application and database server or to perform social engineering on the administrators of the application and the servers associated with the application.\r\n\r\nIf unaddressed, weak error and exception handling may\u00a0have the following implications:\r\n<ul>\r\n \t<li>Undetected\/unmanaged errors and exceptions<\/li>\r\n \t<li>Difficulty debugging the application<\/li>\r\n<\/ul>\r\n<strong>Error and Exception Management Standard<\/strong>\r\n<ol>\r\n \t<li>Handle all possible errors and exceptions that are expected from the application using a structured exception handling mechanism (\u201ctry\u2026\u2026catch\u2026\u201d mechanism)<\/li>\r\n \t<li>Handle specific or sub-classed exception or errors (such as IllegalArgumentException) but not a generic master exception (such as RuntimeException, Throwable or Exception)<\/li>\r\n \t<li>Display custom (i.e.,\u00a0 messages generated by the application\u00a0 and not the message thrown by the system\/software) and generic (i.e., should not contain any restricted\/confidential or system related information as well as any other information which is not required for the user to perform the application functionality) error messages Create separate exception classes for specific types of application attacks and throw an instance of these exception classes whenever the possibility of the attack is identified.\u00a0 This will help to log the required information specific to the application attacks<\/li>\r\n \t<li>Log and protect the details of the error and exception in a log file by implementing proper access control mechanisms<\/li>\r\n \t<li>Do not log sensitive information present in the error\/exception messages (such as password, credit card numbers etc.) in the log file<\/li>\r\n \t<li>Implement fail safe applications. If an application enters an unknown state, it is likely that an attacker may be able to exploit this indeterminate state to access unauthorized functionality<\/li>\r\n \t<li>Release all the memory space allocated to the resources which are associated with the error or exception as long as these resources are not being used anywhere else in the application when an error or exception occurs<\/li>\r\n \t<li>Redirect handled\/unhandled errors or exceptions that occur in the application to a common error page<\/li>\r\n \t<li>Use the try, catch, finally connection pattern to prevent resource leaks and other undesired behavior<\/li>\r\n \t<li>Handle exceptions in the web or business tier of Java using the try-catch block or throw\/throws statements<\/li>\r\n \t<li>Avoid use of the following:\r\n<ol>\r\n \t<li>empty catch blocks<\/li>\r\n \t<li>overly broad catch or throws<\/li>\r\n \t<li>Returning from inside a finally block. This will cause exceptions to be lost<\/li>\r\n \t<li>Using a throw statement inside a finally block. This can bypass any cleanup code as the normal flow of the execution is interrupted<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Explicitly handle SSL exceptions as this will avoid leaving the connection in an unexpected or potentially insecure state.<\/li>\r\n \t<li>Catch and handle all possible errors and exceptions that are expected in database routines which use data from external data store or user controlled data<\/li>\r\n<\/ol>\r\n<strong>Error and Exception Management \u2013 Examples<\/strong>\r\n\r\n<strong>Example 1:<\/strong>\r\n<blockquote>The following code snippet shows application exception handled in the catch block via ActionErrors class of Struts framework:\r\n\r\ntry {\r\n\r\n\/\/Code in Action class\r\n\r\n}\r\n\r\ncatch (ApplicationException e) {\r\n\r\nlog exception\r\n\r\nActionErrors actionErrors = new ActionErrors();\r\n\r\nActionError actionError = new ActionError(e.getErrorCode());\r\n\r\nactionErrors.add(ActionErrors.GLOBAL_ERROR, actionError);\r\n\r\nsaveErrors(request, actionErrors);\r\n\r\n}\/\/end of catch\r\n\r\nif (!actionErrors.isEmpty()) {\r\n\r\nforward = mapping.findForward(&#8220;Exception&#8221;);\r\n\r\n}\r\n\r\nelse {\r\n\r\nforward = mapping.findForward(&#8220;success&#8221;);\r\n\r\n}<\/blockquote>\r\n<strong>Example 2:<\/strong>\r\n<blockquote>The following code from \u201cstruts-config.xml\u201d shows application redirection to a custom page when an exception is encountered in \u201cactionForm\u201d:\r\n\r\n&lt;action-mappings&gt;\r\n\r\n&lt;action\r\n\r\npath=&#8221;\/action&#8221;\r\n\r\nname=&#8221;actionForm&#8221;\r\n\r\nscope=&#8221;request&#8221;\r\n\r\ntype=&#8221;web.DefectsAction&#8221;\r\n\r\nparameter=&#8221;method&#8221;\r\n\r\nvalidate=&#8221;false&#8221;&gt;\r\n\r\n&lt;forward name=&#8221;Exception&#8221; path=&#8221;\/exception\/customexceptionpage.jsp&#8221; \/&gt;\r\n\r\n&lt;forward name=&#8221;success&#8221; path=&#8221;\/welcome.jsp&#8221; \/&gt;\r\n\r\n&lt;\/action&gt;\r\n\r\n&lt;\/action-mappings&gt;<\/blockquote>\r\n<ol start=\"6\">\r\n \t<li><strong> Logging<\/strong><\/li>\r\n<\/ol>\r\nThe information within a log provides information on who accessed the application, what information was accessed on the application, when and where events occurred, and where the user accessed the application from. Improper logging may allow an attacker to prevent a security professional from constructing a clear picture of the logical flow of events occurring before, during, and after an attack. Attackers may also fill the log with irrelevant information or invalid special characters; inject external data or user-controlled data directly into the log files, store log data in an insecure location, or transport data over an insecure network connection.\r\n\r\nIf unaddressed, weak logging may lead to the following implications:\r\n<ul>\r\n \t<li>Information relevant to reconstruct an attack is not available affecting breach investigation and forensics<\/li>\r\n \t<li>Denial of service if irrelevant data is logged<\/li>\r\n \t<li>Removal of the trace of an attack<\/li>\r\n \t<li>Breach of confidential\/restricted information logged<\/li>\r\n<\/ul>\r\n<strong>Logging Standard<\/strong>\r\n<ol>\r\n \t<li>Use a centralized logging mechanism within the application logic, wherever possible<\/li>\r\n \t<li>Use built-in logging frameworks such as \u201cjava.util.logging\u201d or external component such as log4j instead of a custom logging module<\/li>\r\n \t<li>Categorize application related events to different types of logging mechanisms such as application logging, audit logging, security logging and profiling<\/li>\r\n \t<li>Prioritize logged events for the ease of review by log reviewers and auditors<\/li>\r\n \t<li>Validate the user controlled data (or data coming from untrusted sources) before appending the same as part of the log entry. Preference is to use a white list of approved characters before appending the data as part of the log entry. This ensures that no malicious content is stored in the log file<\/li>\r\n \t<li>Store relevant data in the log files so that it is possible to trace the activity related to a specific data or event back to the sources. At a minimum, following information needs to be logged as part of a log entry:\r\n<ul>\r\n \t<li>Type of event such as login, logout and database connection type<\/li>\r\n \t<li>Date and timestamp of when the event occurred<\/li>\r\n \t<li>Description of the event<\/li>\r\n \t<li>A user identifier to link a user to the event<\/li>\r\n \t<li>Contextual data of the event i.e.\u00a0 server IP address and port number of the database used when creating a new database connection<\/li>\r\n<\/ul>\r\n<\/li>\r\n \t<li>Do not log restricted\/confidential data.\u00a0 The presence of restricted\/confidential information in the log file may lead to disclosure of this information to administrators or users who accesses the log data. This may lead to breach of confidentiality of restricted\/confidential information and adversely affect the user, application or related IT infrastructure with which these information are associated<\/li>\r\n \t<li>Integrate the log information with the enterprise level Security Information Event Management (SIEM) system, wherever possible<\/li>\r\n \t<li>Enforce proper logging mechanisms in security as well as restricted\/confidential areas such as authentication, authorization, session management, input validation, configuration, administration.\u00a0 The following are some of the events to be logged in the application restricted\/confidential areas:\r\n<ul>\r\n \t<li>Authentication: Events such as logging in successfully, logging out, failure to log in<\/li>\r\n \t<li>Authorization:\r\n<ol>\r\n \t<li>Any place where authorization to access a resource is requested by the user<\/li>\r\n \t<li>Impersonation failure, i.e., User attempting to access the protected application functionality or data, which the user is not authorized to access, affecting the confidentiality or integrity of the application data<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Session mechanism usage:\r\n<ol>\r\n \t<li>Session startup\/teardown<\/li>\r\n \t<li>Session validation failures<\/li>\r\n \t<li>Session timeouts<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Database usage:\r\n<ol>\r\n \t<li>Any SQL statement execution on restricted\/confidential data records<\/li>\r\n \t<li>Any actions requiring modification to a database, such as DROP, CREATE,\u00a0 TRUNCATE, GRANT, REVOKE, STARTUP, and SHUTDOWN<\/li>\r\n \t<li>Database access failures<\/li>\r\n \t<li>Errors returned from a database<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>File system usage:<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ol>\r\n<ol>\r\n \t<li style=\"list-style-type: none;\">\r\n<ul>\r\n \t<li style=\"list-style-type: none;\">\r\n<ol>\r\n \t<li>Any actions requiring access or modifications to a file\/directory<\/li>\r\n \t<li>File access failures<\/li>\r\n \t<li>Directory access failures<\/li>\r\n \t<li>Errors returned from the file system<\/li>\r\n<\/ol>\r\n<\/li>\r\n \t<li>Administrative usage:<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ol>\r\n<ol>\r\n \t<li style=\"list-style-type: none;\">\r\n<ul>\r\n \t<li style=\"list-style-type: none;\">\r\n<ol>\r\n \t<li>Account changes<\/li>\r\n \t<li>Permission changes<\/li>\r\n \t<li>Role changes<\/li>\r\n \t<li>Database security changes<\/li>\r\n \t<li>File system security changes<\/li>\r\n \t<li>Disabling\/enabling of logging<\/li>\r\n<\/ol>\r\n<\/li>\r\n<\/ul>\r\n<\/li>\r\n \t<li>Store the log file in a secure location with necessary access controls and track access to log files\/records separately<\/li>\r\n \t<li>Generate appropriate alerts\/notifications if any security critical event is logged<\/li>\r\n \t<li>Write data to the log as soon as possible and as close to the occurrence event as possible.\u00a0 When an\u00a0 event occurs, log the event first and then take necessary actions for remediation if required<\/li>\r\n \t<li>Use a proper logging mechanism at the web and business tier of the application as all the major functionalities are performed at these application tiers<\/li>\r\n \t<li>Ensure protection of security logs by following the principle of least privileges for log file access. Retain audit trails history for at least one year, with a minimum of three months immediately available for analysis<\/li>\r\n \t<li>Ensure continuous or periodic monitoring of security logs and have reporting and alerting procedures in place<\/li>\r\n \t<li>Ensure protection of security logs by following the principle of least privileges for log file access<\/li>\r\n \t<li>When an event occurs, log the event first and then take necessary actions for remediation<\/li>\r\n<\/ol>\r\n<strong>Logging \u2013 Examples<\/strong>\r\n\r\n<strong>Example 1:<\/strong>\r\n<blockquote>The following example shows that event is logged first before performing any other action:\r\n\r\nTry\r\n\r\n{\r\n\r\n\/\/ code\r\n\r\n}\r\n\r\ncatch (exception e)\r\n\r\n{\r\n\r\nlog.debug(&#8220;Error message descriptor&#8221;, &#8220;Location&#8221;, e);\r\n\r\n\/\/ Do any necessary cleanup here\u2026\r\n\r\n}<\/blockquote>\r\n<ol start=\"7\">\r\n \t<li><strong> Session Management<\/strong><\/li>\r\n<\/ol>\r\nSession Management is the process of tracking a user\u2019s activity across various sessions of interaction with the application. Managing application user session is critical as web applications use HTTP as the underlying data transfer protocol and HTTP is a stateless protocol which does not maintain user state across subsequent requests.\r\n\r\nWeb session management provides an integrated way for a web server\/application to maintain states throughout a user\u2019s subsequent requests. The server generates a session identifier (ID) at an early point in the user interaction, sends this identity to the user\u2019s browser and requests the identity from the browser with each subsequent request. Session identities thereby become identification tokens for user sessions and servers can use them to maintain session data (for example, session variables containing user information such as user roles).\r\n\r\nIf unaddressed, weak session management may lead to the following implications:\r\n<ul>\r\n \t<li>Session hijacking<\/li>\r\n \t<li>Replay attacks<\/li>\r\n \t<li>Unauthorized access\/ privilege escalation<\/li>\r\n \t<li>Request forging<\/li>\r\n<\/ul>\r\n<strong>Session Management Standard<\/strong>\r\n<ol>\r\n \t<li>Session IDs must be unpredictable (random enough) to prevent guessing attacks, where an attacker is able to guess or predict the ID of a valid session through statistical analysis techniques. For this purpose, a good PRNG (Pseudo Random Number Generator) must be used. The session ID value must provide at least 64 bits of entropy.<\/li>\r\n \t<li>Session ID should not have any have any restricted\/confidential information<\/li>\r\n \t<li>Create a new HTTP session object after user authenticates successfully to the application. This will ensure that an authenticated user session is assigned a new session identifier<\/li>\r\n \t<li>Do not create session objects in JSP pages<\/li>\r\n \t<li>Invalidate session at the server side when the user logs out<\/li>\r\n \t<li>Define idle session time out in web.xml.\u00a0 Remove sessions which are not active in container and client side for specified period of time<\/li>\r\n \t<li>Always issue a new session ID when the user changes authentication state<\/li>\r\n \t<li>Seamlessly expire the current session token and regenerate token if the user session is inactive for an extended and defined period of time. This shortens the window of opportunity for brute force attack Use as few resources as possible to prevent denial of service attacks for unprotected pages, and do not leak information about the protected portion of the application<\/li>\r\n \t<li>Hash the Session ID, IP address, and other fixed\/unchanging HTTP header attributes before processing each subsequent request; checking whether the hash has changed can reveal session tampering or man in the middle attacks.\u00a0 If there are changes in the hash, the user should be logged off to prevent session fixation and session tampering<\/li>\r\n \t<li>Use separate session identifiers for secure (HTTPS) and insecure (HTTP) communication channel<\/li>\r\n \t<li>Do not transmit session identifiers via GET request (as part of query string parameter)<\/li>\r\n \t<li>Ensure that the session ID content is meaningless to prevent information disclosure attacks, where an attacker is able to decode the contents of the ID and extract details of the user, the session, of the inner workings of the web application. The session ID must not contain sensitive information (e.g., PII).<\/li>\r\n \t<li>If session management features of web development framework are used then ensure that the latest version of web development framework is used that potentially fixes all the well- known vulnerabilities related to session management, as well as review and change the default configuration to enhance its security.<\/li>\r\n \t<li>Ensure that session management mechanism used is strict and not permissive. The permissive mechanism allow the web application to initially accept any session ID value set by the user as valid, creating a new session for it, while the strict mechanism enforces that the web application will only accept session ID values that have been previously generated by the web application.<\/li>\r\n \t<li>Ensure that the session ID is renewed or regenerated by the web application after any privilege level change within the authenticated user session.<\/li>\r\n \t<li>If multiple cookies are used for a given session, the web application must verify all cookies (and enforce relationship between them) before allowing access to the user session.<\/li>\r\n \t<li>Idle or inactivity time out must be implemented for application session in-line with the requirement. Absolute time out must be implemented regardless of session activity.<\/li>\r\n<\/ol>\r\n<strong>Session Management \u2013 Examples<\/strong>\r\n\r\n<strong>Example 1:<\/strong>\r\n<blockquote>The following code sample shows that configuration of session time out in the web.xml file:\r\n\r\n\/\/Session time out configuration in web.xml\r\n\r\n&lt;session-config&gt;\r\n\r\n&lt;session-timeout&gt;timeValue&lt;\/session-timeout&gt;\r\n\r\n&lt;\/session-config&gt;<\/blockquote>\r\n<ol start=\"8\">\r\n \t<li><strong> Cookie Management<\/strong><\/li>\r\n<\/ol>\r\nA cookie is a piece of information sent to a browser by a Web Server. Cookies are designed to handle user preferences and are used to identify the authenticated user\u2019s requests from a client to the server.\u00a0 Cookie management ensures that cookies used in the applications are securely managed.\r\n\r\nThe improper management of cookies may allow an attacker to steal cookies or hijack a session.\r\n\r\nIf unaddressed, weak cookie management may impact the security of the application session (provided session identity is stored as part of cookie) affecting the confidentiality and integrity.\r\n\r\n<strong>Cookie Management Standard<\/strong>\r\n<ol>\r\n \t<li>Avoid the presence of restricted \/ confidential information in the cookies. If required, encrypt the restricted\/confidential data used in cookies.\u00a0 For example, if an application requirement mandates usage of user role in a cookie, then ensure that it is encrypted so that the end user is not aware of the presence of user role in the cookies. Another example is the use of persistent cookies as part of \u201cRemember Me\u201d functionality of the application. If the application wants to remember the user even after the user logs out, then the application should make use of persistent cookies and stores some restricted\/confidential information in the cookies. This will help the application to identify this user when the user tries to access the application functionality next time from the same machine. In such a scenario, the application should encrypt the restricted\/confidential information present in the cookies<\/li>\r\n \t<li>Perform proper input validation on all cookie parameters before processing<\/li>\r\n \t<li>Use the SECURE attribute in the cookie of the application which is using encrypted communication channel (such as HTTPS) between client and server. This will ensure that the application cookie will be transmitted only through the encrypted communication channel. If the application requirement mandates the inclusion of restricted\/confidential information as part of cookie and the cookie does not carry the SECURE attribute, then there may be an opportunity for information disclosure of restricted\/confidential information stored as part of the cookie during transmission over unencrypted channels<\/li>\r\n \t<li>Avoid usage of persistent cookies and if required, set the expiry date of persistent cookies to a short duration of time which is in-line with the requirements and sensitivity\/criticality of the data handled by the application<\/li>\r\n \t<li>Implement domain-specific cookies such that the cookies will not be transmitted to other sites by setting the \u201cDomain\u201d and \u201cPath\u201d attributes<\/li>\r\n \t<li>Set cookies to HTTP-ONLY to prevent potential misuse of information present in cookies by client side scripts. When this attribute is enabled, web browsers return empty responses to the client side script requests when tried to access application cookie<\/li>\r\n \t<li>Web applications should not mix or use same session identifier for encrypted and unencrypted communication channel on the same host \/ domain, as the request of any web object over an unencrypted channel might disclose the session ID<\/li>\r\n<\/ol>\r\n<strong>Cookie Management \u2013 Examples<\/strong>\r\n\r\n<strong>Example 1:<\/strong>\r\n<blockquote>The following example shows the secure implementation of cookie attributes:\r\n\r\nCookie applnCookie = new Cookie(cookieName, cookieValue);\r\n\r\n\/\/Ensure that max age value is very low\r\n\r\napplnCookie.setMaxAge(maxAge);\r\n\r\napplncookie.setSecure(true);\r\n\r\n\/\/Set domain name to restrict cookie transmission to other domains\r\n\r\napplncookie.setDomain(domainname);\r\n\r\n\/\/Set HTTP Only to the cookie using HTTPServletResponse object\r\n\r\nresponse.setHeader(&#8220;Set-Cookie&#8221;, \u201c&lt;cookiename&gt;=&lt;cookievalue&gt;; HTTPOnly&#8221;);<\/blockquote>\r\n<ol start=\"9\">\r\n \t<li><strong> Cryptography<\/strong><\/li>\r\n<\/ol>\r\nCryptography is the fundamental security element that protects data from adversaries either during storage or in-transit. Cryptographic systems provide secure authentication, non-repudiation, confidentiality and integrity.\r\n\r\nIf unaddressed, weak cryptography may lead to insecure storage or transmission of restricted\/confidential data affecting the confidentiality and integrity.\r\n\r\n<strong>Cryptography Standard<\/strong>\r\n<ol>\r\n \t<li>Use the framework provided built-in functionality such as Java Cryptography Extension (JCE) which provides a framework and implementation for encryption, key generation, key agreement and Message Authentication Code (MAC) algorithms. JCE provides support for encryption that includes symmetric, asymmetric, block, and stream ciphers.<\/li>\r\n \t<li>Use a strong cryptographic technique, taking into consideration the effectiveness of the algorithm, block size, and key size<\/li>\r\n \t<li>Do not use proprietary algorithms as these algorithms may be prone to weaknesses that could lead to compromise of information<\/li>\r\n \t<li>Generate random key and salt values in a secure way by using the built-in functionality, SecureRandom (java.security.SecureRandom) wherever required<\/li>\r\n \t<li>Do not transfer any restricted\/confidential data in the URL(via HTTP GET or any other user viewable format) and if there is a requirement to do so, then use strong encryption or hashing to conceal the data<\/li>\r\n \t<li>Protect cryptographic keys stored in a file through encryption, role-based access control and\/or file system permissions<\/li>\r\n \t<li>Log any changes made to the cryptographic keys<\/li>\r\n \t<li>Apply a process to upgrade the algorithms used over time as cryptography is always changing when using cryptographic functions<\/li>\r\n \t<li>Enforce the use of strong and secure cryptography controls (including encryption\/hashing algorithms, key management and salt values) for securing the sensitive information while in transit and during storage (both temporary and permanent).<\/li>\r\n \t<li>Preferred set of cryptographic algorithms are listed in the table below for additional reference,<\/li>\r\n<\/ol>\r\n<strong>Preferred Symmetric Encryption Algorithms <\/strong>\r\n<table width=\"100%\">\r\n<tbody>\r\n<tr>\r\n<td width=\"22%\">Table<\/td>\r\n<td width=\"38%\">Minimum Key Length<\/td>\r\n<td width=\"38%\">Usage Restrictions<\/td>\r\n<\/tr>\r\n<tr>\r\n<td width=\"22%\">AES<\/td>\r\n<td width=\"38%\">128 bits<\/td>\r\n<td width=\"38%\">Electronic Code Book (ECB) shall not be used. Other modes of operation are acceptable.<\/td>\r\n<\/tr>\r\n<tr>\r\n<td width=\"22%\">3DES<\/td>\r\n<td width=\"38%\">&nbsp;\r\n\r\n112 bits\r\n\r\n(excluding parity)<\/td>\r\n<td width=\"38%\">Restricted to the following mode of operation:\r\n<ul>\r\n \t<li>CBC (cipher block chaining)<\/li>\r\n<\/ul>\r\n<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<strong>Preferred Asymmetric Encryption Algorithms <\/strong>\r\n<table width=\"100%\">\r\n<tbody>\r\n<tr>\r\n<td width=\"22%\">Table<\/td>\r\n<td width=\"38%\">Minimum Key Length<\/td>\r\n<td width=\"38%\">Usage Restrictions<\/td>\r\n<\/tr>\r\n<tr>\r\n<td rowspan=\"2\" width=\"22%\">RSA<\/td>\r\n<td width=\"38%\">2048 bit modulus<\/td>\r\n<td width=\"38%\">No usage restriction<\/td>\r\n<\/tr>\r\n<tr>\r\n<td width=\"38%\">&nbsp;\r\n\r\n1024 bit modulus<\/td>\r\n<td width=\"38%\">Restricted to the following mode of operation:\r\n<ul>\r\n \t<li>CBC (cipher block chaining)<\/li>\r\n<\/ul>\r\n<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<strong>Preferred Digital Signature Algorithms<\/strong>\r\n<table width=\"100%\">\r\n<tbody>\r\n<tr>\r\n<td width=\"22%\">Table<\/td>\r\n<td width=\"38%\">Minimum Key Length<\/td>\r\n<td width=\"38%\">Usage Restrictions<\/td>\r\n<\/tr>\r\n<tr>\r\n<td rowspan=\"2\" width=\"22%\">RSA<\/td>\r\n<td width=\"38%\">2048 bit modulus<\/td>\r\n<td width=\"38%\">No usage restriction<\/td>\r\n<\/tr>\r\n<tr>\r\n<td width=\"38%\">1024 bit modulus<\/td>\r\n<td width=\"38%\">May be used where the key is associated with a valid certificate (i.e., one that is neither revoked nor expired)\r\n\r\nMay be used where a 1024 bit key is a documented requirement for interoperability shall not be used after 01\/01\/2011 to effect a SAFE compliant signature\r\n\r\nNote1: Not recommended for use in validated environments\r\n\r\nNote2: Transition to the use of a 2048 bit modulus is strongly recommended<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<strong>Other Symmetric Encryption Algorithms<\/strong>\r\n<table width=\"100%\">\r\n<tbody>\r\n<tr>\r\n<td width=\"22%\">Table<\/td>\r\n<td width=\"38%\">Minimum Key Length<\/td>\r\n<td width=\"38%\">Usage Restrictions<\/td>\r\n<\/tr>\r\n<tr>\r\n<td width=\"22%\">RC-4<\/td>\r\n<td width=\"38%\">128 bits<\/td>\r\n<td width=\"38%\">May be used as part of an SSL or TLS cipher suite where use of a preferred algorithm would cause a performance issue or where no technical solution using a preferred algorithm is available.<\/td>\r\n<\/tr>\r\n<tr>\r\n<td width=\"22%\">Twofish<\/td>\r\n<td rowspan=\"4\" width=\"38%\">128 bits<\/td>\r\n<td rowspan=\"4\" width=\"38%\">May be used where there is no technical solution available that uses a preferred algorithm.<\/td>\r\n<\/tr>\r\n<tr>\r\n<td width=\"22%\">Blowfish<\/td>\r\n<\/tr>\r\n<tr>\r\n<td width=\"22%\">IDEA<\/td>\r\n<\/tr>\r\n<tr>\r\n<td width=\"22%\">CAST<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\nGenerate the key and salt values in a secure manner using secure random algorithms. Use securely generated key or salt values along with encryption and hashing algorithms which will improve the overall security of the cryptographic control. For example, do not use unsalted password hashes in the application. The following hashing algorithms and digest lengths should be used, subject to the indicated restrictions (if any). They are listed in order of preference, starting with the most preferred.\r\n\r\n<strong>Hashing<\/strong>\r\n<table width=\"100%\">\r\n<tbody>\r\n<tr>\r\n<td width=\"22%\">Algorithm<\/td>\r\n<td width=\"38%\">Digest Length(s)<\/td>\r\n<td width=\"38%\">Usage Restrictions<\/td>\r\n<\/tr>\r\n<tr>\r\n<td width=\"22%\">SHA-3<\/td>\r\n<td width=\"38%\">224, 256, 384, or 512 bits<\/td>\r\n<td rowspan=\"3\" width=\"38%\">No Usage restrictions<\/td>\r\n<\/tr>\r\n<tr>\r\n<td width=\"22%\">SHA-2<\/td>\r\n<td width=\"38%\">224, 256, 384, or 512 bits<\/td>\r\n<\/tr>\r\n<tr>\r\n<td width=\"22%\">SHA-1<\/td>\r\n<td width=\"38%\">224, 256, 384, or 512 bits<\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<strong>Cryptography \u2013 Example <\/strong>\r\n\r\n<strong>Example 1: <\/strong>\r\n<blockquote>The following packages belonging to JCE, aid in data encryption:\r\n\r\nimport javax.crypto.KeyGenerator;\r\n\r\nimport javax.crypto.SecretKey;\r\n\r\nimport javax.crypto.Cipher;<\/blockquote>\r\n<strong>Example 2:<\/strong>\r\n\r\nThe following sample code shows AES key generation using KeyGenerator, initialization of the keysize to 128 followed by cipher creation and initialization by specifying the algorithm name i.e. AES:\r\n<blockquote>KeyGenerator key = KeyGenerator.getInstance(&#8220;AES&#8221;);\r\n\r\nkey.init(128);\r\n\r\nSecretKey secretKey = key.generateKey();\r\n\r\nCipher aesCipher = Cipher.getInstance(&#8220;AES&#8221;);\r\n\r\naesCipher.init(Cipher.ENCRYPT_MODE,secretKey);<\/blockquote>\r\n<strong>Example 3:<\/strong>\r\n\r\nThe aesCipher.doFinal(byteDataToEncrypt) is used to encrypt the data (byte data). Decryption is achieved through the same method doFinal but after initializing the cipher for decryption:\r\n<blockquote>aesCipher.init(Cipher.DECRYPT_MODE,secretKey,aesCipher.getParameters())<\/blockquote>\r\n<ol start=\"10\">\r\n \t<li><strong> Configuration Management<\/strong><\/li>\r\n<\/ol>\r\nConfiguration management is the arrangement of the application\u2019s functional units. It deals with the application configuration attributes which assist the application to be developed and deployed in a secure manner. The configuration settings of the application which are accessed and used throughout the application are specified in a centralized application configuration file. Some of the areas covered in the configuration file include database connection details, global variables used throughout the application, and compilation attributes.\r\n\r\nIf unaddressed, weak configuration management may lead to the following implications:\r\n<ul>\r\n \t<li>Breach of the confidentiality and integrity of the application<\/li>\r\n \t<li>Information leakage of internal workings<\/li>\r\n \t<li>Unencrypted connection strings and network transmission<\/li>\r\n<\/ul>\r\n<strong>Configuration Management Standard<\/strong>\r\n<ol>\r\n \t<li>Encrypt the username\/password information present in configuration file as part of database connection string<\/li>\r\n \t<li>Lock the application configuration settings and enforce a machine wide policy by setting appropriate attributes in the server configuration file, \u201cserver.xml\u201d. This tells the configuration system to throw an error if a lower-level configuration file attempts to override any locked configuration attribute<\/li>\r\n \t<li>Disable tracing on the production application<\/li>\r\n \t<li>Configure the request and response encoding<\/li>\r\n \t<li>Disable debug compilation on the application<\/li>\r\n \t<li>Access to administrative services should not be allowed over the Internet. Multifactor authentication mechanisms should be considered to enhance access control to such interfaces.<\/li>\r\n \t<li>Control access to application configuration files (such as web.xml). Consider the principle of \u201cleast privilege\u201d and \u201cneed-to-know-basis\u201d while setting up the access control to configuration files. These configuration files often contain restricted \/ confidential information such as passwords, connection parameters and access control information relating to the most critical assets in the system<\/li>\r\n \t<li>Prevent users from uploading very large files by enforcing restrictions on the size of the file to be uploaded using the application.<\/li>\r\n \t<li>Set global application error handler and redirect the error to a customized error page providing generic information without disclosing technology and sensitive details<\/li>\r\n \t<li>Set global data\/input validation in the configuration file so that it can be used consistently throughout the application<\/li>\r\n \t<li>Do not store the configuration files in the public folder<\/li>\r\n \t<li>Do not store sensitive information in the application configuration file in plain text. Store the sensitive information (for example, database connection string) in an encrypted form either in the configuration file itself or in some external sources (such as registry) and provide reference in the configuration file.<\/li>\r\n \t<li>If a web development framework are used then ensure that the latest version of modules, libraries or extensions are used that potentially fixes all the well- known vulnerabilities, as well as review and change the default configuration to enhance its security.<\/li>\r\n \t<li>Access to the files in the server should be provided only to authenticated and authorized set of users by following the principle of least privilege and on a need-to-know-basis.<\/li>\r\n \t<li>Restrict the users and their access rights based on the requirement. The web server directories should not have write permissions enabled unless it is used for uploading files by the application. The directory in which the files are uploaded by the application should not be in the webroot.<\/li>\r\n \t<li>Disable directory listing in the web server configuration. Directory listing will lead to disclosure of web directory and file information to the unauthorized users who are access the application via web browser.<\/li>\r\n \t<li>Server operating system and software\u2019s present in the server should be kept up-to-date and patched with the latest vendor supplied security patches.<\/li>\r\n \t<li>Vendor-supplied default user credentials and default unnecessary files\/modules\/functions should be removed from the systems. This should also include default stored procedures, views, tables and other database objects which are not required for the database system.<\/li>\r\n \t<li>Development, test and\/or custom application accounts, user IDs, and passwords should be removed before applications become active or are released to customers.<\/li>\r\n \t<li>Unnecessary software\u2019s and services should not be running on the system. The system should not have any additional software\u2019s or services (which are related to each other) apart from the primary requirement for which the system is developed or used. For example, it is not advisable to have a database system present in the web\/application server itself.<\/li>\r\n \t<li>Do not dynamically retrieve external build dependencies from untrusted sources. This may leave the build system vulnerable to malicious binaries and or lead to unexpected system\/application behavior.<\/li>\r\n<\/ol>\r\n<strong>Configuration Management \u2013 Examples<\/strong>\r\n\r\n<strong>Example 1:<\/strong>\r\n\r\nThe following code snippet shows configuration of application resources in struts using web.xml file:\r\n<blockquote>&lt;servlet&gt;\r\n\r\n&lt;servlet-name&gt;action&lt;\/servlet-name&gt;\r\n\r\n&lt;servlet-class&gt;\r\n\r\norg.apache.struts.action.ActionServlet\r\n\r\n&lt;\/servlet-class&gt;\r\n\r\n&lt;init-param&gt;\r\n\r\n&lt;param-value&gt;\r\n\r\ncom.example.ApplicationResources\r\n\r\n&lt;\/param-value&gt;\r\n\r\n&lt;\/init-param&gt;\r\n\r\n&lt;\/servlet&gt;<\/blockquote>\r\n<ol start=\"11\">\r\n \t<li><strong> Data Access<\/strong><\/li>\r\n<\/ol>\r\nIn Java enterprise applications, the data access layer includes the process of communication of data between the application and the storage repository (which could be a database, a flat-file, or a complete accounting system).\r\n\r\nIf unaddressed, weak data access controls may lead to the following implications:\r\n<ul>\r\n \t<li>Unauthorized access to data<\/li>\r\n \t<li>Performance of unauthorized operations on the application and related infrastructure<\/li>\r\n \t<li>Breach of the confidentiality, integrity and availability of information<\/li>\r\n<\/ul>\r\n<strong>Data Access Standard<\/strong>\r\n<ol>\r\n \t<li>Protect database login information\r\n<ul>\r\n \t<li>Allow web applications to use container managed connection pools to protect database login formation. Container managed connection pools should be used to configure applications and roles to use server resources<\/li>\r\n<\/ul>\r\n<\/li>\r\n \t<li>Secure the communication between data source and data access layer<\/li>\r\n \t<li>Data validation\r\n<ul>\r\n \t<li>Use prepared statements or stored procedures instead of dynamically generated SQL in data access layer to avoid SQL injection<\/li>\r\n \t<li>When making calls to backend databases, carefully validate the data provided to ensure that it does not contain any malicious content<\/li>\r\n \t<li>Validate all input, even when using prepared queries and stored procedures<\/li>\r\n<\/ul>\r\n<\/li>\r\n \t<li>Avoid external interpreters\r\n<ul>\r\n \t<li>Use library API\u2019s to call external resources<\/li>\r\n \t<li>Avoid using system calls such as exec, fork, Runtime.exe etc. to talk to external resources<\/li>\r\n<\/ul>\r\n<\/li>\r\n \t<li>Return minimal error information to users. Handle database errors at the data access layer through the use of database queries (i.e. using PL\/SQL error and exception handlers)<\/li>\r\n \t<li>Grant minimum privileges to the database user for access to the database resource. Follow the principle of Least Privilege wherein the user is given only the defined privileges required to perform the actions assigned to his role<\/li>\r\n \t<li>Do not allow unauthorized users to access or modify XML document information during transmission over the network by encrypting and digitally signing the XML documents. The following steps detail the process of creating a XML signature:\r\n<ul>\r\n \t<li>Determine the resources that are to be signed<\/li>\r\n \t<li>Calculate the digest of each resource.\u00a0 The &lt;DigestMethod&gt; element tells which algorithm is used to calculate the digest value<\/li>\r\n \t<li>Collect the &lt;Reference&gt; elements (with their associated digests) within a &lt;SignedInfo&gt; element<\/li>\r\n \t<li>Sign the digest and put the signature value in a &lt;SignatureValue&gt; element<\/li>\r\n \t<li>Add the key information that includes public key needed for signature verification<\/li>\r\n \t<li>Place the &lt;SignedInfo&gt;, &lt;SignatureValue&gt;, and &lt;KeyInfo&gt; elements into a &lt;Signature&gt; element. The &lt;Signature&gt; element comprises the XML signature<\/li>\r\n<\/ul>\r\n<\/li>\r\n \t<li>Encrypt XML documents containing restricted \/ confidential information (such as user credentials, connection parameters, user account details etc.)<\/li>\r\n \t<li>Digitally sign the XML document. Create and verify electronic signatures. Such a signature may be used for different purposes such as verifying the integrity and ensuring the non-repudiation<\/li>\r\n \t<li>Only allow legitimate parties to view content<\/li>\r\n \t<li>Ensure database user has minimum privileges to access database resource<\/li>\r\n \t<li>Avoid using system calls such as exec, fork, Runtime.exe etc to call external resources. Use library API\u2019s to call external resources<\/li>\r\n<\/ol>\r\n<strong>Data Access \u2013 Examples<\/strong>\r\n\r\n<strong>Example 1:<\/strong>\r\n\r\nThe following sample code details the creation of an XML signature:\r\n<blockquote>&lt;? Xml version=&#8221;1.0&#8243; encoding=&#8221;UTF-8&#8243;?&gt;\r\n\r\n&lt;Signature xmlns=&#8221;http:\/\/www.w3.org\/2000\/09\/xmldsig#&#8221;&gt;\r\n\r\n&lt;SignedInfo Id=&#8221;foobar&#8221;&gt;\r\n\r\n&lt;CanonicalizationMethod\r\n\r\nAlgorithm=&#8221;http:\/\/www.w3.org\/TR\/2001\/REC-xml-c14n-20010315&#8243;\/&gt;\r\n\r\n&lt;SignatureMethod\r\n\r\nAlgorithm=&#8221;http:\/\/www.w3.org\/2000\/09\/xmldsig#dsa-sha1&#8243; \/&gt;\r\n\r\n&lt;Reference\r\n\r\nURI=&#8221;http:\/\/www.abccompany.com\/news\/2000\/03_27_00.htm&#8221;&gt;\r\n\r\n&lt;DigestMethod\r\n\r\nAlgorithm=&#8221;http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1&#8243;\/&gt;\r\n\r\n&lt;DigestValue&gt;j6lwx3rvEPO0vKtMup4NbeVu8nk=&lt;\/DigestValue&gt;\r\n\r\n&lt;\/Reference&gt;\r\n\r\n&lt;Reference\r\n\r\nURI=&#8221;http:\/\/www.w3.org\/TR\/2000\/WD-xmldsig-core-\r\n\r\n20000228\/signature-example.xml&#8221;&gt;\r\n\r\n&lt;DigestMethod\r\n\r\nAlgorithm=&#8221;http:\/\/www.w3.org\/2000\/09\/xmldsig#sha1&#8243;\/&gt;\r\n\r\n&lt;DigestValue&gt;UrXLDLBIta6skoV5\/A8Q38GEw44=&lt;\/DigestValue&gt;\r\n\r\n&lt;\/Reference&gt;\r\n\r\n&lt;\/SignedInfo&gt;\r\n\r\n&lt;SignatureValue&gt;MC0E~LE=&lt;\/SignatureValue&gt;\r\n\r\n&lt;KeyInfo&gt;\r\n\r\n&lt;X509Data&gt;\r\n\r\n&lt;X509SubjectName&gt;CN=Ed Simon,O=XMLSec\r\n\r\nInc.,ST=OTTAWA,C=CA&lt;\/X509SubjectName&gt;\r\n\r\n&lt;X509Certificate&gt;\r\n\r\nMIID5jCCA0+gA&#8230;lVN\r\n\r\n&lt;\/X509Certificate&gt;\r\n\r\n&lt;\/X509Data&gt;\r\n\r\n&lt;\/KeyInfo&gt;\r\n\r\n&lt;\/Signature&gt;<\/blockquote>\r\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row][et_pb_column type=&#8221;4_4&#8243;][et_pb_team_member _builder_version=&#8221;3.0.106&#8243; name=&#8221;Nitesh&#8221; position=&#8221;Author&#8221; facebook_url=&#8221;&#8221; twitter_url=&#8221;&#8221; google_url=&#8221;&#8221; linkedin_url=&#8221;&#8221; background_layout=&#8221;light&#8221; header_font=&#8221;Titillium Web|700|||||||&#8221; body_font=&#8221;Titillium Web||||||||&#8221; body_font_size=&#8221;16&#8243; image_url=&#8221;https:\/\/asha24.net\/blog\/\/wp-content\/uploads\/2018\/03\/Nitesh.gif&#8221;]\r\n\r\nBonjour. A curious dreamer enchanted by various languages, I write towards making technology seem fun here at Asha24.\r\n\r\n[\/et_pb_team_member][\/et_pb_column][\/et_pb_row][\/et_pb_section]\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":50616,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[61],"tags":[],"class_list":["post-50550","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-java"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.0 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The Best Java Secure Coding Standards - Asha24 Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Best Java Secure Coding Standards - Asha24 Blog\" \/>\n<meta property=\"og:url\" content=\"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/\" \/>\n<meta property=\"og:site_name\" content=\"Asha24 Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-02-17T10:47:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-02-04T03:54:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/asha24.net\/blog\/wp-content\/uploads\/2018\/04\/pexels-photo-160107.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"853\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mahesh\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"36 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/asha24.net\/blog\/#website\",\"url\":\"https:\/\/asha24.net\/blog\/\",\"name\":\"Asha24 Blog\",\"description\":\"Dedication Towards Learning\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/asha24.net\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/asha24.net\/blog\/wp-content\/uploads\/2018\/04\/pexels-photo-160107.jpeg\",\"contentUrl\":\"https:\/\/asha24.net\/blog\/wp-content\/uploads\/2018\/04\/pexels-photo-160107.jpeg\",\"width\":1280,\"height\":853},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/#webpage\",\"url\":\"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/\",\"name\":\"The Best Java Secure Coding Standards - Asha24 Blog\",\"isPartOf\":{\"@id\":\"https:\/\/asha24.net\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/#primaryimage\"},\"datePublished\":\"2018-02-17T10:47:56+00:00\",\"dateModified\":\"2023-02-04T03:54:10+00:00\",\"author\":{\"@id\":\"https:\/\/asha24.net\/blog\/#\/schema\/person\/f6167b78bbaddfc399ae1154cd5b6759\"},\"breadcrumb\":{\"@id\":\"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/asha24.net\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The Best Java Secure Coding Standards\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/asha24.net\/blog\/#\/schema\/person\/f6167b78bbaddfc399ae1154cd5b6759\",\"name\":\"Mahesh\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/asha24.net\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/085c03e75ffb51af2509c1cfad9c7d78b30236d43a008db2e46f96e2f40c67fc?s=96&d=wavatar&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/085c03e75ffb51af2509c1cfad9c7d78b30236d43a008db2e46f96e2f40c67fc?s=96&d=wavatar&r=g\",\"caption\":\"Mahesh\"},\"url\":\"https:\/\/asha24.net\/blog\/author\/mahesh\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The Best Java Secure Coding Standards - Asha24 Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/","og_locale":"en_US","og_type":"article","og_title":"The Best Java Secure Coding Standards - Asha24 Blog","og_url":"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/","og_site_name":"Asha24 Blog","article_published_time":"2018-02-17T10:47:56+00:00","article_modified_time":"2023-02-04T03:54:10+00:00","og_image":[{"width":1280,"height":853,"url":"https:\/\/asha24.net\/blog\/wp-content\/uploads\/2018\/04\/pexels-photo-160107.jpeg","path":"\/home\/reviews981\/public_html\/asha24.net\/blog\/wp-content\/uploads\/2018\/04\/pexels-photo-160107.jpeg","size":"full","id":50616,"alt":"","pixels":1091840,"type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Written by":"Mahesh","Est. reading time":"36 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/asha24.net\/blog\/#website","url":"https:\/\/asha24.net\/blog\/","name":"Asha24 Blog","description":"Dedication Towards Learning","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/asha24.net\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/#primaryimage","inLanguage":"en-US","url":"https:\/\/asha24.net\/blog\/wp-content\/uploads\/2018\/04\/pexels-photo-160107.jpeg","contentUrl":"https:\/\/asha24.net\/blog\/wp-content\/uploads\/2018\/04\/pexels-photo-160107.jpeg","width":1280,"height":853},{"@type":"WebPage","@id":"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/#webpage","url":"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/","name":"The Best Java Secure Coding Standards - Asha24 Blog","isPartOf":{"@id":"https:\/\/asha24.net\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/#primaryimage"},"datePublished":"2018-02-17T10:47:56+00:00","dateModified":"2023-02-04T03:54:10+00:00","author":{"@id":"https:\/\/asha24.net\/blog\/#\/schema\/person\/f6167b78bbaddfc399ae1154cd5b6759"},"breadcrumb":{"@id":"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/asha24.net\/blog\/best-java-secure-coding-standards\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/asha24.net\/blog\/"},{"@type":"ListItem","position":2,"name":"The Best Java Secure Coding Standards"}]},{"@type":"Person","@id":"https:\/\/asha24.net\/blog\/#\/schema\/person\/f6167b78bbaddfc399ae1154cd5b6759","name":"Mahesh","image":{"@type":"ImageObject","@id":"https:\/\/asha24.net\/blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/085c03e75ffb51af2509c1cfad9c7d78b30236d43a008db2e46f96e2f40c67fc?s=96&d=wavatar&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/085c03e75ffb51af2509c1cfad9c7d78b30236d43a008db2e46f96e2f40c67fc?s=96&d=wavatar&r=g","caption":"Mahesh"},"url":"https:\/\/asha24.net\/blog\/author\/mahesh\/"}]}},"_links":{"self":[{"href":"https:\/\/asha24.net\/blog\/wp-json\/wp\/v2\/posts\/50550","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/asha24.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/asha24.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/asha24.net\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/asha24.net\/blog\/wp-json\/wp\/v2\/comments?post=50550"}],"version-history":[{"count":5,"href":"https:\/\/asha24.net\/blog\/wp-json\/wp\/v2\/posts\/50550\/revisions"}],"predecessor-version":[{"id":52179,"href":"https:\/\/asha24.net\/blog\/wp-json\/wp\/v2\/posts\/50550\/revisions\/52179"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/asha24.net\/blog\/wp-json\/wp\/v2\/media\/50616"}],"wp:attachment":[{"href":"https:\/\/asha24.net\/blog\/wp-json\/wp\/v2\/media?parent=50550"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/asha24.net\/blog\/wp-json\/wp\/v2\/categories?post=50550"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/asha24.net\/blog\/wp-json\/wp\/v2\/tags?post=50550"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}