Security

The Java Class Library provides a number of APIs related to security, such as standard cryptographic algorithms, authentication, and secure communication protocols(SSL).

The JVM is binary form of programs running on the Java platform is not native machine code but an intermediate bytecode. The JVM performs verification on this bytecode before running it to prevent the program from performing unsafe operations such as branching to incorrect locations, which may contain data rather than instructions. It also allows the JVM to enforce runtime constraints such as array bounds checking.

Java objects/data can be cryptographically signed using various cryptography algorithms. The data is stored as in java objects form and can be extra protected using various encryption algorithms so that the data is not easily extractable.

Java has an inbuild Security Manager, a security manager is an object that defines a security policy for an application. This policy specifies actions that are unsafe or sensitive. Any actions not allowed by the security policy cause a SecurityException to be thrown. An application can also query its security manager to discover which actions are allowed.

The various ways for security for web applications are:

·         Authentication and Authorization by using various frameworks like spring security, JWT, OAuth  etc

·         Using basic Http Authentication or Form based authentication

·         Form based validation to be also performed on API server side as the client may disable the script validation so server/API has to handle the validations

·         Use parameterized input with Type-Safe for dynamic SQL statements to prevent the SQL injection

·         API responses should be either JSON objects (not json strings) or XML

·         Use servlet filters to intercept the client requests

·         Audit logs to be recorded as physical file as well as stored in database for debugging/tracing/reporting. The logs retention period days should be configured in application configuration file based on this value, the days prior log files should be deleted from the system

·         Windows API errors to be logged to Windows Event Logs

Use Cryptographic protocols (SSL) for JAVA web APIs for supporting the TLS 1.2 AES with 256 bit encryption