The Java Class Library provides a number of APIs related to security, such as standard cryptographic algorithms, authentication, and secure communication protocols (SSL).
The binary form of programs running on the Java platform is not native machine code but an intermediate bytecode. The JVM verifies this bytecode before running it, to prevent the program from performing unsafe operations such as branching to incorrect locations, which may contain data rather than instructions. Running on bytecode also allows the JVM to enforce runtime constraints such as array bounds checking.
Java objects and data can be cryptographically signed using various algorithms. Data held in Java object form can additionally be protected with encryption so that it is not easily extracted.
Java has a built-in Security Manager. A security manager is an object that defines a security policy for an application. This policy specifies actions that are unsafe or sensitive. Any action not allowed by the security policy causes a SecurityException to be thrown. An application can also query its security manager to discover which actions are allowed.
The various ways to secure web applications are:
· Authentication and authorization using frameworks such as Spring Security, JWT, OAuth, etc.
· Using basic HTTP authentication or form-based authentication
· Form validation must also be performed on the API/server side, because the client may disable script validation, so the server/API has to handle validation itself
· Use parameterized, type-safe input for dynamic SQL statements to prevent SQL injection
· API responses should be either JSON objects (not JSON strings) or XML
· Use servlet filters to intercept client requests
· Audit logs are to be recorded as physical files as well as stored in a database for debugging, tracing and reporting. The log retention period in days should be configured in the application configuration file; based on this value, log files older than that number of days should be deleted from the system
· Windows API errors are to be logged to the Windows Event Log
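The parameterized-input point above, shown as an added example that is not part of the original post: a string-built JDBC query next to its PreparedStatement replacement. It assumes a `users` table with `username`, `role` and `tenant_id` columns and a caller-supplied `Connection` (any JDBC driver on the classpath); `main()` needs no database and only shows how the two query texts differ.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/** Added example: the string-built query beside its parameterized replacement. */
public class UserLookup {

    // VULNERABLE: the request value becomes part of the SQL text, so input such as
    // the constructed sample in main() changes the query's structure, not just its data.
    static String concatenatedQuery(String username) {
        return "SELECT role FROM users WHERE username = '" + username + "'";
    }

    // Shown only for contrast with findRole(); do not use this pattern.
    static String findRoleUnsafe(Connection conn, String username) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(concatenatedQuery(username))) {
            return rs.next() ? rs.getString("role") : null;
        }
    }

    // SAFE: the SQL text is a constant; each input is bound as a typed parameter,
    // so the driver transmits it as a value and it cannot rewrite the statement.
    static String findRole(Connection conn, String username, int tenantId) throws SQLException {
        String sql = "SELECT role FROM users WHERE username = ? AND tenant_id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);   // type-safe binding; quoting is the driver's job
            ps.setInt(2, tenantId);      // an int parameter: non-numeric input cannot reach it
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("role") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample input (hypothetical); no database needed to see the difference.
        String hostile = "x' OR '1'='1";
        System.out.println(concatenatedQuery("alice"));   // intended: matches one user
        System.out.println(concatenatedQuery(hostile));   // WHERE clause is now always true
        System.out.println("Parameterized text never changes: "
                + "SELECT role FROM users WHERE username = ? AND tenant_id = ?");
    }
}
```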