Securing a software application matters more than ever. As the steady stream of breach headlines shows, recovering from a data breach or a compromise usually costs far more than writing secure code would have in the first place. Customers come to your application trusting it to protect their personal information; if the code has not been tested against security requirements, an attacker can steal that data and sell it or use it for their own ends.
1. Preventing SQL injection with a PreparedStatement
Key points to remember for SQL injection:
- Never build SQL statements by concatenating user-supplied values into the query text. That is exactly what makes SQL injection possible.
- Avoid dynamic SQL. Use a PreparedStatement with parameterized queries (? placeholders), so the query structure is fixed and the input travels to the database as data, not as part of the statement.
- Stored procedures help only if they do not build dynamic SQL internally; a procedure that concatenates its arguments into a string and executes it is just as injectable.
- Validate input against a whitelist of what is allowed (format, length, or a fixed set of accepted values).
- Escape user-supplied input only as a last resort when none of the above is possible; escaping rules are database-specific and easy to get wrong.
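The contrast between the two styles, as an added example that is not part of the original post: the first method concatenates the username into the query text, the second binds it as a parameter. The main method assumes the H2 in-memory database is on the classpath (the JDBC URL and the users table are constructed for this demo and are not from the original article).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserLookup {

    // VULNERABLE: the user-supplied name becomes part of the SQL text.
    // The input  ' OR '1'='1  turns the WHERE clause into a tautology and
    // the query returns the first row of the table regardless of the name.
    static String findEmailUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return rs.next() ? rs.getString("email") : null;
        }
    }

    // HARDENED: the SQL text is fixed at compile time; the value is bound with
    // setString and sent to the driver as data, so quotes in the input cannot
    // change the shape of the statement.
    static String findEmailSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT email FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 is on the classpath; the driver registers itself via ServiceLoader.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1")) {
            try (Statement s = conn.createStatement()) {
                // Constructed sample data for the demo.
                s.execute("CREATE TABLE users (username VARCHAR(32) PRIMARY KEY, email VARCHAR(128))");
                s.execute("INSERT INTO users VALUES ('alice', 'alice@example.com')");
                s.execute("INSERT INTO users VALUES ('bob', 'bob@example.com')");
            }

            String attack = "' OR '1'='1";
            System.out.println("unsafe: " + findEmailUnsafe(conn, attack));  // leaks a row
            System.out.println("safe:   " + findEmailSafe(conn, attack));    // no such user
            System.out.println("safe:   " + findEmailSafe(conn, "bob"));     // legitimate lookup
        }
    }
}
```

The only difference that matters is where the input enters: in the unsafe method it is spliced into the statement, in the safe method it is handed to the driver separately. Note that a PreparedStatement only protects the values; table names, column names and ORDER BY clauses still cannot be bound and need a whitelist (see the next section).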
2. Sanitize your inputs
Insufficient input validation is probably the single most common root cause of security vulnerabilities in web applications. Validate every value that crosses a trust boundary (request parameters, headers, cookies, uploaded file names) against what you expect it to be, and reject anything that does not match rather than trying to clean it up.
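Whitelist validation in practice, as an added example (not code from the original post): a regular expression describes the only acceptable shape of a username, and a user-chosen sort column, which cannot be bound as a JDBC parameter, is mapped through a fixed table of known column names. The pattern, the column names and the sample inputs are assumptions for the demo.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

public final class InputValidation {

    // Allowlist: describe what valid input looks like and reject everything else,
    // instead of trying to enumerate and strip "dangerous" characters.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,32}$");

    // ORDER BY columns are identifiers, not values, so a PreparedStatement cannot
    // bind them. The safe approach is to map the client's request key to a fixed
    // set of column names that the application controls.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "name", "username",
            "created", "created_at",
            "email", "email");

    // Returns the normalised username, or empty if the input is not acceptable.
    static Optional<String> validUsername(String raw) {
        if (raw == null) {
            return Optional.empty();
        }
        String trimmed = raw.trim();
        return USERNAME.matcher(trimmed).matches() ? Optional.of(trimmed) : Optional.empty();
    }

    // Returns a column name from the allowlist; anything not in the map is refused.
    // The message deliberately does not echo the rejected input back to the caller.
    static String sortColumn(String requested) {
        String column = SORT_COLUMNS.get(requested);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort key");
        }
        return column;
    }

    // Builds the ORDER BY clause only from the allowlisted identifier; the
    // WHERE value stays a bound parameter in the caller's PreparedStatement.
    static String orderedQuery(String requestedSort) {
        return "SELECT username, email FROM users WHERE active = ? ORDER BY " + sortColumn(requestedSort);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate, two hostile.
        System.out.println(validUsername("alice_01"));
        System.out.println(validUsername("' OR '1'='1"));
        System.out.println(orderedQuery("created"));
        try {
            orderedQuery("username; DROP TABLE users");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```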
3. Designing a Secure Object
- Limiting accessibility: make all instance variables private to provide strong encapsulation.
- Restricting extensibility: mark the class as final, so a subclass cannot add mutable state or override the accessors.
- Creating immutable objects: String, and the collections returned by List.of(), Set.of() and Map.of(), are immutable. Design your own objects so that their state cannot change once constructed:
- Don't define any setter methods, and make the fields final.
- Don't allow a referenced mutable object to be modified: return a copy (or an unmodifiable view) from a getter instead of the internal reference.
- Use the constructor to set all properties of the object, making a defensive copy of any mutable argument.
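An immutable class that follows all of the points above, as an added example rather than code from the original post. The class name, fields and the main method's sample data are assumptions for the demo. java.util.Date is used deliberately because it is mutable, which is what makes the copy-in and copy-out necessary.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Objects;

// final: no subclass can add mutable state or override the accessors.
public final class Account {
    private final String owner;        // String is immutable, safe to store as-is
    private final List<String> roles;  // stored as an unmodifiable copy
    private final Date createdAt;      // java.util.Date is mutable: copy in, copy out

    public Account(String owner, List<String> roles, Date createdAt) {
        this.owner = Objects.requireNonNull(owner);
        // Defensive copy: later changes to the caller's list cannot leak in, and
        // List.copyOf yields an unmodifiable list, so getRoles() can return it directly.
        this.roles = List.copyOf(roles);
        this.createdAt = new Date(createdAt.getTime());
    }

    public String getOwner() {
        return owner;
    }

    // Already unmodifiable, so handing out the reference is safe.
    public List<String> getRoles() {
        return roles;
    }

    // Return a copy so a caller cannot call setTime() on our internal Date.
    public Date getCreatedAt() {
        return new Date(createdAt.getTime());
    }

    // No setters: the state is fixed once the constructor completes.

    public static void main(String[] args) {
        // Constructed sample input.
        List<String> roles = new ArrayList<>(List.of("user"));
        Date created = new Date(1_600_000_000_000L);
        Account acct = new Account("alice", roles, created);

        roles.add("admin");                 // mutates only the caller's own list
        created.setTime(0);                 // mutates only the caller's own Date
        acct.getCreatedAt().setTime(0);     // mutates only the returned copy

        System.out.println("roles: " + acct.getRoles());
        System.out.println("createdAt unchanged: " + (acct.getCreatedAt().getTime() == 1_600_000_000_000L));
        try {
            acct.getRoles().add("admin");   // unmodifiable list refuses the change
        } catch (UnsupportedOperationException e) {
            System.out.println("roles cannot be modified through the getter");
        }
    }
}
```

With these rules in place an Account can be shared freely between threads and passed to untrusted code without any risk of its state being altered behind the owner's back.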
4. Guarding Sensitive Data from Output
Avoid putting confidential information into a toString() method; that is an invitation for it to end up logged somewhere you did not intend. Attackers look for confidential information in the following places, so make sure it never reaches them:
- Log files
- Printed exceptions or stack traces
- System.out and System.err messages
- Data files written by the application
5. Protecting Data in Memory
If your application crashes, it may generate a heap dump that contains the value of everything that was in memory. Hold secrets such as passwords in a char[] rather than a String (Console.readPassword() returns a char[] for exactly this reason):
- A char[] is not a String, so Java will not place it in the string pool, where it could remain in memory for a long time.
- You can overwrite the array elements (for example with Arrays.fill) as soon as you are done with them, rather than waiting for the garbage collector to clean up; a String is immutable and cannot be wiped.
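The two previous sections together, as an added example that is not code from the original post: a credential holder that keeps the password as a char[], wipes it in close() so it can be used in try-with-resources, and whose toString() redacts the secret so that logging the object is harmless. The class name and the sample password are assumptions for the demo.

```java
import java.util.Arrays;

// Holds a secret as char[] so it can be wiped on demand. A String would sit in
// the heap (and possibly the string pool) until the garbage collector removes it.
public final class Credential implements AutoCloseable {
    private final String username;
    private final char[] password;
    private boolean cleared;

    public Credential(String username, char[] password) {
        this.username = username;
        // Copy so that the caller's array and ours can be wiped independently.
        this.password = password.clone();
    }

    // Hand out a copy; the caller is responsible for wiping it after use.
    public char[] getPassword() {
        if (cleared) {
            throw new IllegalStateException("credential already cleared");
        }
        return password.clone();
    }

    // Overwrite the secret as soon as it is no longer needed instead of waiting for GC.
    @Override
    public void close() {
        Arrays.fill(password, '\0');
        cleared = true;
    }

    // toString deliberately omits the secret, so log statements, exception messages
    // built by concatenation and debugger output never expose it.
    @Override
    public String toString() {
        return "Credential[username=" + username + ", password=<redacted>]";
    }

    public static void main(String[] args) {
        // Constructed sample input; in a real program this would come from Console.readPassword().
        char[] fromConsole = {'s', '3', 'c', 'r', 'e', 't'};
        try (Credential cred = new Credential("alice", fromConsole)) {
            char[] working = cred.getPassword();
            // ... authenticate with the working copy here ...
            Arrays.fill(working, '\0');          // wipe the working copy
            System.out.println("logging: " + cred); // safe: the secret is not printed
        } finally {
            Arrays.fill(fromConsole, '\0');      // wipe the original as well
        }
    }
}
```

Wiping is best effort: the JVM may have moved or copied the array during garbage collection, and any String built from the characters (for example by a library that insists on a String) undoes the benefit. Still, keeping the secret out of String objects and clearing it promptly shrinks the window in which a heap dump or memory read would find it.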
6. Limiting File Access
A system administrator can write a security policy that restricts which files or directories the application may access. The policy can grant the program permission to read a file but not update it, or to update it but not read it. Note that the Java security manager on which these policy files depend is deprecated for removal as of Java 17 (JEP 411), so do not rely on it as your only control; operating-system file permissions and running the application under a least-privilege account remain the primary defences.
This covers most of the common security best practices. The Open Web Application Security Project (OWASP) publishes a Top 10 list of the most critical web application security risks, which is a good place to continue reading.