Secure Java: For Web Application Development, 1st Edition (Paperback) book cover

Secure Java

For Web Application Development, 1st Edition

By Abhay Bhargav, B. V. Kumar

CRC Press

308 pages | 69 B/W Illus.

Purchasing Options:$ = USD
Paperback: 9781439823514
pub: 2010-09-14
SAVE ~$18.19
Hardback: 9781138436954
pub: 2017-07-27
SAVE ~$41.00
eBook (VitalSource) : 9780429094545
pub: 2010-09-14
from $43.98

FREE Standard Shipping!


Most security books on Java focus on cryptography and access control, but exclude key aspects such as coding practices, logging, and web application risk assessment. Encapsulating security requirements for web development with the Java programming platform, Secure Java: For Web Application Development covers secure programming, risk assessment, and threat modeling—explaining how to integrate these practices into a secure software development life cycle.

From the risk assessment phase to the proof of concept phase, the book details a secure web application development process. The authors provide in-depth implementation guidance and best practices for access control, cryptography, logging, secure coding, and authentication and authorization in web application development. Discussing the latest application exploits and vulnerabilities, they examine various options and protection mechanisms for securing web applications against these multifarious threats. The book is organized into four sections:

  • Provides a clear view of the growing footprint of web applications
  • Explores the foundations of secure web application development and the risk management process
  • Delves into tactical web application security development with Java EE
  • Deals extensively with security testing of web applications

This complete reference includes a case study of an e-commerce company facing web application security challenges, as well as specific techniques for testing the security of web applications. Highlighting state-of-the-art tools for web application security testing, it supplies valuable insight on how to meet important security compliance requirements, including PCI-DSS, PA-DSS, HIPAA, and GLBA. The book also includes an appendix that covers the application security guidelines for the payment card industry standards.


Given that Java is the platform of choice for enterprise application development the world over, this book fills a much-needed gap by thoroughly and clearly outlining the security requirements of such a critical platform. I strongly believe that this work will prove invaluable to a wide audience, including Java developers, architects, and students.

—Kris Gopalakrishnan, CEO, Infosys Technologies Ltd.

… a great resource that covers all of the essential topics when building out an application security program.

—Ed Bellis, CISO, Orbitz Worldwide

Table of Contents

The Internet Phenomenon

Evolution of the Internet and the World Wide Web

Mainframe Era

Client/Server Era

Distributed Computing Architecture

Internet and World Wide Web Era

Problems with Web Architecture

Web Applications and Internet

Role and Significance of Java Technology in Web Applications

Security in Java Web Applications

Introducing Information Security

Information Security: The Need of the Hour

The Need for Information Security

The Motivation for Security

Some Basic Security Concepts

The Pillars of SecurityThe CIA Triad

Risk 101


Internet Security Incidents and Their Evolution

The 1970s

The 1980s

The 1990s

The 2000sPresent Day

SecurityMyths and Realities

There Is No Insider Threat

Hacking Is Really Difficult

Geographic Location Is Hacker-Proof

One Device Protects against All

Introducing Web Application Security

Web Applications in the Enterprise

What Is a Web Application?

Ubiquity of Web Applications

Web Application Technologies

Java as Mainstream Web Application Technology

Why Web Application Security?

A Glimpse into Organizational Information Security

The Need for Web Application Security

Web Application SecurityThe Challenges

Client-Side Control and Trust

Pangs of the Creator

Flawed Application Life Cycle


Legacy Code

Business Case Issues

Web Application Security—A Case Study

The Business NeedAn E-Commerce Application

The Company

The Existing Application Environment

Importance of Security

Panthera’s Plan for Information Security

Outlining the Application Requirements

The Request for Proposal

An Overview of the Application Development Process

The Application Development Process


Insights into Web Application Security Risk

The Need for Web Application Security Risk Management

Risk Management

The Benefits of Risk Management for Web Applications

Overview of the Risk Assessment Phase

System Characterization Process--Risk Assessment

An Overview of the System Characterization Process

Understanding Basic Application Architecture

Developing Security Policies for the Web Application

A Broad Overview of Security Policies for the Web Application

Security Compliance and Web Application Security

Threat Analysis

Understanding and Categorizing Security Vulnerabilities

Common Web Application Vulnerabilities

Basic Understanding of Threats and Associated Concepts

Threat Profiling and Threat Modeling

Risk Mitigation StrategyFormulation of Detailed Security Requirements for the Web Application

Risk Assessment for an Existing Web Application

Risk Assessment for the Typical E-Commerce Web Application

System Characterization of Panthera’s E-Commerce Application

Identification of Critical Information Assets

Practical Techniques to Identify Critical Information Assets

Identified Critical Information Assets for Panthera’s Web Application

User Roles and Access to Critical Information Assets

Application Deployment Architecture and Environment

Security Policies for the Web Application and Requirements

Panthera’s Security Policies

Threat Analysis

Threat Profiling

Threat Modeling

Risk Mitigation StrategyFormulation of Detailed Security Features for Panthera’s E-Commerce Application

Authentication and Authorization

Cryptographic Implementation for Panthera’s E-Commerce Application


Secure Coding Practices


Developing a Bulletproof Access Control System for a Java Web Application

Overview of Access Control Systems

A Brief History/Evolution of Access Control Mechanisms

An Overview of Access Control

Access Control Models

Developing a Robust Access Control System for Web Applications

Attacks against Web Application Access Control

User CredentialsUsernames and Passwords

SessionMaintaining a Secure State for Web Applications

AuthorizationEffective Authorization for a Web Application

Other Best Practices

Security Compliance and Web Application Access Control


Implementing a Secure Authentication and Authorization System for a Java Web Application

Java Security Overview

Java Authentication and Authorization Services


Process of Authentication

Process of Authorization

Application Data Protection Techniques

Overview of Cryptography

Evolution of Cryptography

CryptographyTerminology and Definitions

Symmetric and Asymmetric Cryptography

Block Ciphers and Stream Ciphers

Block Cipher Modes of Encryption

Crypto Attacks

Crypto Implementation for Web Applications

Data Protection with CryptographyA Primer

A Study of Encryption Algorithms and Hashing Functions

Implementation Implications of Encryption in Web Applications

Key ManagementPrinciples and Practical Implementation

Security Compliance and Cryptography

Java Implementation for Web Application Cryptography

Implementation Independence

Implementation Interoperability

Algorithm Extensibility and Independence

Architecture Details

Core Classes, Interfaces, and Algorithms of JCA

Protection of Data-in-Transit

History of Secure Socket Layer/Transport Layer Security

Java Secure Socket Extensions for Secure Data Transmissions

Features of the JSSE

Cryptography and JSSE

Core Classes and Interfaces of JSSE

Support Classes and Interfaces

Effective Application Monitoring: Security Logging for Web Applications

The Importance of Logging for Web ApplicationsA Primer

Overview of Logging and Log Management

Logging for SecurityThe Need of the Hour

Need for Web Application Security Logging

Developing a Security Logging Mechanism for a Web Application

The Constituents of a Web Application Security Log

Web Application LoggingInformation to Be Logged

Details to Be Omitted from Web Application Logs

Application LoggingBest Practices

Security Compliance and Web Application Logging

Logging Implementation Using Java

Control Flow

The Core Classes and Interfaces

Secure Coding Practices for Java Web Applications

Java Secure Coding PracticesAn Overview

A Case for Secure Coding Practices

Java Secure Coding PracticesAn Introduction

Input Validation and Output Encoding

The need for Input Validation and Output Encoding

User Input Validation for Java Web Applications

Java Implementation for Input Validation and Output Encoding

Secure Database Queries

Need for Secure Database Access


Security Testing for Web Applications

Overview of Security Testing for Web Applications

Security Testing for Web ApplicationsA Primer

Need for Web Application Security Testing

Security Testing Web ApplicationsSome Basic Truths

Integration of Security Testing into Web Application Risk Management

Designing an Effective Web Application Security Testing Practice

Approach to Web Application Security Testing

Threat Models for Effective Security Testing

Web Application Security TestingCritical Success Factors

Security Testing for Web Applications and Security Compliance

Practical Web Application Security Testing

Web Application Vulnerability Assessment and Penetration Testing

Approach to Practical Web Application Testing

Tools and Technologies for Practical Security Testing

Practical Security Testing for Web Applications

Information Gathering and Enumeration

Testing Web Application for Access Control

Testing Data Validation

Appendix A: Application Security Guidelines for the Payment Card Industry Standards (PCI-DSS and PA-DSS)


Each chapter concludes with a Summary

About the Authors

Abhay Bhargav is the founder and CTO of we45 Solutions India Pvt. Ltd., an information security solutions company. As the CTO of we45, his primary role is to deliver information security consulting solutions for diverse clientele. He also oversees the information security research and application development activities of we45. He has performed security assessments for enterprises in various industires including banking, software development, retail, telecom, and legal. Previously, he was a security assessor for the payment card industry and has led several security assessments for payment card industry compliance.

He specializes in Web application security and has performed security testing and consulting engagements for a wide array of enterprises and governmental/quasi-governmental entities. He also possesses security code review, vulnerability assessment, and penetration testing experience. He has been involved in several such assessments for small and large clients from various industries.

Abhay is a regular speaker at industry events. He has spoken at the OWASP (Open Web Application Security Project) AppSec Conference in New York. He is a regular speaker at prestigious industry events such as the PCI Summit in Mumbai, December 2008, Business Technology Summit and events organized by the Confederation of Indian Industry (CII). He is also a trainer and has led several public workshops on information security subjects including PCI, PA-DSS, Web application security, and risk assessment.

Apart from his professional interests, Abhay is also a trained Carnatic classical flutist and vocalist. He is also a playwright who has an English comedy play to his writing credits. He blogs actively and maintains an information security blog. He writes articles on computer education for the rural youth on a weekly basis for a leading daily.

Dr. B. V. Kumar, currently the director at SESCon Technology Solutions, has a Masters in Technology from IIT Kanpur and a Ph.D. from IIT Kharagpur. He has more than 20 years of experience in the field of information technology at various levels and in organizations such as ComputerVision Corporation (Singapore), Parametric Technologies (Seoul, S. Korea), Sun Microsystems (India), and Infosys. Prior to SESCon, Dr. Kumar was director and chief architect at Cognizant Technology Solutions and was responsible for the research and development activities such as IP creation, technology evangelization, and branding and project support as well as new initiatives at Cognizant.

Dr. Kumar has been working on the enterprise technologies for more than 8 years, focusing on the new enterprise Java and Web services technologies. As a chief architect and director at SESCon Technology Solutions, Dr. Kumar is managing IP and asset creation, technology branding and evangelization, community development, project support, and educational services. Dr. Kumar has filed for two patents in the IT space and published many technological papers in international journals and conferences. He has coauthored Web Services: An Introduction (ISBN 0070593787), J2EE Architecture (ISBN 007059936X), and, more recently, Implementing SOA Using Java EE (ISBN 0321492153).

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Programming Languages / General
COMPUTERS / Software Development & Engineering / General
COMPUTERS / Security / General