views: 104
answers: 3

What steps can be taken to make sure a web application using Hibernate, Spring and JSF is secure? What vulnerabilities can exist and what security framework, if any, is standard?

+2  A: 

A good set of practices noted by Joel Coehoorn and a couple of others in answering a similar question here:

  • It's a lot to digest but the OWASP development guide covers Web Site security from top to bottom
  • Know about SQL injection and how to prevent it
  • Never trust user input (cookies count as user input too!)
  • Encrypt Hash and salt passwords rather than storing them plain-text.
  • Don't try to come up with your own fancy authentication system: it's such an easy thing to get wrong in subtle and untestable ways and you wouldn't even know it until after you're hacked.
  • Know the rules for processing credit cards. See this question as well: http://stackoverflow.com/questions/51094/payment-processors-what-do-i-need-to-know-if-i-want-to-accept-credit-cards-on-m
  • Use SSL/HTTPS for login and any pages where sensitive data is entered (like credit card info)
  • How to resist session hijacking
  • Avoid cross site scripting (XSS)
  • Avoid cross site request forgeries (XSRF)
  • Keep your system(s) up to date with the latest patches
  • Make sure your database connection information is secured.
  • Keep yourself informed about the latest attack techniques and vulnerabilities affecting your platform.
  • Read The Google Browser Security Handbook
KMan
This is completely unrelated to the question.
Rook
@TheRook: Thanks for pointing out; it was related when the question was unedited.
KMan
+2  A: 

Security isn't solved just by using a framework. It requires a lot of education, understanding, creativity, and evaluation of risk to avoid making mistakes.

Start by reading these URLs

And definitely be up to speed on the top kinds of vulnerabilities, etc. An introduction to security, including the "no silver bullet" article.

Kimball Robinson
+2  A: 

I would concur with the other responses in that there is no silver bullet for security or simple framework you just plug in and tada, you're security enabled. Do check out the OWASP site which is a great resource for learning about security.

And fully understanding security yourself (rather than delegating security to frameworks) will ultimately make your application more secure. For example, JSF prevents most (if not all?) XSS type attacks by default, but you can override this feature, possibly without realising the security implications and suddenly your JSF code is exposed.

Since no one has mentioned it, static code analysis can help too. Check out things like FindBugs, PMD, and Checkstyle among others for basic and free code analysis. Or go for something more heavy duty like Fortify which is designed specifically to detect security vulnerabilities in your application.

Chris Knight
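To make concrete what the answer above means by JSF's XSS protection being on by default and switchable off: `h:outputText` HTML-escapes its value unless `escape="false"` is set. The class below is an added example, not part of the answer or of JSF; it shows in plain JDK code what the two settings produce for the same untrusted comment. The escaping routine, the render methods and the sample input are this example's own constructions.

```java
public class HtmlEscaper {
    // Encodes the five characters that let untrusted text break out of an
    // HTML text node or a quoted attribute value. This is the kind of
    // encoding a JSF renderer applies when escape is left at its default.
    public static String escapeHtml(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // What the page ends up containing with <h:outputText value="#{bean.comment}" escape="false"/>:
    // the user's markup is emitted verbatim and becomes part of the document.
    public static String renderUnescaped(String comment) {
        return "<div class=\"comment\">" + comment + "</div>";
    }

    // What the page contains with the JSF default (escape="true"):
    // the same input is shown as text, not interpreted as markup.
    public static String renderEscaped(String comment) {
        return "<div class=\"comment\">" + escapeHtml(comment) + "</div>";
    }

    // True if the rendered fragment still contains a raw tag from the input,
    // i.e. the output encoding was bypassed.
    public static boolean containsRawTag(String rendered, String tag) {
        return rendered.contains("<" + tag);
    }

    public static void main(String[] args) {
        // Constructed sample of a user-supplied comment that carries markup.
        String comment = "Nice post <b>thanks</b> & <script>alert('x')</script>";

        String unsafe = renderUnescaped(comment);
        String safe = renderEscaped(comment);

        System.out.println("escape=\"false\": " + unsafe);
        System.out.println("default:        " + safe);
        System.out.println("raw <script> survives with escape=false: "
                + containsRawTag(unsafe, "script"));
        System.out.println("raw <script> survives with default:      "
                + containsRawTag(safe, "script"));
    }
}
```

A static analysis tool of the kind the answer mentions can flag every `escape="false"` in your Facelets pages; each one is a place where a reviewer should be able to say exactly why the value is trusted and where it was sanitised.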