Tag: Java developer

Best Practices for Writing Secure Java Code

Posted on by eugene evdokimov

Every Java developer should follow coding standards and best practices to develop secure Java code. It is critical your code is not vulnerable to exploits or malicious attacks. In recent times, even big organizations like eBay, the CIA, and the IRS have fallen victim to vulnerabilities in their applications that have been discovered and exploited by attackers. 

The following guidelines provide a solid foundation for writing secure Java code and applications. These will minimize the possibility of creating security vulnerabilities caused by Java developers and help prevent known malicious attacks. 

1. Only Use Tried and Tested Libraries 

A large percentage of the code in applications is sourced from public libraries and frameworks. These libraries can contain vulnerabilities that may allow a malicious attacker to exploit your application. 

Organizations trust their business and reputation to the libraries they use, so make sure you only use proven ones and keep them up to date with the latest versions. Consider checking if they have any known vulnerabilities or require any security fixes.

2. Avoid Serialization

Java serialization is inherently insecure which is why Oracle recently announced it has a long-term plan to remove it. Serialization vulnerabilities were recently found in Cisco and Jenkins applications. 

Any application that accepts serialized Java objects is vulnerable, even if a library or framework is responsible and not your own Java code. One area to watch out for is making an interface serializable without thinking through what could be exposed. Another pitfall to avoid is accidentally making a security-sensitive class serializable, either by subclassing or implementing a serializable interface.

3. Always Hash User Passwords

Never store any passwords as plain text. Always hash user passwords preferably using a salted hash and a recommended hashing algorithm like SHA-2. When a password has been ‘hashed’, it has been turned into a scrambled version of itself. Using a predefined key known to the application, the hash value is derived from a combination of both the password and the key using a hashing algorithm.

4. Filter Sensitive Information From Exceptions

Exception objects can contain sensitive information that can assist an attacker hoping to exploit your system. An attacker can manufacture input arguments to expose internal structures and mechanisms of the application. It’s important to remember that information can be leaked from the exception message text and the type of an exception.

Take for example the FileNotFoundException message. These messages contain information about the layout of the file system and the exception type reveals the missing requested file. 

To secure Java code applications, you should filter both exception messages and exception type.

5. Do Not Log Sensitive Information

Data thefts cause massive harm to individuals and organizations, and developers need to do everything possible to prevent them from happening. Information like credit and debit card numbers, bank account numbers, passport numbers, and passwords are highly sensitive and valuable to criminals. Don’t store this type of information in log files and make sure it’s not detectable through searches in cleartext. 

If you have to log any sensitive information like card numbers, for example, think about logging only part of the card number e.g. the last four digits, and make sure it’s encrypted using a proven library. Don’t write your own encryption functionality. 

6. Error Handling and Logging 

You can accidentally reveal sensitive information in user error messages and error messages recorded in the log files, such as account information or system details. 

A safer way is to use generic screen error messages for users. Additionally, write log error messages that will help support teams investigating production issues without providing an attacker with useful information to further exploit your systems.

7. Write Simple Java Code

Generally speaking, simple java code is secure java code. Here are some tips on keeping your code simple and secure:

  • Keep it as simple as possible without reducing functionality. 
  • Use code quality checking products like SonarQube. This tool will continuously inspect the code quality whilst checking for any new vulnerabilities in your latest code release. Once a bug or vulnerability is in production, it is a lot harder to fix it compared to the effort to prevent it in the first place. 
  • Expose the minimum amount of information in your code. Hiding implementation details is good for keeping your code both secure and maintainable. 
  • Make good use of Java’s access modifiers. Declare the most restrictive access levels for classes, methods, and their attributes possible. Set everything that can be set to private, as private. 
  • Always define the smallest possible API and interface objects. Decouple components and make them interact in the smallest scope possible. If one component of your application is compromised by a breach, the others will be safe.

8. Prevent Injection Attacks

An injection attack occurs when malicious code is injected into the network. This type of attack is considered a major problem in web application security and is listed as the number one security risk in the OWASP Top 10. Any application that allows users to enter or upload data might contain a vulnerability that can allow an injection attack. Insufficient user input validation is usually the primary reason injection vulnerabilities exist. 

SQL Injection 

SQL Injection vulnerabilities are created when developers write dynamic database queries that can include user input. An attacker can include SQL commands in the input data, in any screen input field. Then because of a vulnerability in the code, the application runs the rogue SQL in the database. This gives attackers a way to bypass the application’s authentication functionality and allow them to retrieve the contents of an entire database. 

Key things to remember to prevent SQL injections: 

  • Never build SQL statements by concatenating arguments. This allows a high probability of SQL injection attacks.
  • Avoid dynamic SQL. Use Prepared Statements (with parameterized queries). 
  • Use stored procedures. 
  • Whitelist input validation. 
  • Escape user-supplied input. 

XPath Injection 

XPath injections are similar to SQL injections in that they can attack websites that operate on user-supplied information to construct an XPath query for XML data. An attacker can gain detailed information on how the XML data is structured or access data that is not normally accessible by sending malicious information to the website. 

These vulnerabilities can also elevate the attacker’s privileges in the application if the XML data is being used for authentication. 

You can avoid XPath injection by similar techniques used to prevent SQL injection: 

  • Sanitize all user input. 
  • When sanitizing, verify the data type, format, length, and content. 
  • In client-server applications, perform validation at both the client and the server sides.
  • Thoroughly test applications especially user input. 

Cross-Site Scripting 

Cross-Site Scripting (XSS) attacks happen when an attacker uses a web application to send malicious code (usually a browser-side script) to other users. Vulnerabilities that allow these attacks can occur anywhere a web application receives input from a user, within the output it generates, without validating or encoding it. 

To keep Java code applications secure and prevent XSS, filter your inputs with a whitelist of allowed characters and use a proven library to HTML encode your output for HTML contexts. For JavaScript use JavaScript Unicode escapes. 

Summary 

In summation, there are some key points to bear in mind in writing secure Java code. You should always think about security in the development of your application in the design stage and code reviews, as well as look for vulnerabilities in your Java code and take advantage of the Java security APIs and libraries.

Only ever use highly rated vendor tools to monitor and log your code for security issues. This means you should investigate the full list of application attack types and follow the recommended prevention methods.

If you use these guidelines for writing secure Java code applications in your organization, you can protect yourself and your applications against malicious attacks and data theft.

Five Tools Every Java Developer Needs

Posted on by eugene evdokimov

If you search the internet for “Java Developer Tools”, millions of articles come back. You’ll see results that recommend the eight best Java development tools, and even those that want to share the 20 best Java tools. The problem is that sometimes too much of a good thing can be bad.

As a Java developer, you need the consensus, the best-of-breed tools in each category. You want someone to tell you the best tool for each purpose, grab it and start working. You don’t need to sit and evaluate an endless selection of tools to find out which is 2% better than the other.

We want to help you save time by pinpointing the best tool for each development requirement. There are five essential categories of tools you will need as a Java developer:

  1.  An Integrated Development Environment (IDE)
  2.  A build tool
  3.  A Java profiler
  4.  A framework for writing and running tests
  5.  A troubleshooter

What is Java?

Java is a programming language and platform that was released in 1995. As all developers know, Java is a huge part of the ever-evolving digital space and a reliable platform for many to build services and applications. It’s fast, reliable, and secure, which makes it perfect for coding everything, from enterprise software to mobile applications.

The five tools every Java developer needs

Whether you’re looking for Java build tools or Java script development tools, we’ve got you covered. Here are the five tools every Java developer needs:

 1. Integrated Development Environment (IDE)

An IDE is a comprehensive suite of software tools that every developer needs. An IDE should include, at a minimum, a source code editor, build automation tools and a debugger.

The consensus best-of-breed IDE is the open source Eclipse IDE. Surveys indicate that it is the preferred IDE for almost half of Java developers. It is so widely adopted that there is a large selection of third-party plugins that extend its core functionality. You can’t go wrong choosing Eclipse for your IDE.

2. Build Tool

Build tools automate the building, publishing, and deploying of software applications. The honor for best Java build tool goes to the open source Gradle.

Gradle isn’t currently the most widely adopted tool, Maven is. However, since Gradle builds on the features of Maven, it is quickly increasing its adoption rate. Gradle prides itself on developers being able to build anything, automate everything and deliver faster. It also allows you to build in any language, whether it be Java, Kotlin or CC+. 

Similar to Eclipse, Gradle comes with a vast ecosystem of plugins for extending its capabilities. It’s just a matter of time before Gradle becomes the most widely adopted build tool around.

 3. Java Profiler

A Java profiler is a tool used to analyze a Java program and estimate its CPU and memory requirements. It is used primarily to optimize code.

The YourKit Java Profiler has already been recognized by many IT professionals and analysts as the best profiling tool and has even received the Java Developer’s Journal Editor’s Choice Award. Key features of YourKit include:

  • Tight integration with IDEs
  • Profile remote applications
  • CPU profiling
  • Flame graphs
  • Database queries and web requests
  • Memory profiling
  • Comparing CPU and memory snapshots
  • Performance inspections
  • Thread synchronization issues

And more you can view here.

4. Framework for Testing

Whether testing a smaller project or a unit of a larger project, you’re going to need the ability to conduct white-box testing. White-box testing is a method of testing software that tests the internal structures or workings of an application as opposed to its functionality. A unit test framework is a core tool of test-driven development and enables repeatable white-box testing.

The open source JUnit is a simple, open source framework for writing and running white-box tests. It can test classes and methods, as well as functionality. In the past, it has also won Java Editor’s Choice Award for best performance testing tool.

5. Troubleshooter

When it comes to your Java code, you’re going to want an all-in-one troubleshooter. A tool that can allow you to generate and analyze heap data, track down memory leaks, and monitor the garbage collector. You’ll also want it designed for both development and production time.

VisualVM, which makes it easy to diagnose performance issues in real-time, fits the bill. VisualVM actually comes with the Java Development Kit (JDK), the most widely used Software Development Kit (SDK).

VisualVM perfectly fits all the requirements of application developers, system administrators, quality engineers, and end users. In a survey conducted by Rebel Labs, they found that VisualVM is used by 46.5% of developers.

Final thoughts

There are a lot of tools available to you as a Java developer, and sometimes the choices can be overwhelming. When making your decisions, you want to ensure you are selecting widely adopted, award-winning tools with full-scale capabilities. 

If you’re unsure where to start, remember you can’t go wrong with Eclipse, Gradle, YourKit, JUnit, and VirtualVM.

(This blog post was updated August 2023)