WebApp Sec mailing list archives

RE: J2EE Application Security Code Review


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 28 Oct 2005 14:41:45 -0500

-----Original Message-----
From: Yousef Syed [mailto:yousef.syed () gmail com] 

[...]
Can someone please advise me on what I should be looking for?
Where can I get further information on the procedure that 
should be followed? Are there any Standards/Best Practices
for Securing J2EE applications?

Yousef, here's a list of resources I provide developers; it
includes links to other people's book lists as well. Many
items on here are Java-specific:

===============================================
Resources on Application and Software Security
===============================================

:::Web-Based Resources:::

OWASP (Open Web Application Security Project):
Focus: Whitepapers, Guidelines, Free Tools
http://www.owasp.org

WASC (Web Application Security Consortium)
Focus: Whitepapers, Research, Standards/Definitions
http://www.webappsec.org
http://www.webappsec.org/web_security_books.shtml (webappsec books)

Java Passion
Focus: J2EE, Security, Webappsec, OWASP Top-10
http://www.javapassion.com/j2ee/WebApplicationSecurity4.pdf
http://www.javapassion.com/j2ee/WebSecurityThreatsAndCounterMeasures4.pdf
http://www.javapassion.com/j2eeadvanced/index0.html#SyallbusforAdvanced
(on the last link search for "Advanced J2EE Security"; nice list of resources)

Threats and Countermeasures
Focus: Info on Patterns (attack/defense, and practice patterns) and Threat Modeling
http://www.threatsandcountermeasures.com

Improving Web Application Security: Threats and Countermeasures
Focus: MS Centric, but good info, as book or updated web-based document:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

TRIKE:
Focus: Threat Modeling
http://dymaxion.org/trike/index.shtml

Foundstone .NET toolkit
Focus: Free tools
www.foundstone.com/resources/proddesc/s3itoolkit.htm


:::Books on Application and Software Security:::

---------------Threat Modeling-----------------------

Threat Modeling, MS Press
http://www.microsoft.com/MSPress/books/6892.asp

----------Designing/Building Secure Apps---------

Secure Coding: Principles & Practices (High Level overview book):
http://www.securecoding.org/book/press.php

Security Engineering: A Guide to Designing Dependable,
Distributed Applications, Ross Anderson
(Still one of the best security design and architecture books written)
http://www.cl.cam.ac.uk/~rja14/book.html

The Software Vulnerability Guide:
http://www.amazon.com/exec/obidos/tg/detail/-/1584503580/


----------------Writing Secure Code-----------------

19 Deadly Sins of Software Security
(Mostly a "Things Not to Do" book with examples/case studies)
http://www.amazon.com/exec/obidos/tg/detail/-/0072260858/

-Subset: Unmanaged code

Secure Coding, 2nd Edition, MS Press (C/C++ oriented but
covers a wide variety of issues MS-centric)
http://www.microsoft.com/mspress/books/5957.asp


-Subset: Java

Building Secure Software, Hoglund and McGraw
(Secure Coding book, Java-centric)
http://www.amazon.com/exec/obidos/tg/detail/-/020172152X/

-Subset: .NET

---------------Attacking Software---------------------

-Subset: All

Exploiting Software: How to Break Code, Hoglund and McGraw
http://www.amazon.com/exec/obidos/tg/detail/-/0201786958/

How to Break Software, Whittaker
http://www.amazon.com/exec/obidos/tg/detail/-/0201796198

How to Break Software Security, by Whittaker, Thompson & Thompson
(This is more how to test/break software locally, think fat-client
software in a sandbox/vm way using fault injection, and resource
starvation; relies on their proprietary tool Holodeck)
http://www.amazon.com/exec/obidos/tg/detail/-/0321194330/

The Shellcoder's Handbook, Aitel and others (One of several on how to hack software)
http://www.amazon.com/exec/obidos/tg/detail/-/0764544683/

Database Hacker's Handbook, David and Mark Litchfield, others
http://www.amazon.com/exec/obidos/tg/detail/-/0764578014/

-Subset: Web

See WASC List above.

Arian J. Evans
FishNet Security

816.421.6611 [office]
816.701.2045 [direct] <--checked infrequently
888.732.9406 [toll-free]
816.421.6677 [fax]
913.710.7045 [mobile] <--daily/international access
aevans () fishnetsecurity com [email]

http://www.fishnetsecurity.com
