WebApp Sec mailing list archives
RE: J2EE Application Security Code Review
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 28 Oct 2005 14:41:45 -0500
-----Original Message----- From: Yousef Syed [mailto:yousef.syed () gmail com]
[...]
Can someone please advise me on what I should be looking for? Where can I get further information on the procedure that should be followed? Are there any Standards/Best Practices for Securing J2EE applications?
Yousef, here's a list of resources I provide developers; it includes links to other people's book lists as well. Many items on here are Java-specific:

===============================================
Resources on Application and Software Security
===============================================

:::Web-Based Resources:::

OWASP (Open Web Application Security Project)
Focus: Whitepapers, Guidelines, Free Tools
http://www.owasp.org

WASC (Web Application Security Consortium)
Focus: Whitepapers, Research, Standards/Definitions
http://www.webappsec.org
http://www.webappsec.org/web_security_books.shtml (webappsec books)

Java Passion
Focus: J2EE, Security, Webappsec, OWASP Top-10
http://www.javapassion.com/j2ee/WebApplicationSecurity4.pdf
http://www.javapassion.com/j2ee/WebSecurityThreatsAndCounterMeasures4.pdf
http://www.javapassion.com/j2eeadvanced/index0.html#SyallbusforAdvanced
(on the last link search for "Advanced J2EE Security"; nice list of resources)

Threats and Countermeasures
Focus: Info on Patterns (attack/defense, and practice patterns) and Threat Modeling
http://www.threatsandcountermeasures.com

Improving Web Application Security: Threats and Countermeasures
Focus: MS Centric, but good info, as book or updated web-based document:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

TRIKE
Focus: Threat Modeling
http://dymaxion.org/trike/index.shtml

Foundstone .NET toolkit
Focus: Free tools
www.foundstone.com/resources/proddesc/s3itoolkit.htm

:::Books on Application and Software Security:::

---------------Threat Modeling-----------------------

Threat Modeling, MS Press
http://www.microsoft.com/MSPress/books/6892.asp

----------Designing/Building Secure Apps---------

Secure Coding: Principles & Practices (High Level overview book)
http://www.securecoding.org/book/press.php

Security Engineering: A Guide to Designing Dependable, Distributed Applications, Ross Anderson
(Still one of the best security design and architecture books written)
http://www.cl.cam.ac.uk/~rja14/book.html

The Software Vulnerability Guide
http://www.amazon.com/exec/obidos/tg/detail/-/1584503580/

----------------Writing Secure Code-----------------

19 Deadly Sins of Software Security
(Mostly a "Things Not to Do" book with examples/case studies)
http://www.amazon.com/exec/obidos/tg/detail/-/0072260858/

-Subset: Unmanaged code
Secure Coding, 2nd Edition, MS Press
(C/C++ oriented but covers a wide variety of issues, MS-centric)
http://www.microsoft.com/mspress/books/5957.asp

-Subset: Java
Building Secure Software, Hoglund and McGraw
(Secure Coding book, Java-centric)
http://www.amazon.com/exec/obidos/tg/detail/-/020172152X/

-Subset: .NET

---------------Attacking Software---------------------

-Subset: All
Exploiting Software: How to Break Code, Hoglund and McGraw
http://www.amazon.com/exec/obidos/tg/detail/-/0201786958/

How to Break Software, Whittaker
http://www.amazon.com/exec/obidos/tg/detail/-/0201796198

How to Break Software Security, by Whittaker, Thompson & Thompson
(This is more how to test/break software locally, think fat-client software in a sandbox/vm way using fault injection and resource starvation; relies on their proprietary tool Holodeck)
http://www.amazon.com/exec/obidos/tg/detail/-/0321194330/

The Shellcoder's Handbook, Aitel and others
(One of several on how to hack software)
http://www.amazon.com/exec/obidos/tg/detail/-/0764544683/

Database Hacker's Handbook, David and Mark Litchfield, others
http://www.amazon.com/exec/obidos/tg/detail/-/0764578014/

The Shellcoder's Handbook, Aitel and others
(One of several on how to hack software)
http://www.amazon.com/exec/obidos/tg/detail/-/0764544683/

Database Hacker's Handbook, David and Mark Litchfield
http://www.amazon.com/exec/obidos/tg/detail/-/0764578014/

-Subset: Web
See WASC List above.

Arian J. Evans
FishNet Security
816.421.6611 [office]
816.701.2045 [direct] <--checked infrequently
888.732.9406 [toll-free]
816.421.6677 [fax]
913.710.7045 [mobile] <--daily/international access
aevans () fishnetsecurity com [email]
http://www.fishnetsecurity.com
Current thread:
- J2EE Application Security Code Review Yousef Syed (Oct 28)
- Re: J2EE Application Security Code Review Eoin Keary (Oct 28)
- Re: J2EE Application Security Code Review Andrew van der Stock (Oct 28)
- Re: J2EE Application Security Code Review crazy frog crazy frog (Oct 28)
- <Possible follow-ups>
- RE: J2EE Application Security Code Review Prashant Shirangare (Oct 28)
- Re: J2EE Application Security Code Review Dean H. Saxe (Oct 30)
- RE: J2EE Application Security Code Review Evans, Arian (Oct 28)
- RE: J2EE Application Security Code Review Jeff Robertson (Oct 28)
- Re: J2EE Application Security Code Review Dean H. Saxe (Oct 30)
- Message not available
- Re: J2EE Application Security Code Review Yousef Syed (Nov 01)