Secure Coding Guidelines for Java

I have published a (Turkish) article about secure coding guidelines for Java within OWASP-Turkey Documents. The article aims to help IT architects and developers understand the main security aspects of the design and development phases.

The guideline contains generic countermeasures (e.g. do not write repeated code) as well as Java-specific countermeasures (e.g. how to use the doPrivileged() method in a secure way). It is mainly grouped into the following sections:

  • Design
  • Confidentiality and Privacy
  • Access Control
  • Input Validation
  • Serialization

The main references for the article are as follows:

The article is available in OWASP-Turkey Documents. You can download it in the Publications section as well.

OWASP Enterprise Security API (ESAPI) provides a security control library that helps programmers integrate security into their applications. It is not a new framework; rather, it provides a common interface and reference implementations that other frameworks can benefit from.

Security is a complex issue. The “weakest link” is a well-known problem. If you need to provide security, you should consider all possible threats and the relevant solutions. If you forget to integrate a control, you will probably lose.

ESAPI aims to close this gap by providing a more “complete” set of best practices for security controls. Let’s look at an encryption example in Java. Listing 1 shows an AES symmetric encryption example that encrypts the given plain text with the secret key. For readability, some details (e.g. imports, exceptions, comments etc.) are omitted.
