John Melton's Weblog
Java, Security and Technology

Year Of Security for Java – Conclusion and Links


This will serve as the conclusion to a year-long series on security topics for Java. Let’s first look at the original motivations from the series introduction.

There are several motivations for this series:

1. Get some old topics written down
2. Research some new technologies
3. Write
4. Learn
5. Answer questions from Java friends

I can safely say that I’ve achieved all of these. I covered a pretty wide variety of topics along the way and noticed a few interesting trends:

- The posts that got the most reads were about technical controls, specifically those that were related to configuration settings or response headers. I’m not sure what this means, but it’s possible these were read more because they don’t specifically apply to Java and can be handled at the web server level or with a WAF, etc.

- The posts that got the most interaction (comments/emails/etc.) were process topics that are repeated constantly in the security echo chamber (audit, access control, threat modeling, security training). The interesting thing to me was that these topics were poorly understood by many commenters, and those “experts” that do understand them often have no hard data backing up their assumptions about the topics.

- As I worked through the year, the vast majority of topics I wrote about had less to do with Java specifically – they were security topics that applied across languages – this was actually to be expected. The unexpected thing to me was that many of the topics were referenced in the context of security, but are really just a specific use case of basic software engineering best practice. I knew good development usually spurs much better security, but writing on this many topics really drove the point home for me.

It’s my sincere hope that some, if not all, of these topics are helpful to you. I (mostly) enjoyed writing them and had some great discussions with folks along the way.

Below I’ve added the full list of links for all the posts from the series. Hope you enjoyed it!

——————————————

http://www.jtmelton.com/2012/01/02/year-of-security-for-java-introduction/
http://www.jtmelton.com/2012/01/02/year-of-security-for-java-week-1-session-fixation-prevention/
http://www.jtmelton.com/2012/01/10/year-of-security-for-java-week-2-error-handling-in-web-xml/
http://www.jtmelton.com/2012/01/17/year-of-security-for-java-week-3-session-cookie-secure-flag/
http://www.jtmelton.com/2012/01/25/year-of-security-for-java-week-4-session-cookie-httponly-flag/
http://www.jtmelton.com/2012/02/03/year-of-security-for-java-week-5-clickjacking-prevention/
http://www.jtmelton.com/2012/02/07/year-of-security-for-java-week-6-csrf-prevention-in-java/
http://www.jtmelton.com/2012/02/14/year-of-security-for-java-week-7-content-security-policy/
http://www.jtmelton.com/2012/02/21/year-of-security-for-java-week-8-http-strict-transport-security/
http://www.jtmelton.com/2012/02/28/year-of-security-for-java-week-9-x-frame-options/
http://www.jtmelton.com/2012/03/06/year-of-security-for-java-week-10-x-content-type-options/
http://www.jtmelton.com/2012/03/13/year-of-security-for-java-week-11-x-xss-protection/
http://www.jtmelton.com/2012/03/20/year-of-security-for-java-week-12-log-forging-prevention/
http://www.jtmelton.com/2012/03/29/year-of-security-for-java-week-13-know-your-frameworks/
http://www.jtmelton.com/2012/04/03/year-of-security-for-java-week-14-store-jsps-in-web-inf/
http://www.jtmelton.com/2012/04/10/year-of-security-for-java-week-15-audit-security-related-events/
http://www.jtmelton.com/2012/04/17/year-of-security-for-java-week-16-set-a-soft-session-timeout/
http://www.jtmelton.com/2012/04/27/year-of-security-for-java-week-17-set-a-hard-session-timeout/
http://www.jtmelton.com/2012/05/01/year-of-security-for-java-week-18-perform-application-layer-intrusion-detection/
http://www.jtmelton.com/2012/05/09/year-of-security-for-java-week-19-reduce-the-attack-surface/
http://www.jtmelton.com/2012/05/16/year-of-security-for-java-week-20-trust-nothing/
http://www.jtmelton.com/2012/05/23/year-of-security-for-java-week-21-anti-caching-headers/
http://www.jtmelton.com/2012/05/31/year-of-security-for-java-week-22-http-parameter-pollution/
http://www.jtmelton.com/2012/06/06/year-of-security-for-java-week-23-http-header-injection/
http://www.jtmelton.com/2012/06/13/year-of-security-for-java-week-24-use-static-analysis/
http://www.jtmelton.com/2012/06/20/year-of-security-for-java-week-25-use-dynamic-analysis/
http://www.jtmelton.com/2012/06/27/year-of-security-for-java-week-26-do-code-reviews/
http://www.jtmelton.com/2012/07/05/year-of-security-for-java-week-27-penetration-testing/
http://www.jtmelton.com/2012/07/11/year-of-security-for-java-week-28-unit-test/
http://www.jtmelton.com/2012/07/17/year-of-security-for-java-week-29-manage-resources/
http://www.jtmelton.com/2012/07/25/year-of-security-for-java-week-30-authentication/
http://www.jtmelton.com/2012/08/02/year-of-security-for-java-week-31-access-control-1/
http://www.jtmelton.com/2012/08/07/year-of-security-for-java-week-32-access-control-2/
http://www.jtmelton.com/2012/08/14/year-of-security-for-java-week-33-access-control-3/
http://www.jtmelton.com/2012/08/21/year-of-security-for-java-week-34-separate-admin-functionality/
http://www.jtmelton.com/2012/08/30/year-of-security-for-java-week-35-solve-security-problems-one-at-a-time/
http://www.jtmelton.com/2012/09/07/year-of-security-for-java-week-36-solve-sql-injection/
http://www.jtmelton.com/2012/09/12/year-of-security-for-java-week-37-solve-cross-site-scripting/
http://www.jtmelton.com/2012/09/21/year-of-security-for-java-week-38-create-a-reusable-security-framework/
http://www.jtmelton.com/2012/09/27/year-of-security-for-java-week-39-dont-reinvent-the-wheel-unless-its-square/
http://www.jtmelton.com/2012/10/05/year-of-security-for-java-week-40-get-a-security-person-or-some-people-if-you-can/
http://www.jtmelton.com/2012/10/12/year-of-security-for-java-week-41-spend-wisely-on-developer-security-training/
http://www.jtmelton.com/2012/10/19/year-of-security-for-java-week-42-break-something/
http://www.jtmelton.com/2012/10/27/year-of-security-for-java-week-43-build-something-and-give-it-away/
http://www.jtmelton.com/2012/11/03/year-of-security-for-java-week-44-follow-a-secure-sdlc/
http://www.jtmelton.com/2012/11/09/year-of-security-for-java-week-45-do-threat-modeling/
http://www.jtmelton.com/2012/11/17/year-of-security-for-java-week-46-store-user-passwords-securely/
http://www.jtmelton.com/2012/11/24/year-of-security-for-java-week-47-store-encryption-keys-securely/
http://www.jtmelton.com/2012/12/01/year-of-security-for-java-week-48-you-will-get-hacked/
http://www.jtmelton.com/2012/12/08/year-of-security-for-java-week-49-collect-and-share-your-data/
http://www.jtmelton.com/2012/12/13/year-of-security-for-java-week-50-think/
http://www.jtmelton.com/2012/12/22/year-of-security-for-java-week-51-document-everything/
http://www.jtmelton.com/2012/12/29/year-of-security-for-java-week-52-never-stop-improving/
