Year Of Security for Java – Week 40 – Get a Security Person (or Some People) if You Can

What is it and why should I care? I spend a good bit of time talking about both development and security. I spend a lot of time working with other developers and other security people. There are a precious few that I know of that excel at both development and security. This is a […]

Year Of Security for Java – Week 35 – Solve Security Problems One at a Time

What is it and why should I care? This article (and several of those remaining in the series) is not so much technical in nature, but rather deals more with processes related to security problem solving. It’s a fact of life in most development and/or security shops that there are those fire-drill days, and […]

Year Of Security for Java – Week 28 – Unit Test

What is it and why should I care? Unit testing is the term generally associated with the process of writing code specifically purposed for testing your application functionality. You write test code to run your functional application code and verify the results. Note: Unit testing is actually a specific subset of this idea focused […]

Year Of Security for Java – Week 18 – Perform Application Layer Intrusion Detection

What is it and why should I care? Application layer intrusion detection is a simple concept that I believe is very, very powerful when it comes to protecting applications. Most of the topics I’ve covered thus far have focused on the development portion of the software life-cycle, but this topic really covers the entire […]

Year Of Security for Java – Week 15 – Audit Security Related Events

What is it and why should I care? Auditing security related events includes two basic concepts, so we’ll begin by treating them individually. Auditing: Auditing is a key part of any real software system. Many people treat logging and auditing as the same idea, though they’re actually different. Definitions might vary, but mine boils […]

Year Of Security for Java – Week 13 – Know Your Frameworks

What is it and why should I care? Libraries and frameworks are a reality for every J2EE developer (pretty much any developer, actually) out there. We use them for MVC, DB, logging, web services, security, XML processing, as well as a host of other features. We rely on them in our production apps every […]

Year Of Security for Java – Week 12 – Log Forging Prevention

What is it and why should I care? Log forging is an issue that can occur if you allow untrusted data to be written to a log storage mechanism. The intent of the attacker using log forging is to cover his tracks in the logs or at least make understanding what he was doing […]

Year Of Security for Java – Week 11 – X-XSS-Protection

What is it and why should I care? X-XSS-Protection is a Microsoft IE technology used to help prevent reflected XSS attacks in IE. Note 1: This is not a “panacea” for XSS. There is no excuse for not developing your site in a secure manner to prevent XSS. This however is a protection offered […]

Year Of Security for Java – Week 10 – X-Content-Type-Options

What is it and why should I care? X-Content-Type-Options is an HTTP header that can help prevent browser content-type sniffing problems. The content-type for a given resource should match the “type” (too obvious?) of the resource. For example, an HTML page would use “text/html”, a PNG image would use “image/png”, and a CSS document […]

Year Of Security for Java – Week 9 – X-Frame-Options

What is it and why should I care? X-Frame-Options (moving towards just Frame-Options in a draft spec, dropping the X-) is a new technology that allows an application to specify whether or not specific pages of the site can be framed. This is meant to help deal with the clickjacking problem. The technology […]