Tag Archives: Java Security

Firesheep: HTTP Session Hijacking made so easy !

      1 Comment on Firesheep: HTTP Session Hijacking made so easy !

Way cool ! HTTP Session Hijacking can’t be made simpler than using Firesheep. Couple of days ago, a friend of mine suggested me to login a most popular website and he demonstrated how he took control and accessed my user session in less than a minute. First, I thought he used a network protocol analyser tool such as Wireshark or… Read more »

Hardware Assisted Security: Cryptographic Acceleration for SOA and Java EE applications

I’ve spent the last few days attending Oracle OpenWorld conference at San Francisco..it is my second OOW experience, so it is not a surprise to see the conference was fully packed with people, hundreds of sessions and demos – I did have an opportunity to attend few and also present two sessions focused on Security topics featuring “Hardware Assisted Security… Read more »

Java Cryptography on Intel Westmere

      3 Comments on Java Cryptography on Intel Westmere

When it comes to Java cryptography based application security –  Solaris has significant performance advantage over Linux and Windows on Intel Westmere processor equipped servers.  I am not debunking Linux performance on Intel but evidently Linux does not take advantage of Intel Westmere’s AES-NI instructions when the Java applications relies on Java cryptographic implementations  for performing AES encryption/decryption functions.  AES is one of the most popular symmetric-key encryption algorithm widely… Read more »

Secure Java Coding Guidelines v3.0

      1 Comment on Secure Java Coding Guidelines v3.0

When it comes to application security,  Secure coding is the first line of defense….and it is very critical to follow the best practice patterns and avoid pitfalls to secure the application from known risks and vulnerabities. The Java Security team has just released the updated – “Secure Coding Guidelines for the Java Programming Language, Version 3.0” .  Certainly it included a newer set of… Read more »

Java EE 6: Web Application Security made simple !

      13 Comments on Java EE 6: Web Application Security made simple !

Java EE 6 RI was released few weeks ago….I am bit late to have my first look 🙂  Without a doubt, the new Web container security enhancements are very compelling for any budding or experienced Java developer working on Web applications. The Java EE 6 has unveiled several new security features with ease of use and targetted for simplified Web… Read more »

Java Card 3.0: Deploying and Running "Web applications" on Smartcard.

Java Card technology has been a passion of mine for so long and I always tried my best to keep updated on Smart card technologies…… not just because of my role at Sun, I did get several opportunities to work closely with citizen-scale Java Card deployments with multiple National ID, eID/ICAO, US DoD/CAC, PIV/FIPS-201 cards and related Identity management projects.  It is always been quite adventurous everytime to experience a card issuance… Read more »

Enabling FIPS-140 compliance for Java based SSL/TLS applications

FIPS-140* compliance has gained overwhelming attention these days and it has become a mandatory requirement for several security sensitive applications (mostly in Government and Security solutions and recently with select finance industry solutions and particularly for achieving compliance with regulatory mandates such as PCI DSS, FISMA, HIPPA, etc ). FIPS-140 also helps defining security requirements for supporting integration with cryptographic hardware and software tokens.  Ensuring… Read more »

Dissecting the 'Obfuscated Transfer Object'

One thing I noticed lately…is lot of interest about understanding the usage of ‘Obfuscated Transfer Object (OTO) ‘ from Core Security Patterns.  I got multiple emails about its code and implementation .. understandably there is a growing security concern about using Transfer Object (aka Value Object) that passes security-sensitive data elements between Java EE tiers (especially between Presentation/Business/Persistence), when the… Read more »

Top 25 Most Dangerous Programming Errors

      No Comments on Top 25 Most Dangerous Programming Errors

Few weeks ago, US Dept. of Homeland security (National Cyber Security Division) in collaboration with SANS Institute/MITRE teams worked together and released a list of 25 dangerous programming errors as common security flaws, which opens doors for easy exploitation. My first look at this list, I thought it is a old wine in a new bottle as the document sounded… Read more »

Enabling Smart Card based PKI as Java Key Store

      4 Comments on Enabling Smart Card based PKI as Java Key Store

Last week, I was test driving a PIV Smartcard based PKI as a keystore (via Java PKCS#11)  to support using the PKI/certificate credentials for performing encryption/decryption and digital signature operations  (PKI based logins to Web applications, Encryption/decryption of documents, Digitally signing email). There is no secret receipe but some of you may find it a bit difficult – if you… Read more »