Iron Clad Java

Is this suitable for a security beginner?

The "Iron-Clad Java" authors wrote:As we named this book Iron-Clad Java, we envision this book to be the beginning of a series. We want to move every developer in the direction of Steel-Clad Java and Adamantium-Clad Java, and Self-Defending Laser-Powered-Armor-Clad Java, but our first honest step is Iron-Clad. The path to secure software is not an easy one and requires discipline, study, and a great deal of practice. We hope this book will guide you down this path in a way that benefits you, your team, and especially your users in positive ways.

I have skimmed through the book and it looks like a very good place to start. Now I plan to start my first pass of the book (the authors recommend reading through it at least three times).

The topics covered are exactly the ones I would be looking for if I needed information about making my web application secure.

As the authors say, security and writing secure software is not easy. From the little that I've read so far, it looks like they have a very direct and to-the-point approach and get right down to the nuts and bolts practical discussions. In contrast, other introductory books about security may start off with academic discussions of basic security concepts like confidentiality, integrity, availability, authentication, authorization, auditing, non-repudiation, etc. While it's good to have a foundation of basic security concepts and secure coding principles, I really like the "cut to the chase" approach in this book.

My follow-up question to Jim and August is whether "Steel-Clad Java" is already in the works and if it is, what topics will it cover? (And thanks so much for spending some time with us this week! )

Will asked the very question I was thinking. My department has recently been looking at exposing some of our Java web tools to external users and I'm being asked a lot of security questions. I have been looking for a good beginners book. Thanks, for the response Junilu. Thanks to Jim and August for your time.

Junilu Lacar,

This book is meant for the experience developer who might be new to security.

Our next book in the works is "Iron-Clad Apps" and plans to cover webservices, mobile and IoT in additional to general web security.

Jim Young,

Regardless of wether your app is "internal" or "eternal" you still want to lock that baby down. Networks tend to be porous these days and internal apps are really external.

Aloha,
Jim Manico
@Manicode
[email protected]

Junilu Lacar wrote:In contrast, other introductory books about security may start off with academic discussions of basic security concepts like confidentiality, integrity, availability, authentication, authorization, auditing, non-repudiation, etc. While it's good to have a foundation of basic security concepts and secure coding principles, I really like the "cut to the chase" approach in this book.

Thanks for your informative review Junilu. It helped me. Can you please recommend some book(s) from which I can learn the basics of security (theory and programming) before I read the Iron-clad-java book ?

Ali Gordon wrote:Can you please recommend some book(s) from which I can learn the basics of security (theory and programming) before I read the Iron-clad-java book ?

I think "field guide" type books like Iron Clad Java would actually be better as a first read. There are more practical examples and the material is easier to get through. To be honest, I find it hard to get through a lot of "introductory" books on security because the material gets so boring after a while. I can only take so much "theory"; I have to get my hands dirty with working software. That said, someone in another thread asked about "Foundations of Security: Everything a Programmer Needs to Know", which is quite comprehensive. It has a 4.5-star rating on Amazon.

You might also look at books related to the Certified Secure Software Lifecycle Professional (CSSLP) certification. I don't think they're easy for beginners to digest—in fact, there's not much about security that's easy—but these books also have a lot of material about the basics and principles of security.

Ali Gordon wrote:Can you please recommend some book(s) from which I can learn the basics of security (theory and programming) before I read the Iron-clad-java book ?

Jim Manico wrote:This book is meant for the experience developer who might be new to security.

Ali: You can learn about security from this book. I think Jim means you need to have a good knowledge of web programming first. Read a book like Core Servlets and JSPs first if you aren't experienced in that area.