
High Performance with high security

Posts: 15
Hi Romain,
Thank you for taking the time to write on the subject of performance, which is typically not given enough attention during application development. I wish there were a section covering patterns for securing application cached data. Do you have any insights into application security features in Java 8?

Thank you
Posts: 13
Hi Srinivas,

Security would be worth a whole book by itself. The book doesn't deal directly with cached data security but gives some hints on why to use a remote or local cache, which is the main concern in terms of security.
There is no portable security across a cluster in JavaEE (this is vendor specific), and it is a bit outside the book's scope, which is more about ensuring it works as expected and you don't get surprises when adding a cache.

The security topic is interesting because you have all extremes:

- You need to not use String but char[] for sensitive data to erase them (set all items to 0) once used
- You don't need security except for incoming requests

Concretely, on a Java platform - and actually any computer platform today - you can access the whole memory, so if you want to hack the volatile data you can, and preventing sensitive data from being stored for a long time is valuable; however, if you assume somebody can do that, you also have to assume he can do anything he wants, including handling your response the way he wants. I'm not saying it is easy, but it is at the same level of intrusion.

The only way to protect yourself is to use a security manager, which will limit a lot what somebody can do inside (or not) your JVM, but it also slows down the application so much that today almost nobody is using it in production.

Personally I tend to ensure the outbounds of my application are really secured:

- HTTP has security
- JMS doesn't use java serialization or equivalent (see the 0-day vulnerability) and connection is secured
- if using a local file, ensure it is signed or so etc...

Going deeper into security - for instance using some crypto for locally cached data - would be overkill, which can lead to caching not being worth it at all, and is not really useful from a security perspective since, if you need to be able to decrypt it, an attacker able to access the cache would be able to do it as well.
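
The `char[]` point from the reply above, as an added example that is not part of the original post: a password is held in a `char[]`, used once to derive a key, and every copy this code controls is zeroed in a `finally` block. The class name, iteration count and sample values are assumptions chosen for illustration.

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class WipeAfterUse {

    // Derives a key from a password held in a char[] and wipes the copies
    // this code controls before returning. The JCA provider may keep
    // further internal copies that are outside this code's reach.
    static byte[] deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        // PBEKeySpec clones the array, so it holds its own copy of the password.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();        // zero the spec's internal copy
            Arrays.fill(password, '\0'); // zero the caller's array
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values. In a console application the array would
        // come from System.console().readPassword(), which returns char[].
        char[] password = {'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't', 'e', 'd'};
        byte[] salt = new byte[16]; // all-zero salt, for the demo only

        byte[] key = deriveKey(password, salt);
        try {
            System.out.println("derived key length: " + key.length + " bytes");
            boolean wiped = true;
            for (char c : password) {
                wiped &= (c == '\0');
            }
            System.out.println("password array wiped: " + wiped);
        } finally {
            Arrays.fill(key, (byte) 0); // derived key material is sensitive too
        }
    }
}
```

A `String` holding the same password could not be cleared this way, because it is immutable and stays on the heap until it is garbage collected.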
