Title: Iron-Clad Java: Building Secure Web Applications
Author(s): August Detlefsen and Jim Manico
Publisher: McGraw-Hill Education
Category: Miscellaneous Java


McGraw-Hill Education wrote: Proven Methods for Building Secure Java-Based Web Applications

Develop, deploy, and maintain secure Java applications using the expert techniques and open source libraries described in this Oracle Press guide. Iron-Clad Java presents the processes required to build robust and secure applications from the start and explains how to eliminate existing security bugs. Best practices for authentication, access control, data protection, attack prevention, error handling, and much more are included. Using the practical advice and real-world examples provided in this authoritative resource, you'll gain valuable secure software engineering skills.

* Establish secure authentication and session management processes
* Implement a robust access control design for multi-tenant web applications
* Defend against cross-site scripting, cross-site request forgery, and clickjacking
* Protect sensitive data while it is stored or in transit
* Prevent SQL injection and other injection attacks
* Ensure safe file I/O and upload
* Use effective logging, error handling, and intrusion detection methods
* Follow a comprehensive secure software development lifecycle

"In this book, Jim Manico and August Detlefsen tackle security education from a technical perspective and bring their wealth of industry knowledge and experience to application designers. A significant amount of thought was given to include the most useful and relevant security content for designers to defend their applications. This is not a book about security theories, it's the hard lessons learned from those who have been exploited, turned into actionable items for application designers, and condensed into print."
―From the Foreword by Milton Smith, Oracle Senior Principal Security Product Manager, Java

From the publisher
  • Table of Contents (PDF)
  • Foreword (PDF)
  • Chapter 4: Cross-Site Scripting Defense (PDF)

Where to get it?
  • McGraw-Hill Education

Related Websites
  • Twitter: August Detlefsen
  • Twitter: Jim Manico
  • Website: CodeMagi
  • Website: Manicode Security
I give this book 10 out of 10 horseshoes.

It's taken me a while to write a review of "Iron-Clad Java: Building Secure Web Applications" because it motivated me to fix two security vulnerabilities in CodeRanch: clickjacking and brute-force login (and I didn't want to post this review until they were deployed).

The concepts were explained clearly in addition to tactics and patterns/anti-patterns. I particularly liked the emphasis on security vs usability. The explanation for the different types of XSS attacks and using encoding appropriate to the context was excellent. I like that there was a whole chapter on logging.

I learned a lot reading this book, even about topics I thought I knew a lot about. I hadn't known OWASP had an HTML validator. I hadn't heard of null byte attacks.

For many of the vulnerabilities, the book suggests libraries you can use to help. I hadn't heard of Apache Shiro. I was surprised OWASP's CSRF filter wasn't mentioned though.

The book targets Java developers, project managers, web security penetration testers and technical managers. I was skeptical that a book with so much code could be useful to managers. After reading the book, I'm convinced. Skipping over the coding sections gives managers an appreciation and the vocabulary for discussing security with their staff.

If you have a web app, you should definitely get this book.

Review migrated from old book review post

Disclosure: I received a review copy of this book from the publisher for reviewing it on behalf of CodeRanch.
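The review singles out the book's treatment of context-appropriate output encoding as an XSS defence. The class below is an added illustration of that idea, written for this page; it is not code from the book, from CodeRanch or from the reviewer, and the class and method names (`ContextEncoder`, `forHtmlText`, `forHtmlAttribute`, `forJavaScriptString`) are my own. It shows why one encoder does not fit every output location: HTML entities are decoded in element text and attribute values but not inside a `<script>` block, so a string that lands in a JavaScript literal needs `\xHH`/`\uHHHH` escapes instead. The sample input is constructed to contain every character that matters in those three contexts.

```java
/**
 * Context-aware output encoding for three common HTML output contexts.
 * Added illustration for this review page only: not the book's code and not
 * a production library. In real applications use a vetted encoder such as
 * the OWASP Java Encoder rather than hand-written routines like these.
 */
public final class ContextEncoder {

    private ContextEncoder() {}

    /** HTML element text: neutralise the five characters that can alter markup. */
    public static String forHtmlText(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * HTML attribute value (always emit it inside double quotes). Every character
     * other than ASCII letters and digits becomes a numeric entity, so the value
     * can neither close the surrounding quote nor start a new attribute.
     */
    public static String forHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                out.append(c);
            } else {
                out.append("&#x").append(Integer.toHexString(c)).append(';');
            }
        }
        return out.toString();
    }

    /**
     * JavaScript string literal inside a <script> block. Uses \xHH / \uHHHH
     * escapes instead of HTML entities, because the browser does not decode
     * entities inside script; the escapes also stop "</script>" from appearing
     * literally and ending the block early.
     */
    public static String forJavaScriptString(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                out.append(c);
            } else if (c < 256) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a display name that contains quotes, ampersand,
        // angle brackets and a closing script tag, i.e. the characters each
        // context must neutralise.
        String untrusted = "O'Brien \" <b>&</b> </script>";

        // Same value, three output locations, three different encodings.
        System.out.println("<p>Hello " + forHtmlText(untrusted) + "</p>");
        System.out.println("<input value=\"" + forHtmlAttribute(untrusted) + "\">");
        System.out.println("<script>var name = '" + forJavaScriptString(untrusted) + "';</script>");
    }
}
```

Running `main` prints the same value rendered safely for each location. The point the review is making is visible in the third line: if `forHtmlText` had been used there, the literal `</script>` would survive as text and the HTML parser would end the script block at that point before the JavaScript parser ever saw the string.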