Security

Learning results (shared with Criptography):

1. Protect applications and data by defining and applying security criteria in the access, storage and transmission of information.

We will talk about logical security (software) and active security (preventive) associated with software development.

A system can be considered secure if we take care of the following aspects, from most to least significant:

• Availability: Users can access information when they need it.
• Confidentiality: Information is accessible only to those authorized to have access.
• Integrity: keep data free from unauthorized modification.
• Authentication: identity verification.
• Non-repudiation: Neither the sender nor the receiver can deny being a party to the communication that occurs.

Within the programming, and with reference to security, we will talk about the following aspects:

• Access control: registration, authentication and authorization of users.
• Secure design of software to avoid vulnerabilities.

References

Security:

• Security Features in Java SE (The Java Tutorials)
• Secure Coding Guidelines for Java SE
• Security by design (Wikipedia)
• Application Security (Wikipedia)
• SEI CERT Oracle Coding Standard for Java
• Top 10 Secure Coding Practices
• Secure Programming for Linux and Unix (Java specific)
• How to Learn Penetration Testing: A Beginners Tutorial
• OWASP Proactive Controls
• OWASP API Security Project
• Role-based access control (Wikipedia)
• Please, stop using local storage
• HTTP headers for the responsible developer
• How to Use Local Storage with JavaScript
• Application Architectures (Data Communications and Networking)
• Advanced API Security (Llibre)
• How secure is Java compared to other languages?
• The Rule Of 2
• Programming With Assertions

Authentication / authorization:

• HTTP Authentication
• Session vs Token Based Authentication
• The Web Authentication Guide Cheatsheet
• JWT, JWS and JWE for not so dummies!
• Java Authentication with JSON Web Tokens (jjwt)
• Tutorial: Create and Verify JWTs in Java
• Refresh Tokens: When to Use Them and How They Interact with JWTs
• Where to Store your JWTs – Cookies vs HTML5 Web Storage
• Attacking JWT authentication
• Token based authentication made easy
• Getting Token Authentication Right in a Stateless Single Page Application
• Stateless Sessions for Stateful Minds: JWTs Explained and How You Can Make The Switch
• Web Security for SPAs
• Webauthn guide
• An Introduction to OAuth 2
• OAuth 2.0 clients in Java programming, Part 1, Part 2 i Part 3
• LDAP Security
• REST Security Cheat Sheet (OWASP)
• Password Storage Cheat Sheet (OWASP)
• Cryptographic Storage Cheat Sheet (OWASP)
• REST API Security Essentials