
Awesome Java Security 🕶☕🔐

Stefan Streichsbier

The first version of Java was released on January 23, 1996. Since then, Java has been said to run on over 3 billion devices. Many of these devices are web servers.

Java is one of the top 5 most popular technologies, according to the 2018 StackOverflow survey.

For this reason, I've compiled a curated list of awesome-java-security resources to help devs code securely with Java.

guardrailsio/awesome-java-security

Awesome Java Security Resources 🕶☕🔐


A curated list of awesome Java security-related resources.

List inspired by the awesome list thing.

Supported by: GuardRails.io


Tools

Web Framework Hardening

  • Apache Shiro - A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
  • JJWT - Java JWT: JSON Web Token for Java and Android.
  • OWASP ESAPI Java - Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
  • PAC4J - Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
  • Spring Security - A powerful and highly customizable authentication and access-control framework.
  • Spring Security Oauth - Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.

Multi tools

  • hawkeye - Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and Java.
  • GuardRails - A…

Did I miss anything? Let me know in the comments.

And, please leave a like (or ⭐ the repo) if you find it useful.

Posted on Jan 22 '19 by:

Stefan Streichsbier

@streichsbaer

Fascinated with bringing ideas to life. On a mission to better integrate #appsec into #agile and #devops

Discussion


Maybe add SonarQube, it's a pretty big hit in the Java industry and inspects for such items as Unused Code, Coding Convention, Performance Hotspot, Resource Leak, Multi-Threading, Null-Pointer Dereference, Error Handling, Injection Vulnerabilities every time you check in. Free for Open source, one of my go-to security checkers. sonarqube.org/


Good one, James. Already added it here.

One thing to consider with SonarQube is that while it is a great and very mature solution, it works much better for quality-related bugs than for security bugs.

To quote from their docs:

"To be clear, the standard for most rules implemented in SonarQube language plugins is very strict: no false positives. [..] But for security-related rules, the story is a little different. [..]
That's why security-related rules cast a wider net than you may be used to seeing.
The idea is that the rule will flag anything suspicious, and leave it to the human security auditor to cull the false positives and send the real issues for remediation."


Thanks for adding it!

Yes, whilst they aren't in the game of security, their wide catch of flagging has caught some things in the past that, as developers, we have looked into.

Nice work on the listing, I have starred it for future looks.


Great list Stefan! I submitted a pull request to add one of my favourite ACME clients which just so happens to be Java based :-)


Thanks a lot for the contribution, Daniel 🙏🏻
Already merged your PR!