0
Java and MySQL secure coding
Please can anyone help with secure coding practice for something like a library application written in Java and MySQL. I am about to edit this application and I want to know about the secure coding concept. Please help with web applications links or your personal secure coding concept
11 answers
+ 1
You are repeating "secure coding" so much I am tempted to think it has another meaning?
Anyway, if you mean secure coding, then I have a few suggestions, even though it has been ages since I touched JDBC last.
1. Prepare your statements before execution. This is advised no matter what library or language you use. Always use prepared statements. It goes like this:
// the ? placeholder is bound as a value, so user input can never alter the SQL text
PreparedStatement stmt = dbConn.prepareStatement("SELECT * FROM table WHERE id = ?");
stmt.setLong(1, id);
ResultSet rs = stmt.executeQuery();
2. Perform some regex validation before storage. Make sure you are storing the right thing. For example, if a user mistakenly types in a very long post comment as his slug, and no validation is done whatsoever while the MySQL field length is set to the default 255, consider the speed implications of that on your site.
3. Close your connection in the finally block, not your try block.
4. This should be intuitive. Don't provide an API that allows frontend access to your database.
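The first three points of this answer put together for a library catalogue, as an added example that is not the answer's own code: the `books` table, its columns and the `Connection` passed in are assumed, and it goes a little beyond the answer by escaping LIKE wildcards and using try-with-resources in place of an explicit finally block.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class BookRepository {
    // Assumed schema: books(id BIGINT, title VARCHAR(255), isbn VARCHAR(13)).
    private static final Pattern ISBN13 = Pattern.compile("^[0-9]{13}$");
    private static final int MAX_TITLE_LENGTH = 255;
    // Unsafe pattern the answer warns against: "... WHERE title = '" + title + "'"
    // makes the caller's text part of the SQL itself. Binding it with ? keeps it data.
    public static List<String> findTitles(Connection conn, String titlePrefix) throws SQLException {
        if (titlePrefix == null || titlePrefix.length() > MAX_TITLE_LENGTH) {
            throw new IllegalArgumentException("title prefix missing or too long");
        }
        // A bound value cannot change the query, but LIKE still treats % and _ as wildcards;
        // escape them so the user's text matches literally (ESCAPE names '!' as the escape).
        String escaped = titlePrefix.replace("!", "!!").replace("%", "!%").replace("_", "!_");
        String sql = "SELECT title FROM books WHERE title LIKE ? ESCAPE '!' ORDER BY title LIMIT 100";
        List<String> titles = new ArrayList<>();
        // try-with-resources closes statement and result set even when an exception is thrown,
        // which is what "close in finally, not in try" achieves by hand.
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, escaped + "%");
            try (ResultSet rs = stmt.executeQuery()) {
                while (rs.next()) {
                    titles.add(rs.getString("title"));
                }
            }
        }
        return titles;
    }

    // Validate before storing: each constrained column gets a matching check, not a blind INSERT.
    public static void addBook(Connection conn, String title, String isbn) throws SQLException {
        if (title == null || title.isBlank() || title.length() > MAX_TITLE_LENGTH
                || isbn == null || !ISBN13.matcher(isbn).matches()) {
            throw new IllegalArgumentException("invalid title or isbn");
        }
        try (PreparedStatement stmt = conn.prepareStatement("INSERT INTO books (title, isbn) VALUES (?, ?)")) {
            stmt.setString(1, title);
            stmt.setString(2, isbn);
            stmt.executeUpdate();
        }
    }
}
```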
+ 1
John, most security issues that exist in systems are not that obvious. It takes experience to be able to fish them out.
+ 1
John, there are 6 common forms of security breaches, abbreviated as STRIDE.
1. Spoofing identity: An untrusted user logs in as a trusted user. The main cause is if the config files that contain database credentials are leaked. Please do not commit these files to Git. It can also occur through session hijacking.
2. Tampering with data: When an unauthorized user is allowed into the system. Can happen if you expose your keys, e.g. JWT, in the frontend.
3. Repudiation: Where an action cannot be reliably traced back to a user, e.g. there is no way to know who uploaded something or logged in as admin and changed something. Every authorized person must have their own credentials. They should not all use the same username and password.
To be continued because of space.
+ 1
(...continued)
4. Information disclosure: This is when data is leaked, maybe by hackers, by internal help or for business deals.
5. Denial of service: It is not really about security. It is used to refer to when your application crashes and authorized people cannot access the system.
6. Elevation of privilege: When a user has access to more than he should have. Some sites use display:none to hide their admin dashboard link. Users can always inspect the page, unhide it and view the admin dashboard.
+ 1
John, if you can find a way to share the project, maybe on GitHub, I might help. If it is something shareable, that is.
0
Nice one. I am doing a comprehensive review of a library application to fix security issues.
0
OK, can I get a research on the security aspect of MySQL?
0
Something more general.
0
Oh yeah, I know STRIDE.
0
Will find a way around this, thanks.
0
OK, send your mail or account please.