Many analysts consider Web application vulnerabilities to be among the biggest security threats facing companies these days. A lot of attention has been paid to understanding risks such as input-validation flaws, cross-site scripting errors and other Java Web application security threats.
Receiving somewhat less attention, however, has been the question of what application software developers need to know to reduce the likelihood of such vulnerabilities in the software they write.
A group of security managers from over a dozen organizations, including Booz Allen Hamilton, Deloitte & Touche, Boeing and Ounce Labs, hope to address that shortcoming. They're set to publish a document listing what they consider to be the essential skills needed for secure Web application development.
The group was pulled together by the SANS Institute, which provides a range of security training and certification programs. The goal was to create a document that can help Java developers understand how to address some of the more common security problems plaguing Web applications, said Alan Paller, director of research at SANS.
The document will be available for public comment and suggestions for the next few weeks, after which it will be released as a formal security blueprint for Java application developers sometime early next year.
Many of the items on the list of essential skills touch upon issues that are already well understood within the security community, according to Ryan Berg, chief security officer at Ounce Labs. The idea, he said, is to get developers to focus on many of the "common weaknesses that we are seeing inside Java and how they manifest themselves in the source code," the sort of security knowledge that any competent Java programmer should be expected to know going forward.
"These are the top issues that we see arising, and it should be part of the base knowledge that your Java programmer should know about and be able to implement efficiently," Berg said.
According to the group, the following are among the essential skills that Java programmers need:
Input handling To protect their code against cross-site scripting, SQL injection and similar attacks, Java programmers must be able to write programs that read input from interfaces and properly validate and process these inputs. They need to know when to validate input and not just what to validate. Programmers need to recognize the common sources of input to Java applications, such as HTTP requests, Applet sockets and back-end databases.
Authentication and session management This is one area on which Java programmers especially need to focus, according to Berg. Java applications often require making security decisions based on the identity of a person. Therefore, Java programmers need to understand authentication processes, how to use encryption and certificate technologies to protect those various processes, and how to manage then through a session, the document states.
Access control Java programmers need to understand how to make applications support the enforcement of access control rules. They need to support functions for restricting access to system resources and functions based on policies. They also require an understanding of Java's authentication and authorization services and how they can be used to implement access control.
Error and exception handling This is another area that Java programmers typically have not paid too much attention to but should, according to Berg. Developers need to understand the principles behind logging security-related events such as user log-ins, log-offs and credential changes. They need to know how much information should be logged when an error or an exception is encountered.
Encryption services Developers need to know when and how to use encryption to protect sensitive data. They should also be responsible for knowing which of their application's external links need to be supported via encryption.
In addition to familiarity with such areas, the SANS list notes other necessary security skills for Java programmers. Those include an understanding of how their own applications interface with other applications and what needs to be done to secure the interface. They should also have an understanding of the security implications of built-in data types and Java-specific memory management functions.