Tips to power up your Java security

  • Protect against SQL injection by binding variables in prepared statements: build the query with prepareStatement() and pass user input through parameter setters, never by concatenating it into the query string.
  • Returning mutable objects leaves your class state open to unexpected changes from callers. Return an unmodifiable/immutable collection, or a defensive copy of the mutable object, instead.
  • Avoid writing XSS and log-forging characters (HTML markup, line breaks) into log messages. Sanitize each logged parameter and configure your logging service to replace such characters.
  • Always validate user input, especially when the location of a file to read or write is taken from user input.
  • Replace predictable random values (java.util.Random, seeded from clock ticks or other guessable parameters) with java.security.SecureRandom and its methods.
  • Eliminate dynamic class loading wherever the class name or class bytes could be influenced by untrusted input.
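The following class is an added example, not code from the original post, that puts the first five tips side by side: a concatenated query next to its bound-parameter form, a leaky getter next to its read-only one, a log sanitizer, a base-directory check for user-supplied file names, and a token generator using SecureRandom in place of java.util.Random. The table and column names, the `users` lookup, and the JDBC `Connection` passed in by the caller are assumptions for illustration; the `main` method runs only the parts that need no database.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Random;

/** Hypothetical class showing the weak form of each tip beside its hardened form. */
public final class SecurityTips {

    // --- Tip 1: SQL injection. Assumed table "users" with columns id, email, name. ---

    // Weak: the input becomes part of the SQL text, so quote characters in it change the query's meaning.
    static ResultSet findUserUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, email FROM users WHERE name = '" + username + "'";
        return conn.createStatement().executeQuery(sql);
    }

    // Hardened: the query text is fixed at compile time; the driver sends username separately as data.
    static ResultSet findUserSafe(Connection conn, String username) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("SELECT id, email FROM users WHERE name = ?");
        ps.setString(1, username);
        return ps.executeQuery();
    }

    // --- Tip 2: do not hand out mutable internal state. ---

    private final List<String> roles = new ArrayList<>(List.of("reader"));

    // Weak: a caller can call getRolesUnsafe().add("admin") and silently change this object's state.
    List<String> getRolesUnsafe() { return roles; }

    // Hardened: a read-only view; any mutation attempt throws UnsupportedOperationException.
    List<String> getRoles() { return Collections.unmodifiableList(roles); }

    // --- Tip 3: sanitize values before logging them. ---

    // Replaces line breaks (which forge extra log lines) and angle brackets (which render as
    // markup when logs are viewed in a browser). Logger-level replacement is a second layer, not a substitute.
    static String sanitizeForLog(String input) {
        if (input == null) return "null";
        StringBuilder sb = new StringBuilder(input.length());
        for (char c : input.toCharArray()) {
            switch (c) {
                case '\r': case '\n': sb.append('_'); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // --- Tip 4: validate a user-supplied file name against the directory it must stay in. ---

    static Path resolveUnder(Path baseDir, String userSupplied) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(userSupplied).normalize();  // normalize() collapses ".." segments
        if (!resolved.startsWith(base)) {
            throw new IllegalArgumentException("file name escapes the allowed directory");
        }
        return resolved;
    }

    // --- Tip 5: unpredictable random values. ---

    // Weak: java.util.Random is a linear congruential generator; its output is reproducible from a few samples.
    static String tokenUnsafe() { return Long.toHexString(new Random().nextLong()); }

    // Hardened: SecureRandom draws from the platform CSPRNG; 32 bytes gives 256 bits of entropy.
    static String token() {
        byte[] buf = new byte[32];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Constructed sample input: a fake "user name" carrying a line break and markup.
        String hostile = "alice\nWARN fake entry <script>x</script>";
        System.out.println("logged as: " + sanitizeForLog(hostile));

        SecurityTips t = new SecurityTips();
        try {
            t.getRoles().add("admin");
        } catch (UnsupportedOperationException e) {
            System.out.println("read-only view rejected mutation");
        }

        try {
            resolveUnder(Paths.get("/srv/uploads"), "../../etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("token: " + token());
    }
}
```

Note that `findUserSafe` gains nothing if the column or table name is itself taken from user input: binding applies to values only, so identifiers still need an allow-list check before they are placed in the query text.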
