Using Java to Prevent Attacks
Follow two important rules to prevent your Java application from falling victim to attacks
by Adam Kolawa, Ph.D., Gina Assaf, and Roberto Scaramuzzi
Posted March 3, 2004
Editor's Note: Beginning with this article, Java Pro Online will be posting a series of weekly article briefs that offer rules for preventing attacks on Java systems and for ensuring that Java applications are secure. The discussion here provides two rules for the prevention of attacks. Look for upcoming rules on ensuring that Java applications are secure. We will post a new rule each week.
Java-based systems are typically n-tier systems with many parts and complex interactions; if a hacker can find a vulnerability in just one of those parts or interactions, the entire system's security could be compromised. If you want to ensure that your Java system is secure, you need to anticipate every possible way that a hacker could attack your system.
If security is an issue for your Java application, you should always worry about external inputs. If users manage to submit the "right" inputs, they could gain access to program details you hoped to keep private, prompt the application to crash or enter an unstable state, or access and modify the database. Such inputs may come from hackers deliberately crafting values that cause a security breach (for example, by applying a technique known as SQL injection, where the submitted input is designed to become part of a strategic SQL string, such as one that disables password checking or one that adds a new account). They may just as easily come from well-meaning users who entered information incorrectly (as a result of a typo or a copy-and-paste error) or who simply misunderstood what type or format of information they were supposed to supply.
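The SQL injection case described above comes down to one mistake: user input is pasted into the text of a query, so it can change the query's syntax instead of remaining data. The following is an added illustration written for this article brief, not code from the authors or from any product; it assumes a hypothetical `accounts` table with `username` and `password_hash` columns and an already-open JDBC `Connection`. It shows the vulnerable concatenation pattern next to a hardened version that first rejects malformed input (covering the typo and misformatted-input case as well) and then binds the value through a `PreparedStatement`, so that whatever the user typed can only ever be compared as a value.

```java
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

/**
 * Illustrative login check (added example). Assumes a hypothetical table
 * accounts(username, password_hash) and a caller-supplied JDBC Connection.
 */
public class LoginCheck {

    // Account-name policy: 3 to 32 characters drawn from letters, digits, '.', '_' and '-'.
    // A value that fails this check is rejected outright rather than "cleaned up",
    // which also catches stray whitespace from a copy-and-paste error or a typo.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{3,32}$");

    /**
     * VULNERABLE: the query text is assembled by string concatenation, so any
     * quote or SQL keyword inside 'user' or 'presentedHash' becomes part of the
     * statement itself. Shown only to contrast with the hardened form below.
     */
    static boolean authenticateUnsafe(Connection db, String user, String presentedHash)
            throws SQLException {
        String sql = "SELECT 1 FROM accounts WHERE username = '" + user
                + "' AND password_hash = '" + presentedHash + "'";
        try (Statement st = db.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    /**
     * HARDENED: validate the shape of the input first, then bind it as a
     * parameter. The driver sends the value separately from the SQL text, so
     * the database never interprets it as syntax. The stored hash is fetched
     * and compared in application code with a constant-time comparison.
     */
    static boolean authenticate(Connection db, String user, String presentedHash)
            throws SQLException {
        if (user == null || presentedHash == null || !USERNAME.matcher(user).matches()) {
            return false; // malformed input is refused, not repaired
        }
        String sql = "SELECT password_hash FROM accounts WHERE username = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, user); // bound as data, never spliced into the query text
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false; // unknown account
                }
                byte[] stored = rs.getBytes("password_hash");
                byte[] presented = presentedHash.getBytes(java.nio.charset.StandardCharsets.UTF_8);
                // MessageDigest.isEqual runs in time independent of where the arrays differ
                return MessageDigest.isEqual(stored, presented);
            }
        }
    }
}
```

The vulnerable method is kept only for contrast: note that it does not matter how carefully `user` is escaped by hand, because any escaping rule that the application and the database disagree on reopens the hole. Binding through `PreparedStatement` removes that disagreement, and the regular-expression check in front of it gives the same treatment to honest mistakes as to deliberate ones.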
By following two rules, you can bolster your defenses against security attacks that come from expected entry points in your application.