Mastering Secure Java Applications  
Navigating security in cloud and microservices for Java (English Edition)
Published by BPB Publications
Publication Date:  Available in all formats
ISBN: 9789355518842
Pages: 344

EBOOK (EPUB)

ISBN: 9789355518842 Price: INR 799.00
Description
This book is a comprehensive guide to applying Zero-Trust security principles, cloud-based defenses, and robust application development practices to Java. Through practical examples and expert advice, readers gain the skills needed to design and build secure Java applications that can withstand today's cyber threats. It focuses on securing source code through analysis, vulnerability detection, and automation; on hardening the runtime environment, including traffic management and multi-factor authentication; and on data security through encryption, anonymization, and cloud-based solutions, using tools such as OpenTelemetry for real-time threat detection. It covers managing sensitive information securely through HashiCorp Vault integration and explores passwordless authentication. Reference architectures, secure coding patterns, and automation practices are provided to aid implementation. By the end of the book, readers will be equipped to build secure Java applications with confidence and deliver applications that are robust, reliable, and compliant.
Table of contents
  • Cover
  • Title Page
  • Copyright Page
  • Dedication Page
  • About the Authors
  • Acknowledgements
  • Preface
  • Table of Contents
  • 1. Secure Design Principles for Java Applications
    • Introduction
    • Structure
    • Objectives
    • Zero-trust security model
      • Key principles of zero-trust security model
      • Layers of security and defense in depth
    • Log4J incident and regulatory compliance
    • Five dimensions of application development
      • Source code security
      • Application runtime security
      • Application Data Security
      • Integration with Vault
      • Observability and threat protection
    • Conclusion
    • References
  • 2. Analyzing and Securing Source Code
    • Introduction
    • Structure
    • Objectives
    • Software vulnerability
    • Common vulnerabilities and exposures
      • CVE record
      • CVE identifier
      • CVE Numbering Authority
      • Common Vulnerability Scoring System
      • Common Weakness Enumeration
      • National Vulnerability Database
    • Source code analysis and scanning
      • Prepare code
      • Scan code
      • Identify vulnerability
      • Report vulnerability
      • Remediate
      • Verify
      • Re-scan
    • Techniques for source code analysis and scanning
      • Static Code Analysis
      • Dynamic Code Analysis
      • Interactive Code Analysis
    • Source code security
      • Access control
      • Version control
      • Branching and merging
      • Audit trail
    • GitHub support for secure Java development
      • GitHub Dependabot
      • GitHub actions
      • Code scanning
      • CodeQL
      • SonarQube
      • Organization security
        • Access controls
        • Two-factor authentication
        • Security policies
        • Automated security scanning
        • Security alerts
        • Audit trail
        • Security advisories
        • Secret scanning
      • Workflow security
        • Workflow templates
        • Secrets management
        • Code scanning
        • Permissions management
        • Deployment approvals
    • GitHub support for CVE detection
      • Identify the package or dependency
      • Review the source code
      • Search the GitHub Advisory Database
      • Check the repository’s dependencies
      • Use third-party vulnerability scanners
      • Keep all packages and dependencies up-to-date
    • Understanding GitOps
    • Scanning applications running in a container
    • Reference architecture for Java source code analysis
    • Conclusion
    • Reference
  • 3. Securing Java Runtime
    • Introduction
    • Structure
    • Objectives
    • Keep Java Runtime Environment up to date
      • Keep OS security patches up to date
      • Use strong authentication and authorization methods
        • Username and password authentication
        • Token-based authentication
        • OAuth 2.0 and OpenID connect
        • Multifactor Authentication
        • Role Based Access Control
        • Permission annotation
    • Use security manager
      • Implement code signing
      • Use encryption and decryption
      • Providers
      • API organization
      • Implement input validation
      • Probable mistakes
      • Probable remedies
    • Implement secure network communication
      • What is HTTPS
      • Man in the middle attacks
      • What is TLS
        • Benefits of using TLS
      • Concepts
        • Sockets
        • TLS certificates
        • TLS handshake
      • Implementing TLS
        • Configuring TLS in Java application servers
        • Configuring TLS in Apache
        • Configuring TLS for Tomcat
        • Configuring TLS for Spring Boot
        • Using JSSE in standalone Java application
      • Handle sensitive information in code
      • Employ secure coding practices
      • Conduct security assessments regularly
    • Conclusion
    • References
  • 4. Application Data Security
    • Introduction
    • Structure
    • Objectives
    • Input validation
    • Authentication and authorization
    • Secure session management
    • Data encryption
      • Symmetric data encryption
      • Asymmetric data encryption
    • Secure data transmission
    • Data integrity validation
    • Secure object serialization
    • Error handling
    • Logging and auditing
    • Data classification
    • Data masking
    • Data anonymization
    • Access control
    • Secure data storage
    • Data exfiltration protection
    • Key management
    • Compliance and regulations
    • Conclusion
  • 5. Application Observability and Threat Protection
    • Introduction
    • Structure
    • Objectives
    • Observability
      • Benefits of observability
      • Observability versus monitoring
      • Observability in a distributed system
      • Evolution of observability
    • Three pillars of observability
      • Logs
      • Metrics
      • Traces
    • Observability and monitoring tools
      • Logging frameworks
      • Application performance monitoring tools
    • Threat modelling and protection against threats
      • Benefits of threat modelling
      • Appropriate time for threat model
      • Steps of threat modelling
        • Define scope of work
        • Define zone of trust
        • Identify threats
        • Strategies of handling threats
      • Threat identification and protection against threats
    • Conclusion
    • References
  • 6. Integration with Vault
    • Introduction
    • Structure
    • Objectives
    • Secrets management with HashiCorp Vault
      • Concepts
      • What is Vault
      • Secrets engine
        • Secrets engines lifecycle
        • Types of secrets engine
      • Configuration for MySQL Database
    • Integration with Vault from Standalone Java application
    • Integration with Vault from Spring Boot application
    • Integration with Vault from Spring Boot application running on Kubernetes
      • Vault configuration
      • Spring Boot application code
        • Application properties
        • Dockerfile
        • Kubernetes Deployment YAML
        • Kubernetes Service YAML
        • Deploy to Kubernetes
    • Conclusion
    • References
  • 7. Established Solution Architecture and Patterns
    • Introduction
    • Structure
    • Objectives
    • Security patterns for monolith
      • Monolith application security patterns
        • Communication protocol and port(s)
      • What is SSL/TLS
        • How TLS works between client and server
        • Authentication
        • Cookie based authentication
        • HTTP basic authentication
        • HTTP UI authentication (Login UI)
        • Authorization or access control
        • How to check the various security headers set by a website?
    • Security patterns for microservices
      • Authorization
        • OAuth 2.0
        • JSON Web Token
      • Securing microsites or north-south traffic
      • Securing east-west traffic
    • Software supply chain management security
      • Security risk of software supply chain management
      • Mitigation plans
        • Manual security vulnerability scanning
      • DevSecOps
      • Automated security vulnerability scanning using GitHub actions
    • Conclusion
  • 8. Real-world Case Studies and Solutions
    • Introduction
    • Structure
    • Objectives
    • AWS security tools
    • Use case 1: Securing web application in AWS environment
      • AWS environment setup
        • Setup key pair
      • Setup default VPC
    • Best practices for environment setup using CloudFormation template
      • Using CloudFormation via AWS console
    • Best practices to store secrets: Using AWS Secrets Manager
      • Using secrets manager and storing secret
      • Update CloudFormation with secrets manager entries
    • Best practices to protect website from common vulnerabilities using AWS web application firewall
    • Best practices to identify configuration issues using AWS Inspector and Security Hub
      • Create instance profile
      • Modify EC2
      • Enable Inspector
      • Security Hub
    • Use case 1.1: AI powered intrusion detection system
      • Key components of AI in IDS
      • Benefits of AI powered IDS
      • AWS GuardDuty
        • Step by step guide to use AWS GuardDuty
    • Use case 2: Secure AWS microservice environment
      • Securing the AWS API Gateway
      • Best practices to secure AWS Lambda
    • Similar services across different cloud providers
    • Conclusion
  • 9. Java Software Licensing Model
    • Introduction
    • Structure
    • Objectives
    • Software license
    • Categories and sub-categories of software licenses
    • Types of software licensing models
      • Open-source license model
      • Perpetual license model
      • Floating license model
      • Concurrent license model
      • Subscription license model
      • Metered license model
      • Consumption-based license model
      • Use-time license model
      • User-based license model
      • Node-locked license model
      • Support license model
      • Trial license model
      • Academic license model
    • Common open-source software licenses
      • Public domain license
      • Creative Commons license
      • Apache 2.0
      • MIT License
      • GPL
      • AGPL
      • JRL
    • Comparison of these licenses
      • Public Domain License
      • Creative Commons License v4.0
      • Apache 2.0
      • MIT
      • BSD 2.0
      • GPLv3
      • AGPLv3
      • JRL
    • Guidelines and best-practices to choose
    • Conclusion
    • References
  • 10. Secure Coding Tips and Practices
    • Introduction
    • Structure
    • Objectives
    • What is secure coding
    • Why secure coding
    • Secure coding: Best practices and guidelines
      • Input validation
      • Output validation / encoding
      • Authentication and password management
      • Authorization/Access control
      • Session management
      • Error handling and logging
      • Injection prevention
      • SQL Injection
      • LDAP injection
      • Xpath injection
      • Log injection
    • Conclusion
    • Exercises
  • Index