#Secure Coding Java


tulip peakBOT
#

<@&1004656351647117403> please have a look, thanks.

#

Here is an AI assisted attempt to answer your question 🤖. Maybe it helps! In any case, a human is on the way 👍. To continue talking to the AI, you can use </chatgpt:1108714622413963314>.

#
TJ-Bot
I have a Java interview upcoming -- I got to know that along with usual questions the interviewer will also ask on secure code writing. Can y'all suggest me what I should learn about Secure coding in Java? Best practices and common vulnerabilities in your

t secure coding in Java?

  1. Input validation: Always validate user input to prevent security vulnerabilities like SQL injection and cross-site scripting.
  2. Avoid hardcoding sensitive information: Store sensitive information like passwords and API keys securely, preferably in environment variables or a secure configuration file.
  3. Use secure communication: Always use HTTPS for transmitting data over the network to prevent eavesdropping.
  4. Secure authentication and authorization: Implement secure authentication methods like OAuth or JWT tokens to ensure that only authorized users have access to resources.
  5. Protect against common security threats: Be aware of common security vulnerabilities like buffer overflows, code injections, and insecure deserialization, and take measures to prevent them.
  6. Keep libraries and dependencies up to date: Ensure that you are using the latest versions of libraries and dependencies to patch any known security vulnerabilities.
  7. Use encryption: Encrypt sensitive data at rest and in transit to protect it from unauthorized access.
  8. Conduct security testing: Perform regular security audits, code reviews, and penetration testing to identify and fix potential vulnerabilities in your code.

By following these best practices for secure coding in Java, you can demonstrate your knowledge of writing secure code during your upcoming interview. Good luck!

cunning hearth
#

@sage fog I have basically 2 bits of info

#
  1. Timing attacks
#

if it takes longer or shorter to do a check based on whether you have a "close" answer, people can use that to figure out the answer

#

basically

cunning hearth
#
public class TimingDemo {
    public static void main(String[] args) {
        String answer = "abc";
        String guessOne = "abe"; // first mismatch at the 3rd character
        String guessTwo = "ade"; // first mismatch at the 2nd character

        // String.equals() returns at the first mismatching character,
        // so the first call compares more characters than the second
        answer.equals(guessOne);
        answer.equals(guessTwo);
    }
}
#

no

#

i mean this

#

answer.equals(guessOne); will take longer than answer.equals(guessTwo);

#

because .equals on a string will exit early once it finds the first non-matching character

#

so to do "secure" checks, you need to make sure "you got it totally wrong" and "you got it mostly right" take the same amount of time

#
  2. Clearing out memory
#

the big difference between a char[] and a String is that a char[] is mutable

#

this means you can manually do Arrays.fill(arr, (char) 0) and clear out an array

cunning hearth
#

which is important since waiting for the garbage collector to clear out a string means that maybe someone's password is floating around in memory longer than it should

#

it's not as interesting + important as a timing attack, but i still find it interesting

sage fog
#

yes it is interesting and very detailed

#

thank you for sharing these, you have anything more on your mind?

cunning hearth
#

the other stuff is about how to design a server that is secure

#

so there is a whole bunch of stuff that you need to know about there

#

like

#

CSRF on form submits

#

Secure Sessions (for session based auth)

#

checking roles/access permissions

#

SQL injection (and how to avoid it)

sage fog
#

Also I know that to counter SQLi there's parameterized query and using escapeUtils. Is there any catch?

cunning hearth
#

XSS (cross site scripting)

cunning hearth
#

i have no clue what that is, but it won't do the job of a parameterized query

sage fog
#

like escape utils first then on the sanitized string use parameterized query

cunning hearth
#

what exactly is escape utils doing?

sage fog
#

it's escaping html characters and special characters IIRC

cunning hearth
#

ah, well

#

i'd rely more on decoding that before display but i guess it doesn't hurt

#

but yeah that's the basics

sage fog
#

yess

#

i will keep the 2 inputs you shared in mind

cunning hearth
#

they are mostly fun facts, but you might be quizzed idk

#

interviews are a range of silly

tulip peakBOT
#

@sage fog

Your question has been closed due to inactivity.

If it was not resolved yet, feel free to just post a message below
to reopen it, or create a new thread.

Note that usually the reason for nobody calling back is that your
question may have been not well asked and hence no one felt confident
enough answering.

When you reopen the thread, try to use your time to improve the quality
of the question by elaborating, providing details, context, all relevant code
snippets, any errors you are getting, concrete examples and perhaps also some
screenshots. Share your attempt, explain the expected results and compare
them to the current results.

Also try to make the information easily accessible by sharing code
or assignment descriptions directly on Discord, not behind a link or
PDF-file; provide some guidance for long code snippets and ensure
the code is well formatted and has syntax highlighting. Kindly read through
https://stackoverflow.com/help/how-to-ask for more.

With enough info, someone knows the answer for sure 👍