The first version of Java was released on January 23, 1996. Since then, Java is said to run on over 3 billion devices, and a large share of those devices are web servers.
Java is also one of the five most popular technologies according to the 2018 Stack Overflow developer survey.
With that footprint in mind, I've compiled a curated list of awesome-java-security resources to help developers write secure Java code.
guardrailsio / awesome-java-security
Awesome Java Security Resources
A curated list of awesome Java security-related resources.
List inspired by the awesome list thing.
Supported by: GuardRails.io
Contents
Tools
Web Framework Hardening
- Apache Shiro - A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
- JJWT - Java JWT: JSON Web Token for Java and Android.
- OWASP ESAPI Java - Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
- PAC4J - Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
- Spring Security - A powerful and highly customizable authentication and access-control framework.
- Spring Security Oauth - Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
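The JJWT entry above is the one that most often gets used wrong, so here is an added example of issuing and verifying a signed token with it. This is example code written for this page, not code from the awesome-java-security repo or the JJWT project. It assumes JJWT 0.11.x (jjwt-api, jjwt-impl and jjwt-jackson on the classpath); the issuer name, subject and in-memory key are placeholders chosen for the example.

```java
// Added example (not from the awesome-java-security list or from JJWT itself).
// Assumes JJWT 0.11.x: jjwt-api, jjwt-impl and jjwt-jackson on the classpath.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;

import java.security.Key;
import java.util.Date;
import java.util.Optional;

public class JjwtExample {
    // Hypothetical issuer name used only for this example.
    private static final String ISSUER = "example-auth";

    private final Key key;
    private final JwtParser parser;

    JjwtExample(Key key) {
        this.key = key;
        // Configure the parser once: the key it verifies against and the claims
        // it insists on. With a signing key set, JJWT refuses unsigned tokens
        // ("alg":"none" or a missing signature) and tokens whose HMAC does not verify.
        this.parser = Jwts.parserBuilder()
                .setSigningKey(key)
                .requireIssuer(ISSUER)
                .build();
    }

    // Issue a short-lived HS256 token for a subject; ttlMillis may be negative
    // in tests to produce an already-expired token.
    String issue(String subject, long ttlMillis) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(subject)
                .setIssuer(ISSUER)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttlMillis))
                .signWith(key)
                .compact();
    }

    // Verify a token and return its subject, or empty if it is tampered with,
    // unsigned, expired, or issued under a different key or issuer.
    Optional<String> verify(String token) {
        try {
            Jws<Claims> jws = parser.parseClaimsJws(token);
            return Optional.of(jws.getBody().getSubject());
        } catch (JwtException | IllegalArgumentException e) {
            // ExpiredJwtException, SignatureException, MalformedJwtException,
            // UnsupportedJwtException, MissingClaimException and IncorrectClaimException
            // all extend JwtException; treat every failure as "not authenticated".
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Keys.secretKeyFor generates a random key of the size HS256 requires (256 bits).
        // In a real service the key comes from a secret store, never from source code.
        JjwtExample svc = new JjwtExample(Keys.secretKeyFor(SignatureAlgorithm.HS256));

        String good = svc.issue("alice", 60_000);
        System.out.println("valid token -> " + svc.verify(good));

        // Alter the payload segment: the HMAC no longer matches.
        String[] parts = good.split("\\.");
        String tampered = parts[0] + "." + parts[1].substring(1) + "X." + parts[2];
        System.out.println("tampered    -> " + svc.verify(tampered));

        // Drop the signature entirely: parseClaimsJws does not accept unsigned JWTs.
        String unsigned = parts[0] + "." + parts[1] + ".";
        System.out.println("unsigned    -> " + svc.verify(unsigned));

        // Expiration one second in the past is rejected (JJWT checks exp by default).
        String expired = svc.issue("alice", -1_000);
        System.out.println("expired     -> " + svc.verify(expired));

        // Same claims signed under a different key: signature verification fails.
        JjwtExample other = new JjwtExample(Keys.secretKeyFor(SignatureAlgorithm.HS256));
        System.out.println("foreign key -> " + svc.verify(other.issue("alice", 60_000)));
    }
}
```

Only the untouched token yields a subject; the tampered, unsigned, expired and foreign-key variants all come back empty. The important design choice is using `parseClaimsJws` (not `parseClaimsJwt` or `parse`) together with a configured signing key and `requireIssuer`: that combination makes the library reject unsigned tokens and tokens from another issuer instead of leaving those checks to application code.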
Multi tools
- hawkeye - Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and…
Did I miss anything? Let me know in the comments.
And please leave a like (or star the repo) if you find it useful.
Top comments (6)
Maybe add SonarQube; it's a pretty big hit in the Java industry and inspects for such items as Unused Code, Coding Convention, Performance Hotspot, Resource Leak, Multi-Threading, Null-Pointer Dereference, Error Handling, Injection Vulnerabilities every time you check in. Free for open source, one of my go-to security checkers. sonarqube.org/
Good one, James. Already added it here.
One thing to consider with SonarQube is that while it is a great and very mature solution, it works much better for quality related bugs, than for security bugs.
To quote from their docs:
"To be clear, the standard for most rules implemented in SonarQube language plugins is very strict: no false positives. [..] But for security-related rules, the story is a little different. [..]
That's why security-related rules cast a wider net than you may be used to seeing.
The idea is that the rule will flag anything suspicious, and leave it to the human security auditor to cull the false positives and send the real issues for remediation."
Thanks for adding it!
Yes, whilst they aren't in the game of security, their wide catch of flagging has caught some things in the past that, as developers, we have looked into.
Nice work on the listing. I have starred it for future looks.
Great list Stefan! I submitted a pull request to add one of my favourite ACME clients which just so happens to be Java based :-)
Thanks a lot for the contribution, Daniel!
Already merged your PR!
Great article. Thanks same.
developer.oracle.com/java/technolo...