Tag Archives: j2ee

Dissecting the 'Obfuscated Transfer Object'

      2 Comments on Dissecting the 'Obfuscated Transfer Object'

One thing I noticed lately…is lot of interest about understanding the usage of ‘Obfuscated Transfer Object (OTO) ‘ from Core Security Patterns.  I got multiple emails about its code and implementation .. understandably there is a growing security concern about using Transfer Object (aka Value Object) that passes security-sensitive data elements between Java EE tiers (especially between Presentation/Business/Persistence), when the… Read more »

Top 25 Most Dangerous Programming Errors

      No Comments on Top 25 Most Dangerous Programming Errors

Few weeks ago, US Dept. of Homeland security (National Cyber Security Division) in collaboration with SANS Institute/MITRE teams worked together and released a list of 25 dangerous programming errors as common security flaws, which opens doors for easy exploitation. My first look at this list, I thought it is a old wine in a new bottle as the document sounded… Read more »

Security Guidance for "Sun Certified Enterprise Architect" for Java EE5 exam

Not a shameless promotion – I came to know from multiple feedback and praises from the people who took the Sun Certified Enterprise Architect exam.  Core Security patterns is overwhelmingly suggested as a reference text for “Section 8 – Security” of Sun Certified Enterprise Architect for Java EE5 exam.  Section 8: Security Explain the client-side security model for the Java SE environment,… Read more »

Stronger Authentication with Biometric SSO (Using OpenSSO and BiObex).

I had been involved with multiple Biometric ISV providers and its integration with Sun technologies particularly OpenSSO, IdM, Sun Rays and Solaris. I also had the opportunity to deploy Biometric solutions to few govt organizations that starts with “D” and “N”. Believe it or not…we have few of them in production. Now, getting down to the specifics – Putting it… Read more »

How do I prevent Cross-site Scripting (XSS) attacks in J2EE Web applications ?

I received this question from one of our book readers …ofcourse XSS is becoming widely popular. I had my own first-hand experience of XSS by test driving in my lab – believe me – I don’t have malicious intentions or crazy motives. If you want to verify your J2EE Web applications for XSS ulnerability…here is my cooked response – for… Read more »

HTTP response splitting? How-to prevent them in J2EE/Web applications ?

Couple of days ago, I received the above question from one of our readers.  Although I briefly responded to him over email,  I really wanted to explore the known traits for defending this vulnerability : HTTP response splitting is a Web application input validation vulnerability that allows to exploit the HTTP headers of a Web application for initiating attacks leading… Read more »

Security Patterns @Information Security Conf. NY

After long time, last week Chris and I joined together at Newyork for presenting a session on “Security By Default” at “Information Security Conference – 2006”.  The overall attendance in the conference was’nt great…. but we did have some participation in our session.  Chris and I did’nt forget to have fun especially the good food and drinks at couple of… Read more »

Patterns-driven Security Design @ New England JUG

Couple of days ago, I presented “Patterns-driven Security Design” at an event hosted by “New England Java User Group” at Sun Burlington campus.The participants were outstanding, I had quite a lot of good questions…. and by the time I left the building it was 10:00 PM. It was quite inspiring event as this is first time I presented the complete… Read more »

Our show at RSA…

      No Comments on Our show at RSA…

We did two panel sessions at RSA Conference, SFO last week – Both were well received.  Here is the links to the slides that we used to present  “Core Security Patterns” in the sessions. RSA 2005 Panel – Building End-to-End Security for XML Web Services: Applied Techniques, Patterns and Best Practices Security Patterns and Best Practices for J2EE, Web Services… Read more »

Tackling XML Web Services Performance & Scalability

It’s been a while.. I forgot to publish this post !!! Last JavaONE, Sameer and I had an opportunity to present on “High-performance Web Services: Tacking Scalablity and Speed”.  We digged into the XML Web services and its architecture/deployment characteristics and how its QoS mechanisms contributes to performance overheads that impedes its adoption. We explored on several mitigation strategies that can help eliminate the performance… Read more »