After several months talking about cybersecurity, I hope you’ve found these posts interesting and, above all, that you’re now more aware of the importance of cybersecurity.
In case you missed them, here’s a summary of other cybersecurity posts that I’m sure you will find interesting:
- How cyber attacks work and what to do to avoid them
- Collection#1, a.k.a the biggest security breach in history
- Shodan, how to avoid your webcam from being hacked
- 5 tips to become a cybersecurity expert by the end of the summer
Now I’d like to take you through how to analyse and eliminate vulnerabilities in applications you’ve developed using Java (Java 11 or any of its previous versions).
So, where do we start?
I’m sure you know what a vulnerability is, but to refresh your memory, it is any weak point of your computer system that may be attacked. A while ago, one such vulnerability caused a major security breach: Collection#1.
Why might a vulnerability occur?
Vulnerabilities may arise for various reasons, but there are two main ones:
- due to a coding error of the application itself;
- due to a coding error in the library you’re using to develop the application.
In both cases, this can happen if you don’t take into account secure design principles, such as validating the input data of your application to prevent injection attacks such as XSS (cross-site scripting).
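As an added example (not code from the original post or from any of the tools it mentions), here is the kind of vulnerable/fixed pair a SAST tool reports for reflected XSS in Java. The class name `GreetingPage`, the `name` parameter and its allow-list are assumptions chosen for illustration, and the inputs are constructed samples.

```java
import java.util.regex.Pattern;

public class GreetingPage {

    // Allow-list for the hypothetical "name" parameter: letters, digits, space, . ' -
    private static final Pattern NAME = Pattern.compile("[\\p{L}\\p{N} .'-]{1,64}");

    // Vulnerable: untrusted input is concatenated straight into HTML.
    static String renderUnsafe(String name) {
        return "<p>Hello, " + name + "</p>";
    }

    // Hardened: validate against the allow-list, then encode for the HTML context.
    static String renderSafe(String name) {
        if (name == null || !NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid name parameter");
        }
        return "<p>Hello, " + escapeHtml(name) + "</p>";
    }

    // Minimal HTML encoder for element content and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String[] inputs = { "Ana O'Neil", "<script>alert(1)</script>" }; // constructed samples
        for (String in : inputs) {
            System.out.println("unsafe: " + renderUnsafe(in));
            try {
                System.out.println("safe:   " + renderSafe(in));
            } catch (IllegalArgumentException e) {
                System.out.println("safe:   rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Validation and output encoding do different jobs here: the allow-list rejects input that has no business being a name, while the encoder keeps a legitimate value such as `O'Neil` from being interpreted as markup.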
Now, I’m going to show you how to check whether your code has any of these kinds of vulnerability and how to correct them.
Error in your application code: How do I know if I have vulnerabilities in my code?
Cases such as the above vulnerability can be detected using Static Application Security Testing (SAST) tools, which generate a report on the main vulnerabilities of your code. There are numerous paid applications on the market that perform this type of analysis, such as:
Kiuwan and Checkmarx integrate with Eclipse-based IDEs, and Kiuwan can even be used with PyCharm if you’re a Python developer. The advantage is that in one of the views (in the case of Eclipse) you can see the class and line of the code with the vulnerability, along with what type it is and how to resolve it.
Fortify has two different modes: On Demand and On Premise. In the first case, the sources of your application are sent for analysis and a report is sent back informing where your vulnerabilities are located.
Example: How to correct vulnerabilities in Java code
In the case of our Java application, the Eclipse IDE lets us integrate Kiuwan and Checkmarx into the IDE itself, so we can run the SAST checks while we are developing our Java classes and interfaces.
Kiuwan displays information on the vulnerabilities we have in the ‘Problems’ view. Moreover, double-clicking a reported problem opens a Java class editor at the line of code with the vulnerability. There is also help on each type of vulnerability, with one code example showing why the vulnerability exists and another showing how to edit the code to eliminate it.
Checkmarx has two views in a similar manner to Kiuwan. Upon clicking the vulnerabilities selected, information is displayed regarding the vulnerability on the line affected.
This video shows how to install the Checkmarx plugin for Eclipse, review scan results and identify security vulnerabilities within the application source code.
Error in third-party libraries: How do I know if I have vulnerabilities in my dependencies?
If you reuse third-party libraries to optimise development time, you may end up with more vulnerabilities. However, don’t worry: the people at OWASP have developed a command-line tool, which can also be integrated into Maven, that analyses Java and .NET libraries and generates a report of the vulnerabilities known at that time: OWASP Dependency-Check.
Just go to your Maven Java project and add the OWASP Dependency-Check plugin to your pom.xml as follows:
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>3.0.2</version>
    <executions>
        <execution>
            <goals>
                <goal>check</goal>
            </goals>
        </execution>
    </executions>
</plugin>
Then run the check goal for your project and you’ll receive a report in HTML format with a list of the vulnerabilities in your dependencies.