Iron-Clad Java: Building Secure Web Applications (Oracle Press)

Let me first start out by complementing the authors on the writing style. The book is actually engaging. The style is conversational and very enjoyable. It makes reading about security fun while presenting key information that every developer needs to understand.This book makes no assumptions. It builds a framework for understanding complex and sometimes intimidating concepts so that every reader can fully grasp and own that material. Topics are then further explored with code examples as well as references to projects (i.e. OWASP HTML Validator, Shiro, etc.) so that the reader can apply what has been presented.One of the things that I really like about the book is the presentation of anti-patterns as well as positive patterns. The authors take the time to show you both the approaches that do not work as well as ones that will! This is crucial as many of the bad approaches (anti-patterns) are solutions that are often seen in real-world situations. The authors explain why the anti-patterns are weak and then present solutions that will work!The breadth of the topic matter is superb. The OWASP top 10 vulnerabilities are well represented in this book. However, it goes beyond the theoretical and covers topics that have an immediate impact to actual projects. I recently found myself pointing a fellow developer to the chapter on Safe File Upload and File I/O.This book is very approachable and would be appropriate anyone in application development, project management, information security, or upper management.This is absolutely a must-read for developers in industries that deal with personal, financial, or medical information.I highly recommend this book!

I really liked this book. It brings a lot of issues together, than one otherwise should look up in too many different sources.The writing style is also great.That being said, I don't like so much the presentation of CSRF. I believe the discussion of this problem should start by describing the "same-origin policy", cos this is where the problem but also the solutions start. CSRF is a case where the "same-origin policy" does not apply. The "Synchronizer token" offers effective protection cos the attacker cannot retrieve the token by doing a GET request before the POST request that would submit the token,because of the "same-origin policy". And in the "double submit cookies" solution, the attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy, and not because the cookie is HttpOnly, as the authors put it. On the contrary, this cookie should not be HttpOnly, so that javascript frameworks such as AngularJS and DWR can manipulate it.I think that the chapter of CSRF should be rewritten around the "same-origin policy".One other place I disagree with the authors is the presentation of the "Insecure Direct Object Reference" Attack as a special case of SQL injection. Specifically, the authors present a special case of SQL injection where the injected part is the "order by clause" as the "Insecure Direct Object Reference" Attack. However, the later is not related to SQL injection.

I couldn't put the book down, as I found a lot of things that I will incorporate in my next projects.Great practical examples that I found easy to follow and to implement.I particularly liked the explanation on the anti-patterns and the reason for their inadequacy when used exclusively(e.g. Black list validation).I was pleasantly surprised to find the topic that covers authorization approaches other than the usual role-based approach. The book does justice in covering different authorization approaches and also looking at what modern applications will begin to need, which pure role-based approaches fall short on.All in all, I enjoyed all the chapters in this book. I continue to re-read topics of interest from some chapters, to make sure that the lessons become part of how I approach all my future projects.

This is amazing book, for busy developer who don't have a lot of time, this book cover most security issues you might have while developingweb application in java, and explain how hackers think and exploit weak area in application, and then give you all available ways to defense against.

Concise coverage of all the essential topics. Iron-Clad Java is a winner. If you are looking for advice on current secure software development best practices, this book is invaluable. The writing style stays conversational, while delivering the specific facts a developer needs to implement the recommendations.

This is a must-have book for anyone architecting or developing webapps in Java. The advice is solid, un-biased, and framework agnostic, so the lessons learned from it should apply to any project. The takeaways from reading it will be a solid understanding of what is wrong with many webapps (in general) and corrective measures you can take to mitigate the issues. I highly encourage dev teams to collaborate on the examples in the book.

I wouldn't waste my $$$ on this book if I needed something that would help me to my job. I does not have enough information in it to do the job. It is more of a very high level, secondary reference book, which tells you where to go, rather than giving you what you need to know to do the job.I should have known by the price that it would not do the job; i.e., $28.95....I have 50 to 75 good software technical books in my reference library and most of which cost at least $40+ to $60+.

Jim and August outdid themselves here. This is THE definitive work on writing secure Java. I use it as a required textbook in secure coding classes in Java environments. Someone needs to write a .NET version!!

Excellent book! The only suggestions would be to include a greater coverage of Spring Security (and securing thymeleaf views against csfr attacks) and Apache Shiro. And to update examples that are based on the frameworks which are on the slope of popularity (Struts) in favor of more popular ones. But even without that it remains a must read for Java developers.

Every Java web application developer should have this book.

Livre à la fois synthétique et pointu.Bonne source complémentaire de code à associer aux ressources traditionnelles de l'OWASP.Dommage que le code des exemples ne soit pas disponible en téléchargement