Information Security Transformation-Nahil Mahmood-Lecture 101

Uploaded by Safa yousaf

CASE STUDY – JAVA APPLICATIONS SECURITY HARDENING

• Carnegie Mellon Software Engineering Institute
• https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java
Hardening process:

1. Identify critical assets (& asset owner)
2. Research on applicable security controls
3. Checklist of applicable controls
4. Document controls into SOP
5. Implement controls on test setup
6. Validation of control implementation
7. Change management process for PROD
8. Implement on PROD & monitor
• Rule 7
• ERR02-J. Prevent exceptions while logging data
• Exceptions that are thrown while logging is in progress can prevent successful logging unless special care is taken. Failure to account for exceptions during logging can cause security vulnerabilities, such as allowing an attacker to conceal critical security exceptions by preventing them from being logged. Hence, programs must ensure that data logging continues to operate correctly even when exceptions are thrown during the logging process.
• Non-compliant Code Example:
• This noncompliant code example writes a critical security exception to the standard error stream:
• Writing such exceptions to the standard error stream is inadequate for logging purposes. First, the standard error stream may be exhausted or closed, preventing recording of subsequent exceptions. Second, the trust level of the error stream may be insufficient for recording certain security-critical exceptions or errors without leaking sensitive information. If an I/O error were to occur while writing the security exception, the catch block would throw an IOException and the critical security exception would be lost. Finally, an attacker may disguise the exception so that it occurs with several other innocuous exceptions.
• Compliant Solution:
• This compliant solution uses java.util.logging.Logger, the default logging API provided by JDK 1.4 and later. Use of other compliant logging mechanisms, such as log4j, is also

END
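The contrast the slides describe, as an added example that is not the deck's or SEI CERT's own code: the noncompliant pattern writes the security exception to System.err, which is simulated here as closed and silently drops the record, while the compliant pattern routes it through java.util.logging.Logger and an in-memory handler that captures it. The class Err02Demo, the checkAccess operation and the handler are constructed for this demonstration.

```java
import java.io.ByteArrayOutputStream;
import java.io.PrintStream;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.*;
public final class Err02Demo {
    private static final Logger LOGGER = Logger.getLogger(Err02Demo.class.getName());
    // Hypothetical privileged operation that always fails (constructed for this demo).
    private static void checkAccess(String user) {
        throw new SecurityException("access denied for user " + user);
    }
    // Noncompliant pattern: the security exception is written to standard error.
    static void noncompliant(String user) {
        try {
            checkAccess(user);
        } catch (SecurityException se) {
            System.err.println(se);
        }
    }
    // Compliant pattern (ERR02-J): java.util.logging handlers report write failures
    // through their ErrorManager instead of throwing, so the catch block cannot fail.
    static void compliant(String user) {
        try {
            checkAccess(user);
        } catch (SecurityException se) {
            LOGGER.log(Level.SEVERE, "security exception for user " + user, se);
        }
    }
    public static void main(String[] args) {
        // Simulate an exhausted or closed standard error stream.
        PrintStream closedErr = new PrintStream(new ByteArrayOutputStream());
        closedErr.close();
        System.setErr(closedErr);
        noncompliant("alice");
        // PrintStream swallows the I/O failure: the record is lost, only a flag is set.
        System.out.println("stderr write failed silently: " + closedErr.checkError());
        // Logger with an in-memory handler, independent of System.err.
        List<LogRecord> captured = new ArrayList<>();
        Handler memory = new Handler() {
            @Override public void publish(LogRecord r) { captured.add(r); }
            @Override public void flush() { }
            @Override public void close() { }
        };
        LOGGER.setUseParentHandlers(false);
        LOGGER.addHandler(memory);
        compliant("alice");
        System.out.println("records captured: " + captured.size() + ", thrown=" + captured.get(0).getThrown());
    }
}
```

In a real deployment the in-memory handler would be a FileHandler or similar persistent sink; the point is that the logging call itself cannot throw and lose the security-critical record.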