Security Checklist Skill Package
Based on OWASP Top 10, comprehensively ensure application security.
OWASP Top 10 (2021)
A01:2021 – Broken Access Control
Risk: Unauthorized users can access sensitive functions or data
Mitigation Measures:
- ✓ Deny access by default, implement explicit authorization
- ✓ Implement Role-Based Access Control (RBAC)
- ✓ Disable directory listing
- ✓ Log access control failures and trigger alerts
- ✓ Limit API access rate
Code Example:
java
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/admin/users")
public List<User> getUsers() {
return userService.findAll();
}
A02:2021 – Cryptographic Failures
Risk: Sensitive data is unencrypted or uses weak encryption
Mitigation Measures:
- ✓ Use HTTPS for all sensitive data transmission
- ✓ Encrypt static data (databases, files)
- ✓ Disable weak encryption algorithms (MD5, SHA1)
- ✓ Use strong password hashing (bcrypt, Argon2)
- ✓ Key management (regular rotation, secure storage)
Code Example:
java
// Use BCrypt to encrypt password
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String hashedPassword = encoder.encode(rawPassword);
A03:2021 – Injection
Risk: SQL injection, command injection, LDAP injection, etc.
Mitigation Measures:
SQL Injection Protection
java
// ❌ Unsafe
String query = "SELECT * FROM users WHERE username = '" + username + "'";
// ✓ Safe: Use parameterized queries
String query = "SELECT * FROM users WHERE username = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setString(1, username);
NoSQL Injection Protection
java
// ✓ Use parameter binding
Query query = new Query(Criteria.where("username").is(username));
Command Injection Protection
java
// ❌ Unsafe
Runtime.getRuntime().exec("ls " + userInput);
// ✓ Safe: Validate and escape
if (userInput.matches("[a-zA-Z0-9]+")) {
ProcessBuilder pb = new ProcessBuilder("ls", userInput);
pb.start();
}
A04:2021 – Insecure Design
Risk: Security flaws at the architecture and design level
Mitigation Measures:
- ✓ Threat modeling
- ✓ Secure design patterns
- ✓ Principle of least privilege
- ✓ Defense in depth
- ✓ Secure Development Lifecycle (SDLC)
A05:2021 – Security Misconfiguration
Risk: Default configurations, unupdated software, unnecessary features
Mitigation Measures:
- ✓ Minimal installation (remove unnecessary features)
- ✓ Disable default accounts and passwords
- ✓ Error messages do not expose sensitive information
- ✓ Regular updates and patching
- ✓ Security configuration reviews
Checklist:
yaml
# application.yml
server:
error:
include-stacktrace: never # Do not expose stack trace in production
spring:
devtools:
restart:
enabled: false # Disable devtools in production
A06:2021 – Vulnerable and Outdated Components
Risk: Using libraries and frameworks with known vulnerabilities
Mitigation Measures:
- ✓ Remove unused dependencies
- ✓ Continuously monitor dependency vulnerabilities
- ✓ Obtain components from official sources
- ✓ Use signature verification for component integrity
Tools:
bash
# Maven dependency check
mvn dependency:tree
mvn versions:display-dependency-updates
# OWASP Dependency Check
mvn org.owasp:dependency-check-maven:check
A07:2021 – Identification and Authentication Failures
Risk: Weak passwords, improper session management, credential exposure
Mitigation Measures:
Password Policy
- ✓ Minimum length of 8 characters
- ✓ Complexity requirements (uppercase, lowercase, numbers, special characters)
- ✓ Check for weak and commonly used passwords
- ✓ Limit login failure attempts
- ✓ Multi-Factor Authentication (MFA)
Session Management
java
// Session configuration
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) {
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.maximumSessions(1)
.maxSessionsPreventsLogin(true);
return http.build();
}
A08:2021 – Software and Data Integrity Failures
Risk: Insecure CI/CD, automatic updates, deserialization
Mitigation Measures:
- ✓ Code signing
- ✓ CI/CD security hardening
- ✓ Dependency integrity verification
- ✓ Avoid insecure deserialization
java
// ❌ Insecure deserialization
ObjectInputStream ois = new ObjectInputStream(inputStream);
Object obj = ois.readObject();
// ✓ Use secure formats like JSON
ObjectMapper mapper = new ObjectMapper();
User user = mapper.readValue(json, User.class);
A09:2021 – Security Logging and Monitoring Failures
Risk: Attacks cannot be detected and responded to
Mitigation Measures:
- ✓ Log all login attempts and access control failures
- ✓ Audit logs for high-value transactions
- ✓ Standardized log formats
- ✓ Centralized log management
- ✓ Real-time alerts
Log Example:
java
log.warn("Failed login attempt: user={}, ip={}",
username, request.getRemoteAddr());
log.info("Password changed: user={}, timestamp={}",
username, System.currentTimeMillis());
A10:2021 – Server-Side Request Forgery (SSRF)
Risk: Attackers control requests initiated by the server
Mitigation Measures:
- ✓ Prohibit user-controlled URLs
- ✓ URL whitelisting
- ✓ Disable HTTP redirects
- ✓ Network layer isolation
java
// ✓ URL validation
private boolean isAllowedUrl(String url) {
try {
URL u = new URL(url);
String host = u.getHost();
return ALLOWED_HOSTS.contains(host);
} catch (MalformedURLException e) {
return false;
}
}
Additional Security Measures
XSS Protection
java
// Output escaping
String safe = HtmlUtils.htmlEscape(userInput);
// Content Security Policy
response.setHeader("Content-Security-Policy",
"default-src 'self'; script-src 'self' 'unsafe-inline'");
CSRF Protection
java
// Spring Security enables CSRF automatically
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
Clickjacking Protection
java
// X-Frame-Options
response.setHeader("X-Frame-Options", "DENY");
Security Response Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
Sensitive Information Detection
Information that should not be hard-coded:
- ❌ Database passwords
- ❌ API keys
- ❌ Encryption keys
- ❌ Private key certificates
- ❌ OAuth keys
Correct Approach:
yaml
# application.yml
spring:
datasource:
password: ${DB_PASSWORD} # Read from environment variables
Secure Development Process
1. Requirements Phase
- Identify security requirements
- Threat modeling
2. Design Phase
- Secure architecture design
- Secure design review
3. Coding Phase
- Secure coding standards
- Code review
4. Testing Phase
- Security testing
- Penetration testing
- Vulnerability scanning
5. Deployment Phase
- Security configuration check
- Deploy with least privilege
6. Operations Phase
- Security monitoring
- Patch management
- Incident response
Recommended Tools
Static Analysis
- SpotBugs: Java code defect detection
- SonarQube: Code quality and security
- Checkmarx: Commercial static analysis tool
Dependency Check
- OWASP Dependency-Check: Dependency vulnerability scanning
- Snyk: Open source dependency vulnerability detection
Dynamic Testing
- OWASP ZAP: Web application security testing
- Burp Suite: Penetration testing tool
Key Scanning
- git-secrets: Prevent key commits
- TruffleHog: Git history key scanning
Security Checklist
Authentication & Authorization
Data Protection
Input Validation
Security Configuration
Logging & Monitoring
Incident Response
After discovering a vulnerability
- Assess Impact: Scope, severity
- Isolate System: Prevent further damage
- Fix Vulnerability: Emergency patch
- Verify Fix: Security testing
- Summary & Review: Prevent recurrence
Reference Resources