5 Tips to Improve Security for Java 8 Applications

It’s been a tough journey for Oracle Corporation in addressing cyber security vulnerabilities. Java 8 is now out (a new Java update, which was rolled out at the beginning of 2014).

Securing data exchanges between systems is a huge concern. Public-key encryption is widely used, but it is broken, and even at full strength most forms of encryption are vulnerable to data capture. However, there are still ways to secure your data if you have control over both ends of the exchange. In this blog, we will look at how we can improve security for Java 8 applications.

Transport Layer Security (TLS)

The first security enhancement in Java 8 is “TLS 1.2 Enabled by Default”. TLS encrypts communication between two systems, i.e. it provides a trust relationship; when integrated with a certificate authority, it strengthens security.

Certificate Authorities (CAs)

I am sure you all know about CAs. The principle of public-key cryptography is to make two keys work together. Anyone who has the public key can encrypt the data, and only the individual who has the private key can decrypt it. Sounds simple, doesn’t it?

Secure Socket Layer (SSL)

When you make a connection using the Secure Socket Layer (SSL) protocol, a certificate provided by the server keeps the initial data exchanges secure. Your connection will be routed through a number of intermediary servers to get to the main server, and as long as all the intermediary servers are “genuine” your connection is more or less secure.

More or Less – Sounds Scary?

Here it goes: if one of the intermediaries is not genuine, you are susceptible to a man-in-the-middle attack. The easiest form of man-in-the-middle attack uses a self-generated certificate for the server – one that says it’s for the server, but has actually been generated by a hacker using their own private key.

A good way to protect against this is to control the allowed certificates per connection. Here’s the source code to implement this approach. All you have to do is use classes in the standard java.security and javax.net.ssl packages to implement secure handling in Java 8:

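import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.net.URLConnection;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustedConnection {

    public static void main(String[] args) throws IOException,
            GeneralSecurityException {

        // open the keystore (Constants is the application's own class that
        // holds the truststore path and password)
        KeyStore kStore = KeyStore.getInstance("JKS");
        try (FileInputStream fis = new FileInputStream(Constants.TRUSTSTORE_NAME)) {
            kStore.load(fis, Constants.TRUSTSTORE_PASS.toCharArray());
        }

        // create trust manager which will trust only the server certificate
        // stored in that keystore
        String algo = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmfact = TrustManagerFactory.getInstance(algo);
        tmfact.init(kStore);
        X509TrustManager tmanager = (X509TrustManager) tmfact.getTrustManagers()[0];

        // create connection; stop here if the URL is not HTTPS
        URL url = new URL(args[0]);
        URLConnection urlCon = url.openConnection();
        if (!(urlCon instanceof HttpsURLConnection)) {
            System.err.println("Connection is not secured!");
            return;
        }

        // configure SSL connection to use trustmanager
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { tmanager }, null);
        SSLSocketFactory sfactory = sslContext.getSocketFactory();
        ((HttpsURLConnection) urlCon).setSSLSocketFactory(sfactory);

        // open connection to server
        urlCon.connect();
        urlCon.getInputStream();
        System.out.println("Got connection!");
    }
}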

As a software developer, you should always try to find ways of making it more difficult for anyone to alter data exchanges. This type of hardening is an important part of cyber security, but it’s not the only part. It also requires a defensive mechanism, where you treat everything that comes into the system as not safe until it’s proven safe.

Here are 5 best practices to Secure Data Layers
1. Private Key and Certificate
  • Use 2048-bit private keys
  • Protect private keys
  • Ensure sufficient hostname coverage
  • Obtain certificates from a reliable CA
2. Configuration
  • Deploy with valid certificate chains
  • Use secure protocols
  • Use secure cipher suites
  • Control cipher suite selection
  • Support forward secrecy
  • Disable client-initiated renegotiation
  • Mitigate known problems immediately
3. Performance
  • Do not use too strong private keys
  • Ensure session resumption works properly
  • Use persistent connections (HTTP)
  • Enable caching of public resources (HTTP)
4. Application Design (HTTP)
  • Encrypt 100% of your website
  • Avoid mixed content
  • Understand and acknowledge 3rd party trust
  • Secure cookies
  • Deploy HTTP strict transport security
  • Disable caching of sensitive content
5. Other Security Vulnerabilities
  • Review your code multiple times for other security vulnerabilities
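
The "Configuration" items above (secure protocols, secure cipher suites, cipher suite selection, forward secrecy) map onto the JSSE SSLParameters API. The following is an added example, not code from the original post; the class name HardenedTlsParameters and the ECDHE/GCM filter are assumptions chosen for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class HardenedTlsParameters {

    // Forward secrecy: keep only ephemeral ECDH suites with AES-GCM encryption.
    static String[] forwardSecretSuites(String[] supported) {
        List<String> kept = new ArrayList<>();
        for (String suite : supported) {
            if (suite.startsWith("TLS_ECDHE_") && suite.contains("_GCM_")) {
                kept.add(suite);
            }
        }
        if (kept.isEmpty()) {
            throw new IllegalStateException("no ECDHE/GCM suites available");
        }
        return kept.toArray(new String[0]);
    }

    static SSLParameters harden(SSLContext context) {
        SSLParameters params = context.getSupportedSSLParameters();
        // Secure protocols: offer TLS 1.2 only, no SSLv3 / TLS 1.0 / TLS 1.1.
        params.setProtocols(new String[] { "TLSv1.2" });
        // Secure cipher suites: start from what the JVM supports, then filter.
        params.setCipherSuites(forwardSecretSuites(params.getCipherSuites()));
        // Cipher suite selection: a server honours its own order (new in Java 8).
        params.setUseCipherSuitesOrder(true);
        // Hostname coverage: a client checks the certificate against the host.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return params;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Client-initiated renegotiation is refused on a server JVM started
        // with -Djdk.tls.rejectClientInitiatedRenegotiation=true
        SSLContext context = SSLContext.getDefault();
        SSLEngine engine = context.createSSLEngine();
        engine.setSSLParameters(harden(context));
        System.out.println("Protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        for (String suite : engine.getEnabledCipherSuites()) {
            System.out.println("  " + suite);
        }
    }
}
```

The same SSLParameters object can be applied to an SSLSocket or SSLServerSocket with setSSLParameters before the handshake.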

Wrap up

Cyber threats are numerous and they may get worse in the near future. Many countries already have programs to monitor and collect data about cyber sabotage. Governments which don’t have such active programs are more or less likely to implement them in the near future, so even if you trust your own government with your data, you need to be careful about other governments who have not yet taken cyber crime seriously. As a software developer, the onus lies on you to create applications that are highly secure and not easily prone to cyber attacks.

Siva KD

Siva was Director Technical at Evoke Technologies. He is competent in cyber security & Image processing. Has expertise in account management, setting up development centers, risk management, mentoring teams, pre-sales etc.
