struts-user mailing list archives

From Martin Gainty <mgai...@hotmail.com>
Subject RE: About bank application using Struts 2
Date Mon, 22 Mar 2010 21:35:52 GMT

Implementing parameterised dynamic statements is of particular interest to me.

Does anyone know how I can achieve parameterised dynamic statements with Hibernate?


Many thanks to Wes for the advice on hardening Tomcat.
Martin Gainty 
______________________________________________ 
Please do not modify or disrupt this transmission. Thank You





> Date: Mon, 22 Mar 2010 17:01:22 -0400
> Subject: Re: About bank application using Struts 2
> From: wesw@wantii.com
> To: user@struts.apache.org
> 
> There are quite a few good books about general security practices for
> software development...
> 
> There used to be a library that you can use to help secure your web-app
> 
> ...looking...
> 
> http://www.hdiv.org/
> 
> They used to support an s2 plugin, but I'm not sure which version it
> works with.
> 
> In general, you want to treat security as something you approach in
> layers. Obviously, you want to encrypt communications that might
> expose sensitive information (apply ssl), and you want to utilize an
> authentication and authorization mechanism (spring-security). After
> that, you want to treat all user input as unsafe/tainted (escape
> before displaying to other users, use parameterized sql statements
> rather than constructing strings of sql) and make sure that you pay
> close attention that you try not to put sensitive data on the URL
> string (using form method="GET" for form-based authentication).
> 
> In addition, it may not hurt and would probably be worth the money to
> involve a security professional to perform audits or to participate in
> code reviews. There are new attack mechanisms that crop up all the
> time and a lot of times security pros can point out things that you
> didn't know were potential problems.
> 
> Lastly, make sure you secure your application server... There is a
> guide to hardening Tomcat here -
> 
> http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.servers.web.apache
> 
> If you are not using tomcat, make sure you know enough about your
> application server that you don't open up attack vectors at the
> server.
> 
> -Wes
> 
> On Mon, Mar 22, 2010 at 4:28 PM, Oscar <oscar.kalderon@gmail.com> wrote:
> > Hi to all, right now I'm going to develop something like a bank application to
> > enable users to manage their accounts, transfer money, pay services and so
> > on, and really I have no experience developing applications like that (where
> > security is reeeeeally important), so I don't know if there is some book about
> > critical application development with Struts 2, or you can give me some tips
> > to develop a secure application, also tips about Struts and SSL, or if you
> > know internet resources that talk about that.
> >
> > Thanks in advance.
> >
> > --
> > Oscar
> >
> 
> 
> 
> -- 
> Wes Wannemacher
> 
> Head Engineer, WanTii, Inc.
> Need Training? Struts, Spring, Maven, Tomcat...
> Ask me for a quote!
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 
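Added example (not from this thread) of what Wes's "parameterized sql rather than constructing strings of sql" advice and Martin's Hibernate question amount to in practice: the query *structure* is assembled dynamically from optional filters, while every *value* is bound as a named parameter. It assumes the Hibernate 3 Session/Query API and a hypothetical `Transfer` entity with `accountNo`, `amount` and `createdAt` fields.

```java
import java.math.BigDecimal;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.hibernate.Query;
import org.hibernate.Session;

/** Dynamic HQL with bound parameters. Transfer is an assumed entity, not from the thread. */
public class TransferDao {

    // UNSAFE (the pattern Wes warns against): the filter value is spliced into the
    // query text, so a quote character inside accountNo alters the statement itself
    // instead of being compared as data.
    public List<?> findByAccountUnsafe(Session session, String accountNo) {
        String hql = "from Transfer t where t.accountNo = '" + accountNo + "'";
        return session.createQuery(hql).list();
    }

    // SAFE: clauses are appended only when a filter is supplied (the "dynamic" part),
    // but each value reaches the database through a named parameter, never as text.
    public List<?> findTransfers(Session session, String accountNo,
                                 BigDecimal minAmount, Date since) {
        StringBuilder hql = new StringBuilder("from Transfer t where 1=1");
        Map<String, Object> params = new HashMap<String, Object>();
        if (accountNo != null) {
            hql.append(" and t.accountNo = :accountNo");
            params.put("accountNo", accountNo);
        }
        if (minAmount != null) {
            hql.append(" and t.amount >= :minAmount");
            params.put("minAmount", minAmount);
        }
        if (since != null) {
            hql.append(" and t.createdAt >= :since");
            params.put("since", since);
        }
        hql.append(" order by t.createdAt desc");   // fixed sort column, not user-chosen
        Query query = session.createQuery(hql.toString());
        for (Map.Entry<String, Object> p : params.entrySet()) {
            query.setParameter(p.getKey(), p.getValue());   // bound by the driver, no escaping needed
        }
        return query.list();
    }
}
```

Column names and sort direction cannot be bound as parameters; if those are user-selectable, map the user's choice through a fixed whitelist of allowed fields before appending it to the HQL.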