As application development continues to grow in significance for countless organizations, so, too, does the need to focus on security. Recent events have demonstrated that the failure to adequately protect these resources can have significant consequences.
Writing for InfoWorld, industry expert John Matthew Holt recently singled out the need for organizations using Java to rethink their approach to application security. In particular, he emphasized the value of preemptive solutions, such as static code analysis tools.
According to Holt, Java-based application development presents a number of unique, difficult challenges. For one thing, he pointed out that Java programmers typically import thousands of lines of code from external library sources. The problem with this strategy is that no one is tasked with ensuring that this code has received sufficient security scrutiny.
"Therefore, vulnerabilities can be repeatedly introduced into in-house code through this 'imported code backdoor,'" Holt explained. "These vulnerabilities may be unknown to the enterprise, but well-known to attackers."
The writer further noted that there are a number of exploits that cyberattackers can use to gain access to corporate networks in these cases. For example, cybercriminals may deploy SQL injection attacks.
Further compounding these issues is the fact that Java usually centers on either network-based or testing-based efforts, and neither of these has proven sufficiently effective to protect companies from external threats.
While not a complete solution in and of itself, Holt argued that application testing tools can play a major role in securing Java applications. He noted that these resources can prove highly educational for developers, identifying vulnerabilities in the code that would otherwise go unnoticed.
To fully take advantage of these capabilities and protect their Java-based development efforts, though, it is critical for businesses to look for and implement the best available application security testing tools.
Static analysis is a case in point. These tools are key for preventing code flaws from developing into full-blown security issues. With static analysis resources in place, firms can reduce the cost of testing by identifying potential defects as early as possible in the code's lifecycle. This has the further benefit of maximizing developers' productivity, allowing them to focus more on improving and introducing new features, rather than dealing with the minutia of eliminating security flaws.
Beyond static analysis tools, firms relying on Java application development should also deploy network-based defenses. These resources, including firewalls and intrusion prevention systems, can prevent malicious outsiders from gaining access to the company's network, thereby protecting production systems from serious threats.
However, as the writer noted, these efforts have a number of shortcomings that can compromise their effectiveness. Most notably, these tools cannot simply block all traffic, or else the company would lose access to legitimate incoming information. Obviously, this would create a host of other problems.
This issue highlights just what a challenge application security can prove to be for a company, and why advanced static code analysis and related tools are so essential.
• Recognize, understand, and combat injection attacks by taking this online course (one of the many free courses offered in our Secure Coding Learning Center)
• See how static analysis detects vulnerabilities on the OWASP Top Ten list of common exploits