Java Security Explained
Exploring security in the Java ecosystem
Java makes up a large portion of today’s applications and software. Because of its popularity, Java application security affects countless users and development teams. The good news is that the Java Development Kit (JDK) comes with some impressively robust security features. Sun Microsystems (now Oracle) really did design Java with security in mind.
However, Java web application security still has limitations. Organizations need to understand which security features are built into Java and which ones are not. So, in this article, we’ll cover what is — and isn’t — inside the Java Security package.
The basics of Java security
What is Java security?
Java security includes three layers — tools, APIs & libraries, and Java language & runtime security. Although it has great platform security by default, some of its other security features need to be understood and enabled by developers.
Is Java secure by default?
The Java security package offers features like cryptography, authentication, and public key infrastructure. Plus, Java code security is inherently stronger than some other coding languages because of its strong data typing and other built-in security measures. The JDK maintainers are also great at releasing timely security updates. For example, new Java 17 features included the ability to combat the ongoing problem of insecure deserialization.
What security features does Java have?
Both the Java language itself and the additional features offered inside the Java Security package make it an overall secure platform to use.
Java platform security
The Java language itself is inherently secure in many ways. A few of its features include:
Automatic memory management: Java’s garbage collection memory management automatically disposes of objects, ensuring that code is as clean and robust as possible. This helps with security because clean code makes testing easier and minimizes the chances of vulnerabilities.
Strong data typing: Because it’s a strongly-typed language, Java requires that developers stay within strict code parameters. This minimizes bugs and the security vulnerabilities that could come with them.
Bytecode verification: When compiling code, Java converts code into platform-agnostic bytecode. Built-in bytecode verification ensures that bytecode is checked before execution, minimizing the chance of malicious bytecode getting put into the mix.
Secure class loading: Dynamic class loading is an important Java feature because it means that software components can be installed at runtime. But this mechanism could also allow attackers to load files straight into your running application. Luckily, the JDK team thought of this possibility. Secure class loaders allow each class file to be assessed by the virtual machine’s access controller, then apply policy standards that are related to the context of the request. They also enforce rules about the class files’ namespaces, which helps to prevent malicious actors from forging classes and running them through your system.
But these security features are only helpful if teams stay up to date on the version of Java they use. Outdated Java versions typically don’t receive any updates, including security fixes, unless you work with an outside vendor that has longer support windows. There are currently two different Java versions available for teams to choose from. Developers can either opt for the latest non-LTS Java version, which follows a regular release cadence (every 6 months), or choose Java LTS, which has longer support and updates. The bottom line: teams need to pick a model that works for them and enables them to keep their release updated. Otherwise, they won’t stay up to date on security features, which could lead to vulnerabilities.
Java security features
In addition to the Java platform’s built-in security measures, there are also a few Java security features that can be added by developers as they build applications. All these features are offered in the Java Security Package (package java.security). The Java Security Package includes classes for:
Cryptography: The Java Cryptography Architecture supports several APIs that enable digital signatures, message digests, ciphers, message authentication codes, and key generation. Cryptography lowers the risk of sensitive data exposure.
Authentication: A collection of APIs called Java Authentication and Authorization Service (JAAS) helps to ensure that trustworthy sources are executing Java code. They enable security functions such as single sign-on (SSO), fine-grained access to sensitive resources, and identification measures to verify users. In addition, Java has a few other pluggable login modules that can be used for authentication.
Authorization: JAAS also authorizes whether users have access control rights to perform a particular action.
Public Key Infrastructure (PKI): Java offers tools and APIs with features that make it easier to develop and deploy PKI applications. A PKI framework uses digital certificates to secure the communication between server and client.
Secure communication: Java also provides features to protect the integrity and privacy of data transfer between peers on an untrusted network. For example, the JSSE standard API enables secure sockets for TLS/DTLS data, SunJSSE offers cryptographic services, and Java Simple Authentication and Security Layer (SASL) creates an authentication protocol and offers an additional layer of security between client and server applications.
XML signatures: Java also enables XML signatures, which verify the integrity of any given data by providing documentation that proves a data set’s validity.
Most of these features either focus on strong access control (ensuring that every entity has the right to access the data that they’re trying to interact with) or secure data transfer. Strengthening access control and data transfer drastically improves overall security posture. Java makes it easy for developers to do so.
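As an added illustration of the cryptography APIs listed above (example code, not from the original article), the following program uses the JDK's built-in providers for key generation, a digital signature, and a message authentication code, and shows that a modified message fails both checks. The message contents and class name are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

public class JcaIntegrityDemo {
    // Asymmetric: sign with the private key; anyone with the public key can verify.
    static byte[] sign(PrivateKey key, byte[] msg) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(key);
        s.update(msg);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] msg, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(key);
        s.update(msg);
        return s.verify(sig);
    }

    // Symmetric: both sides share the key and recompute the tag over the message.
    static byte[] hmac(SecretKey key, byte[] msg) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(msg);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages.
        byte[] msg = "transfer 100 to account 42".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "transfer 900 to account 42".getBytes(StandardCharsets.UTF_8);

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair pair = kpg.generateKeyPair();
        byte[] sig = sign(pair.getPrivate(), msg);
        System.out.println("signature valid:    " + verify(pair.getPublic(), msg, sig));
        System.out.println("tampered rejected:  " + !verify(pair.getPublic(), tampered, sig));

        SecretKey macKey = KeyGenerator.getInstance("HmacSHA256").generateKey();
        byte[] tag = hmac(macKey, msg);
        // MessageDigest.isEqual compares in constant time, so timing does not reveal
        // how many leading bytes of a forged tag were correct.
        System.out.println("tag valid:          " + MessageDigest.isEqual(tag, hmac(macKey, msg)));
        System.out.println("tampered tag fails: " + !MessageDigest.isEqual(tag, hmac(macKey, tampered)));
    }
}
```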
For a quick sense check on the security of your Java code, try out our code checker tool.
Security for Spring-based applications
The Spring Security framework provides some additional security features, making it easier for developers to create secure, Spring-based applications.
Spring Security includes features focused on authentication and authorization, supported in both Servlet and WebFlux environments. Mainly, it offers secure mechanisms for storing passwords, which helps with authentication.
Spring Security also includes defenses against common exploits, such as:
Cross-site request forgery (CSRF) protection: This attack happens when a bad actor forges a trusted website, redirects a user to this site, and then manipulates the user to give up personal information or funds. Spring prevents this by providing two mechanisms: the synchronizer token and a requirement to specify the SameSite attribute on each session cookie. Both authenticate a site’s identity by requiring evidence of trustworthiness to be present in requests.
Security HTTP response headers: Spring Security provides support for several HTTP response headers. These security headers help to protect end users from a variety of attacks such as cross-site scripting, man-in-the-middle attacks, and clickjacking. Security HTTP response headers are one of the simplest, but powerful, ways to restrict suspicious activities between the server and web browser.
Redirect to HTTPS: Spring Security can be configured to perform a redirect to HTTPS whenever a client uses HTTP. This also prevents suspicious activities from interfering with the communication between the server and web browser.
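The three defenses listed above can be expressed in one Spring Security configuration class. This is an added example, not code from the original article or from the Spring project; it assumes the Spring Security 6.x lambda DSL on the Servlet stack, and the class name and header values are illustrative choices.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig { // hypothetical class name

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Redirect to HTTPS: any request arriving over plain HTTP is redirected.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            // CSRF: synchronizer token required on state-changing requests.
            // It is on by default; stating it explicitly guards against accidental removal.
            .csrf(Customizer.withDefaults())
            // Security HTTP response headers (values below are illustrative).
            .headers(headers -> headers
                // X-Frame-Options: DENY, against clickjacking.
                .frameOptions(frame -> frame.deny())
                // Strict-Transport-Security for one year, against downgrade to HTTP.
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000))
                // Content-Security-Policy limiting where scripts may load from.
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("default-src 'self'")))
            // Every request requires an authenticated user.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

If the application runs on Spring Boot (an assumption; the article does not name it), the SameSite attribute of the session cookie is set separately with `server.servlet.session.cookie.same-site=strict` in `application.properties`.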
Using Snyk to secure your Java application
Many Java applications are built using large frameworks like Spring or Quarkus. These bring in a lot of dependencies, so scanning them for vulnerabilities is essential. Our new State of Open Source report shows that the average number of vulnerabilities (in the dependencies) for a Java application is quite high. Scanning with Snyk Open Source (on your local system, in your pipeline, and in your repository) is essential.
Securing your Java apps with Snyk is simple, as the platform can be installed and configured within minutes. Snyk exists to equip you with Java security best practices for every stage of your software development lifecycle (SDLC), so you can build a better, and more secure, Java application for your users.
Even with the best language, you can make mistakes. With Snyk Code, you can find security issues in your custom code quite easily. Check out these examples of how Snyk solved Java security issues in Spring and IntelliJ IDEA.