Efficiently creating secure Java applications, part 2

Source: Internet
Author: User
Tags: java, web, websphere, application server, firewall

Maximizing the security of Java Web applications using Rational AppScan

This is the second part of a two-part series of tutorials that uses Rational® Application Developer, Data Studio, and Rational AppScan to create secure, Java®-based Web applications. In Part 1, you developed a Java Web application with Rational Application Developer using JavaServer Pages (JSP) technology, and then deployed it on WebSphere Application Server.

Before you start

This article is aimed at Web application developers, Web application testers, quality assurance teams, information security professionals, and anyone who wants to ensure that their Web applications are protected against all known Web security attacks. This tutorial shows you how to use IBM Rational AppScan to achieve that goal.

About this series

The goal of these two tutorials is to enhance your Web application development skills through the use of Rational Application Developer, Data Studio, and Rational AppScan.

Part 1 uses the pureQuery features of Rational Application Developer and Data Studio to efficiently create a Java-based wealth management Web application.

In Part 2, you will use the many features of Rational AppScan to verify and improve the security of your Java application, and fix the defects it finds.

About this tutorial

This tutorial shows you how to install, configure, and use Rational AppScan to scan the Java Web application created in Part 1. You will use Rational AppScan scans to ensure that your Web application is free of Web security flaws. In this tutorial you will learn how to:

Customize a scan template;

Run a scan;

Interpret the scan results and extract information from them;

Generate scan reports;

Use Rational AppScan extensions.

This tutorial starts with an overview of Web application security. The overview explains why Rational AppScan matters for eliminating Web security flaws during application development. In addition, we introduce the deployment and licensing of Rational AppScan to help you get the most out of its features.

System Requirements

To complete the procedures in this article, you need:

IBM Rational AppScan Standard Edition, with a full or temporary Rational AppScan license. The trial version of Rational AppScan only allows you to scan a default Web site. You can contact your IBM Rational representative for a temporary short-term Rational AppScan license.

A laptop that can connect to the workstation or server used in Part 1 of this tutorial series.

Overview of Rational AppScan and Web application security

In this section, we look at the general state of Web application security and the role that Rational AppScan plays in enhancing the security of your Web applications.

Web application security overview

With the explosion of Web applications and Web 2.0 on the Internet, increasingly rich functionality has produced large and complex Web applications on a scale never seen before, especially on e-commerce and social networking sites. At the same time, a second trend is growing: code flaws in Web applications are increasingly being targeted by attackers.

There is evidence that attacks against the Web application layer are on the rise, in contrast to the traditional attacks that occur at the network layer. Network infrastructure security remains as important as ever, but the battleground has moved: attackers now focus on the area richest in security flaws, the code of the Web applications themselves, and target the high-value data that those applications control.

A perimeter firewall provides protection against network-layer attacks, but offers almost no protection against Web application-layer defects. For example, a firewall may allow only HTTPS traffic to reach the Web server, yet it does not inspect the content of the actual HTTP requests and HTML pages exchanged with the Web application, which is where the real problem may lie. The impact is enormous: even the slightest flaw in the Web application code, such as a missing validity check on an input field, can lead to a business-critical vulnerability and result in significant financial and reputational losses.

The typical consequences of attacks on Web application code are that attackers bypass the login system, steal users' Web sessions, and directly query, access, and manipulate the backend database.
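As an added illustration, not code from the tutorial's wealth management application, the following plain JDBC login lookup (JDBC is assumed here rather than the pureQuery API of Part 1, and the ACCOUNTS table is hypothetical) shows the kind of input-handling defect described above beside its hardened form: the first method pastes form fields into the SQL text, so the database rather than the application decides what the input means; the second validates the username at the application boundary, binds the values as parameters, and compares the password hash in the application.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

// Hypothetical login lookup for a JSP/servlet application. The ACCOUNTS table
// and its USERNAME / PASSWORD_HASH columns are assumptions, not Part 1's schema.
public class LoginDao {

    // DEFECT: request parameters are concatenated straight into the SQL text.
    // A perimeter firewall that permits HTTPS forwards this request unchanged,
    // so the database is the first component to interpret the user's input.
    public boolean vulnerableLogin(Connection conn, String user, String passHash)
            throws SQLException {
        String sql = "SELECT 1 FROM ACCOUNTS WHERE USERNAME = '" + user
                   + "' AND PASSWORD_HASH = '" + passHash + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Usernames in this hypothetical application are short alphanumeric IDs.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,32}$");

    // HARDENED: the input format is checked before the database sees it, the
    // value travels as a bound parameter (never as SQL text), and the stored
    // hash is compared in constant time inside the application.
    public boolean safeLogin(Connection conn, String user, String passHash)
            throws SQLException {
        if (user == null || passHash == null || !USERNAME.matcher(user).matches()) {
            return false;   // reject malformed input at the application boundary
        }
        String sql = "SELECT PASSWORD_HASH FROM ACCOUNTS WHERE USERNAME = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false;   // unknown user; same answer as a bad password
                }
                byte[] stored = rs.getString(1).getBytes(StandardCharsets.UTF_8);
                byte[] given = passHash.getBytes(StandardCharsets.UTF_8);
                return MessageDigest.isEqual(stored, given);
            }
        }
    }
}
```

Both methods take the already-hashed password; how the hash is computed is outside this illustration.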

The risk of an attack against a flaw in a Web application is real, especially when the application's data is tied to high-value business (for example, payment card information); even sensitive personal data is valuable for resale. When data is compromised, legal, regulatory, and industry standards impose large fines. Keep in mind that once you put a Web application on the Internet, anyone can access it, including, of course, malicious hackers, who have plenty of time to discover and explore flaws and vulnerabilities in the Web application code. Considering that the Web application created in this tutorial has a financial theme and handles sensitive information, it is important to ensure that the wealth management Web application is free of defects before it is published.

Given this background and growing data security requirements, developing a Web application without security flaws is a critical requirement and a basic goal. In this tutorial, you will use IBM Rational AppScan to ensure that the wealth management Java Web application created in Part 1 is free of security flaws, so that it can be placed securely on the Internet.
