March/April 2006 Book Review

Book:          Core Security Patterns: Best Practices and Strategies for J2EE, Web Services, and Identity Management
Author/s:    Christopher Steel, Ramesh Nagappan, Ray Lai
Publisher:  Prentice Hall PTR (October 14, 2005)
ISBN:          0-13-146307-1
Pages:       1039

If you are involved in Java / Java 2 Platform, Enterprise Edition (J2EE) development, architecture design or security testing, this book is a must-have. Written by three of the top security gurus in the field, it contains everything you might need to know about security aspects of the Java/J2EE environment.

Although it is a technical book, the way the authors explain their subject matter makes this book valuable to all, not only to the J2EE/Java specialists amongst us. It does, however, require basic knowledge of the environment and implementation architectures. The book is definitely written for developers and architects.

Having read other books on patterns in the J2EE environment, I find this definitely the best example-oriented security book for demonstrating how patterns can be applied in enterprise application security situations.

Core Security Patterns is very comprehensive – containing 1039 pages – and is packed with practical examples. It starts off with the basics of security, and ends with the use of smartcards and biometrics for secure personal identification.

I have included the table of contents to give you a glimpse of what to expect:

Part I:  Introduction
Chapter 1.  Security by Default
Chapter 2.  Basics of Security

Part II:  Java Security Architecture and Technologies
Chapter 3.  The Java 2 Platform Security
Chapter 4.  Java Extensible Security Architecture and APIs
Chapter 5.  J2EE Security Architecture

Part III:  Web Services Security and Identity Management
Chapter 6.  Web Services Security–Standards and Technologies
Chapter 7.  Identity Management Standards and Technologies

Part IV:  Security Design Methodology, Patterns, and Reality Checks
Chapter 8.  The Alchemy of Security Design–Methodology, Patterns, and Reality Checks

Part V:  Design Strategies and Best Practices
Chapter 9.  Securing the Web Tier–Design Strategies and Best Practices
Chapter 10.  Securing the Business Tier–Design Strategies and Best Practices
Chapter 11.  Securing Web Services–Design Strategies and Best Practices
Chapter 12.  Securing the Identity–Design Strategies and Best Practices
Chapter 13.  Secure Service Provisioning–Design Strategies and Best Practices

Part VI:  Putting It All Together
Chapter 14.  Building End-to-End Security Architecture–A Case Study

Part VII:  Personal Identification Using Smart Cards and Biometrics
Chapter 15.  Secure Personal Identification Strategies Using Smart Cards and Biometrics

Contents:

The authors start each section with a clear explanation of the issues involved in security for the given subject. They then explain the different technologies that can be used to address the discussed issues.

Enough code is provided for the reader to understand the underlying concepts. After presentation of the issues and options, a presentation of security patterns that can be applied to a number of application scenarios follows.

Some of the important concepts covered from the perspective of a security consultant are:

  1. When and how to use Java Security APIs (application programming interfaces) – JCE (Java Cryptography Extension), JCA (J2EE connector architecture), JSSE (Java Secure Socket Extension), JAAS (Java Authentication and Authorisation Service), SASL (simple authentication and security layer)
  2. Implementing security with JSP (Java server pages)/Servlets/EJB (Enterprise Java Beans)/JDBC (Java database connectivity)/JMS (Java messaging service)/J2EE connectors/Java ACC (Authorisation Contract for Containers), etc.
  3. J2EE network topology options and how to design the network deployment for security and scalability
  4. How to secure thick/thin clients, J2ME (Java2 Micro Edition) clients interacting with server-side J2EE apps
  5. Practical scenarios for using WS-Security (Web Services Security), XML (Extensible Markup Language) Signature, XML Encryption, XKMS (XML Key Management Specification), and XML Firewalls
  6. Enabling single sign-on and when to use SAML (Security Assertion Markup Language), Liberty ID-*, XACML (eXtensible Access Control Markup Language)
  7. Security architecture, patterns, best practices, and pitfalls to consider in designing and deploying Web-based and EJB applications, Web services, Identity management, and user account provisioning
  8. RUP (Rational Unified Process) based Application security methodology, risk analysis, trade-off analysis, policy design, testing, and reality checks to consider before implementation
  9. How to use crypto for obfuscating, and securely logging and auditing data within J2EE applications
  10. How to use PKI (public key infrastructure), hardware tokens, and smartcards in Java based applications
  11. How to incorporate smartcards and biometric authentication technologies in J2EE applications
  12. Real-world case study architecture (for a web portal) showing how to demonstrate end-to-end security using patterns and best practices.

The typical security issues a Java developer deals with on a day-to-day basis are covered and very well explained. This will allow a team to develop secure applications from the word ‘go’ rather than having security bolted on after the security assessment of the finished application.

I would definitely advise each J2EE development team to at least have one copy of this book in its library (and have all team members be familiar with the content). This book is a must have if you are involved in any security testing in a Java/J2EE architecture environment.

Henk Coetzee