Awesome

A curated list of awesome Java security-related resources.

List inspired by the awesome list thing.

Supported by: GuardRails.io

Contents

• Tools
• Educational
• Other

Tools

Web Framework Hardening

• Apache Shiro - A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
• JJWT - Java JWT: JSON Web Token for Java and Android.
• OWASP ESAPI Java - Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
• PAC4J - Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
• Spring Security - A powerful and highly customizable authentication and access-control framework.
• Spring Security Oauth - Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.

Multi tools

• hawkeye - Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and Java.
• GuardRails - A GitHub App that gives you instant security feedback in your Pull Requests.

Static Code Analysis

• Spotbugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
• Find Security Bugs - SpotBugs plugin for security audits of Java web applications and Android applications.
• Detect Secrets - An enterprise friendly way of detecting and preventing secrets in code.
• Gitrob - Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.
• Sonarqube - SonarQube provides the capability to show the health of an application and highlight newly introduced issues.
• Oversecured - A static analyzer for Android apps (APK files), searches for security vulnerabilities. Contains 90+ vulnerability categories.
• Bearer - A static code security analyzer to discover, filter and prioritize security and privacy risks.

Runtime Analysis

• Code Pulse - Code Pulse is a real-time code coverage tool for penetration testing activities.
• OWASP ZAP - Helps automatically find security vulnerabilities in your web applications.
• Contrast Community Edition - Free runtime protection and vulnerability detection tool, identifying issues in running applications.

Vulnerabilities and Security Advisories

• OWASP Dependency-Check - Detects publicly disclosed vulnerabilities in application dependencies.
• Snyk - CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies.
• Snyk Vulnerability DB - Commercial but free listing of known vulnerabilities in libraries.
• Common Vulnerabilities and Exposures - Vulnerabilities that were assigned a CVE. Covers the language and packages.
• National Vulnerability Database - Java known vulnerabilities in the National Vulnerability Database.
• Contrast Community Edition - Free tool to locate CVEs and outdated dependencies in libraries.

Cryptography

• Bouncy Castle - Java implementation of cryptographic algorithms.
• Conscrypt - Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension.
• Cryptomator - Multi-platform transparent client-side encryption of your files in the cloud.
• Keyczar - Easy-to-use crypto toolkit by Google.
• Keywhiz - System for distributing and managing secrets.
• Tink - Multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
• ACME4J - Java ACME client for issuing X.509 certificates using Let's Encrypt or another ACME based CA.

Educational

Hacking Playground

• BodgeIt Store - A vulnerable web application aimed at people who are new to pen testing.
• OWASP Benchmark - A Java test suite designed to verify the speed and accuracy of vulnerability detection tools.
• Security Shepherd - Web and mobile application security training platform.
• WebGoat - A deliberately insecure Java Web Application.

Articles, Guides & Talks

• Java Platform, Standard Edition Security Developer’s Guide - This guide covers major Java Standard Edition security components: Java Cryptography Architecture (JCA), Java Authentication and Authorization Service (JAAS) and Java Secure Socket Extensions (JSSE)
• Application Security Verification Standard - (PDF) The standard is a list of application security requirements that can be used by developers.
• Spring Security CSRF - A Guide to CSRF Protection in Spring Security.
• Secure Coding Guidelines - Secure Coding Guidelines for Java SE
• Securing a Web Application - This guide walks you through the process of creating a simple web application with resources that are protected by Spring Security.
• Spring Security Guides - Step by step guides on how to use Spring Security.
• Prevent cross-site scripting (XSS) attacks - This article explains how XSS attacks work and suggests a methodology to block XSS attacks.
• Java Security Resource Center - A collection of security details for different users of the Java Platform.

Practices

• Encrypting with SSL/TLS Step by step guide for encrypting client and server communication

Specifications

• JSR 115: Java Authorization Contract for Containers
• JSR 196: Java Authentication Service Provider Interface for Containers
• JSR 375: Java EE Security API

Other

Reporting Bugs

• Java Security Reporting

Contributing

Found an awesome project, package, article, or another type of resources related to Java Security? Open a pull request! Just follow the guidelines. Thank you!

License