Awesome
<br/> <div align="center">A curated list of awesome Java security-related resources.
List inspired by the awesome list thing.
Supported by: GuardRails.io
</div> <br/>Contents
Tools
Web Framework Hardening
- Apache Shiro - A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
- JJWT - Java JWT: JSON Web Token for Java and Android.
- OWASP ESAPI Java - Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
- PAC4J - Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
- Spring Security - A powerful and highly customizable authentication and access-control framework.
- Spring Security Oauth - Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
Multi tools
- hawkeye - Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and Java.
- GuardRails - A GitHub App that gives you instant security feedback in your Pull Requests.
Static Code Analysis
- Spotbugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
- Find Security Bugs - SpotBugs plugin for security audits of Java web applications and Android applications.
- Detect Secrets - An enterprise friendly way of detecting and preventing secrets in code.
- Gitrob - Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.
- Sonarqube - SonarQube provides the capability to show the health of an application and highlight newly introduced issues.
- Oversecured - A static analyzer for Android apps (APK files), searches for security vulnerabilities. Contains 90+ vulnerability categories.
- Bearer - A static code security analyzer to discover, filter and prioritize security and privacy risks.
Runtime Analysis
- Code Pulse - Code Pulse is a real-time code coverage tool for penetration testing activities.
- OWASP ZAP - Helps automatically find security vulnerabilities in your web applications.
- Contrast Community Edition - Free runtime protection and vulnerability detection tool, identifying issues in running applications.
Vulnerabilities and Security Advisories
- OWASP Dependency-Check - Detects publicly disclosed vulnerabilities in application dependencies.
- Snyk - CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies.
- Snyk Vulnerability DB - Commercial but free listing of known vulnerabilities in libraries.
- Common Vulnerabilities and Exposures - Vulnerabilities that were assigned a CVE. Covers the language and packages.
- National Vulnerability Database - Java known vulnerabilities in the National Vulnerability Database.
- Contrast Community Edition - Free tool to locate CVEs and outdated dependencies in libraries.
Cryptography
- Bouncy Castle - Java implementation of cryptographic algorithms.
- Conscrypt - Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension.
- Cryptomator - Multi-platform transparent client-side encryption of your files in the cloud.
- Keyczar - Easy-to-use crypto toolkit by Google.
- Keywhiz - System for distributing and managing secrets.
- Tink - Multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
- ACME4J - Java ACME client for issuing X.509 certificates using Let's Encrypt or another ACME based CA.
Educational
Hacking Playground
- BodgeIt Store - A vulnerable web application aimed at people who are new to pen testing.
- OWASP Benchmark - A Java test suite designed to verify the speed and accuracy of vulnerability detection tools.
- Security Shepherd - Web and mobile application security training platform.
- WebGoat - A deliberately insecure Java Web Application.
Articles, Guides & Talks
- Java Platform, Standard Edition Security Developer’s Guide - This guide covers major Java Standard Edition security components: Java Cryptography Architecture (JCA), Java Authentication and Authorization Service (JAAS) and Java Secure Socket Extensions (JSSE)
- Application Security Verification Standard - (PDF) The standard is a list of application security requirements that can be used by developers.
- Spring Security CSRF - A Guide to CSRF Protection in Spring Security.
- Secure Coding Guidelines - Secure Coding Guidelines for Java SE
- Securing a Web Application - This guide walks you through the process of creating a simple web application with resources that are protected by Spring Security.
- Spring Security Guides - Step by step guides on how to use Spring Security.
- Prevent cross-site scripting (XSS) attacks - This article explains how XSS attacks work and suggests a methodology to block XSS attacks.
- Java Security Resource Center - A collection of security details for different users of the Java Platform.
Practices
- Encrypting with SSL/TLS Step by step guide for encrypting client and server communication
Specifications
- JSR 115: Java Authorization Contract for Containers
- JSR 196: Java Authentication Service Provider Interface for Containers
- JSR 375: Java EE Security API
Other
Reporting Bugs
Contributing
Found an awesome project, package, article, or another type of resources related to Java Security? Open a pull request! Just follow the guidelines. Thank you!