Implementing parameterised dynamic statements is of particular interest to me.
Does anyone know how I can achieve parameterised dynamic statements with Hibernate?

Many thanks to Wes for the advice on hardening Tomcat.

Martin Gainty
______________________________________________
Please do not modify or disrupt this transmission. Thank You

> Date: Mon, 22 Mar 2010 17:01:22 -0400
> Subject: Re: About bank application using Struts 2
> From: w...@wantii.com
> To: user@struts.apache.org
>
> There are quite a few good books about general security practices for
> software development...
>
> There used to be a library that you can use to help secure your web-app
>
> ...looking...
>
> http://www.hdiv.org/
>
> They used to support an s2 plugin, but I'm not sure which version it
> works with.
>
> In general, you want to treat security as something you approach in
> layers. Obviously, you want to encrypt communications that might
> expose sensitive information (apply SSL), and you want to utilize an
> authentication and authorization mechanism (spring-security). After
> that, you want to treat all user input as unsafe/tainted (escape
> before displaying to other users, use parameterized SQL statements
> rather than constructing strings of SQL) and make sure that you pay
> close attention that you try not to put sensitive data on the URL
> string (using form method="GET" for form-based authentication).
>
> In addition, it may not hurt and would probably be worth the money to
> involve a security professional to perform audits or to participate in
> code reviews. There are new attack mechanisms that crop up all the
> time, and a lot of times security pros can point out things that you
> didn't know were potential problems.
>
> Lastly, make sure you secure your application server... There is a
> guide to hardening Tomcat here -
>
> http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.servers.web.apache
>
> If you are not using Tomcat, make sure you know enough about your
> application server that you don't open up attack vectors at the
> server.
>
> -Wes
>
> On Mon, Mar 22, 2010 at 4:28 PM, Oscar <oscar.kalde...@gmail.com> wrote:
> > Hi to all, right now I'm going to develop something like a bank application to
> > enable users to manage their accounts, transfer money, pay services and so
> > on, and really I have no experience developing applications like that (where
> > security is reeeeeally important), so I don't know if there exists some book about
> > critical application development with Struts 2, or if you can give me some tips
> > to develop a secure application, also tips about Struts and SSL, or if you
> > know internet resources that talk about that.
> >
> > Thanks in advance.
> >
> > --
> > Oscar
>
> --
> Wes Wannemacher
> Head Engineer, WanTii, Inc.
> Need Training? Struts, Spring, Maven, Tomcat...
> Ask me for a quote!
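An added example, written for this page and not code from Martin, Wes or the Hibernate project, of what Wes calls "parameterized statements" applied to the dynamic case Martin asks about: the WHERE clause is assembled at runtime from whichever filters the caller actually supplied, but every user value is bound through a named parameter rather than concatenated into the HQL text. It assumes Hibernate 5.2 or later (`org.hibernate.query.Query`, `Session.createQuery(String, Class)`), Java 8, and a mapped `Account` entity with `ownerId`, `status`, `balance` and `openedOn` properties; the entity class and session setup are not shown, and the injection string in the comment is a constructed illustration.

```java
import java.math.BigDecimal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.hibernate.Session;
import org.hibernate.query.Query;

/**
 * Dynamic account search. Assumes a mapped entity "Account" with the
 * properties ownerId (String), status (String), balance (BigDecimal) and
 * openedOn (a date); the entity class itself is not part of this example.
 */
public class AccountSearch {

    /**
     * UNSAFE (shown for contrast): the filter is built by concatenating the
     * user-supplied values into the HQL text. A constructed ownerId such as
     *   x' or '1'='1
     * turns the statement into "... a.ownerId = 'x' or '1'='1'" and lists
     * every account in the table.
     */
    public static String buildUnsafeHql(String ownerId, String status) {
        StringBuilder hql = new StringBuilder("from Account a where 1=1");
        if (ownerId != null) hql.append(" and a.ownerId = '").append(ownerId).append("'");
        if (status != null)  hql.append(" and a.status = '").append(status).append("'");
        return hql.toString();
    }

    /** HQL text plus the values to bind to its named parameters. */
    public static final class DynamicQuery {
        public final String hql;
        public final Map<String, Object> params;
        DynamicQuery(String hql, Map<String, Object> params) {
            this.hql = hql;
            this.params = params;
        }
    }

    // Identifiers (property names, sort direction) cannot be bound as
    // parameters, so the only safe way to make them dynamic is a fixed whitelist.
    private static final Set<String> SORTABLE = new HashSet<>(Arrays.asList("balance", "openedOn"));

    /**
     * SAFE: the statement is still assembled dynamically (a clause is added
     * only when the caller supplied that filter), but every user value is
     * referenced by a named parameter and bound separately, so the HQL
     * parser never sees the value as part of the statement.
     */
    public static DynamicQuery buildSafeHql(String ownerId, String status,
                                            BigDecimal minBalance, String sortBy) {
        List<String> clauses = new ArrayList<>();
        Map<String, Object> params = new LinkedHashMap<>();
        if (ownerId != null) {
            clauses.add("a.ownerId = :ownerId");
            params.put("ownerId", ownerId);
        }
        if (status != null) {
            clauses.add("a.status = :status");
            params.put("status", status);
        }
        if (minBalance != null) {
            clauses.add("a.balance >= :minBalance");
            params.put("minBalance", minBalance);
        }
        StringBuilder hql = new StringBuilder("from Account a");
        if (!clauses.isEmpty()) {
            hql.append(" where ").append(String.join(" and ", clauses));
        }
        if (sortBy != null) {
            if (!SORTABLE.contains(sortBy)) {
                // Reject rather than interpolate: an unexpected identifier is an attack or a bug.
                throw new IllegalArgumentException("unsupported sort column");
            }
            hql.append(" order by a.").append(sortBy);
        }
        return new DynamicQuery(hql.toString(), params);
    }

    /** Runs the safe query against an open Hibernate session. */
    public static List<Account> find(Session session, String ownerId, String status,
                                     BigDecimal minBalance, String sortBy) {
        DynamicQuery dq = buildSafeHql(ownerId, status, minBalance, sortBy);
        Query<Account> query = session.createQuery(dq.hql, Account.class);
        dq.params.forEach((name, value) -> query.setParameter(name, value));
        return query.getResultList();
    }
}
```

The point of separating `buildSafeHql` from `find` is that the text/parameter split can be unit-tested without a database: for `buildSafeHql("x' or '1'='1", null, null, null)` the HQL is exactly `from Account a where a.ownerId = :ownerId` and the hostile string only ever appears as a bound value. The same guarantee is available with the JPA Criteria API (`CriteriaBuilder`/`Predicate` lists), which avoids string assembly entirely; whichever you use, the one thing neither can parameterise is an identifier, hence the whitelist for the sort column.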