Thanks for the tips Wes, unfortunately we can't use Spring because of the time, but I'm going to read about SSL in Struts and security in the server (Glassfish in my case).

For Martin, doesn't Hibernate handle parameterized statements by default?

2010/3/22 Martin Gainty <mgai...@hotmail.com>

> implementing parameterised dynamic statements are of particular interest to me..
>
> does anyone know how I can achieve parameterised dynamic statements with hibernate??
>
> Many Thanks to Wes for the advice on hardening Tomcat
> Martin Gainty
> ______________________________________________
> Please do not modify or disrupt this transmission. Thank You
>
>
> > Date: Mon, 22 Mar 2010 17:01:22 -0400
> > Subject: Re: About bank application using Struts 2
> > From: w...@wantii.com
> > To: user@struts.apache.org
> >
> > There are quite a few good books about general security practices for software development...
> >
> > There used to be a library that you can use to help secure your web-app
> >
> > ...looking...
> >
> > http://www.hdiv.org/
> >
> > They used to support an s2 plugin, but I'm not sure which version it works with.
> >
> > In general, you want to treat security as something you approach in layers. Obviously, you want to encrypt communications that might expose sensitive information (apply ssl), and you want to utilize an authentication and authorization mechanism (spring-security). After that, you want to treat all user input as unsafe/tainted (escape before displaying to other users, use parameterized sql statements rather than constructing strings of sql) and make sure that you pay close attention that you try not to put sensitive data on the URL string (using form method="GET" for form-based authentication).
> >
> > In addition, it may not hurt and would probably be worth the money to involve a security professional to perform audits or to participate in code reviews. There are new attack mechanisms that crop up all the time and a lot of times security pros can point out things that you didn't know were potential problems.
> >
> > Lastly, make sure you secure your application server... There is a guide to hardening Tomcat here -
> >
> > http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.servers.web.apache
> >
> > If you are not using tomcat, make sure you know enough about your application server that you don't open up attack vectors at the server.
> >
> > -Wes
> >
> > On Mon, Mar 22, 2010 at 4:28 PM, Oscar <oscar.kalde...@gmail.com> wrote:
> > > Hi to all, right now I'm going to develop something like a bank application to enable users to manage their accounts, transfer money, pay services and so on, and really I have no experience developing applications like that (where security is reeeeeally important) so I don't know if there is some book about critical applications development with struts 2 or you can give me some tips to develop a secure application, also tips about struts and ssl, or if you know internet resources that talk about that.
> > >
> > > Thanks in advance.
> > >
> > > --
> > > Oscar
> >
> > --
> > Wes Wannemacher
> >
> > Head Engineer, WanTii, Inc.
> > Need Training? Struts, Spring, Maven, Tomcat...
> > Ask me for a quote!

--
Oscar
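Wes's advice to use parameterized SQL rather than string-built SQL, and Martin's and Oscar's question about how Hibernate handles this, illustrated with an added example that is not part of the thread: the string-built HQL beside its bound-parameter forms in Hibernate 3.x, where both the `Query` named parameters and the `Criteria` API bind values as JDBC parameters. The `Account` entity and its `ownerId` and `status` properties are assumed for illustration.

```java
// Added example (not from the thread). Assumes a hypothetical mapped
// entity Account with String properties ownerId and status.
import java.util.List;
import org.hibernate.Criteria;
import org.hibernate.Query;
import org.hibernate.Session;
import org.hibernate.criterion.Restrictions;

@SuppressWarnings("unchecked") // Hibernate 3 list() returns a raw List
public class AccountDao {

    // VULNERABLE: the user-supplied value is pasted into the HQL text, so a
    // value containing a quote changes the statement itself (HQL injection).
    public List<Account> findUnsafe(Session session, String ownerId) {
        String hql = "from Account a where a.ownerId = '" + ownerId + "'";
        return session.createQuery(hql).list();
    }

    // SAFE: the named parameter is sent as a JDBC bind variable; the value
    // can never alter the structure of the statement.
    public List<Account> findByOwner(Session session, String ownerId) {
        Query q = session.createQuery("from Account a where a.ownerId = :owner");
        q.setParameter("owner", ownerId);
        return q.list();
    }

    // SAFE and dynamic: optional filters are composed with the Criteria API,
    // which also binds every value as a parameter, so the "parameterised
    // dynamic statement" asked about in the thread needs no string building.
    public List<Account> search(Session session, String ownerId, String status) {
        Criteria c = session.createCriteria(Account.class);
        if (ownerId != null) {
            c.add(Restrictions.eq("ownerId", ownerId));
        }
        if (status != null) {
            c.add(Restrictions.eq("status", status));
        }
        return c.list();
    }
}
```

Enabling `hibernate.show_sql` while testing makes the difference visible: the safe methods log `?` placeholders, while `findUnsafe` logs the user's text inside the statement.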