Tips to power-up your Java security
- Protect against SQL injection by binding variables in prepared statements: build the query with prepareStatement() and pass user input as parameters, so it is never concatenated into the SQL text.
- Returning mutable objects leaves you vulnerable to unexpected changes in your class state. Instead, use an unmodifiable/immutable collection or a copy of a mutable object to return.
- Avoid including XSS characters in log messages. Manually sanitize each parameter and configure your logger service to replace such characters.
- Always validate user input, especially when dealing with files whose location might be specified by user input.
- Replace predictable random values (java.util.Random, seeded from clock ticks or other guessable parameters) with java.security.SecureRandom for anything security-sensitive.
- Eliminate dynamic class loading.
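As an added example that is not part of the original post, here is the string-concatenated query beside the prepared-statement version the first tip describes, plus a read-only return for the second tip; the `UserRepository` class, the `users` table and its `name` column are assumed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Assumed class for illustration; the table and column names are constructed.
public class UserRepository {
    private final Connection conn;
    private final List<String> recentLookups = new ArrayList<>();

    public UserRepository(Connection conn) { this.conn = conn; }

    // VULNERABLE: the user-supplied name is concatenated into the SQL text,
    // so the input becomes part of the query's syntax (an injection point).
    public boolean existsUnsafe(String username) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // HARDENED: the query text is fixed; the input is bound as a parameter,
    // so whatever it contains is treated as data, never as SQL syntax.
    public boolean exists(String username) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                recentLookups.add(username);
                return rs.next();
            }
        }
    }

    // Return a read-only view so callers cannot mutate internal state
    // (the second tip): adding to or clearing this list throws.
    public List<String> getRecentLookups() {
        return Collections.unmodifiableList(recentLookups);
    }
}
```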