There are quite a few good books about general security practices for software development...

There used to be a library that you can use to help secure your web-app ...looking... http://www.hdiv.org/ They used to support an s2 plugin, but I'm not sure which version it works with.

In general, you want to treat security as something you approach in layers. Obviously, you want to encrypt communications that might expose sensitive information (apply SSL), and you want to utilize an authentication and authorization mechanism (spring-security). After that, you want to treat all user input as unsafe/tainted (escape before displaying to other users, use parameterized SQL statements rather than constructing strings of SQL) and make sure that you pay close attention that you try not to put sensitive data on the URL string (using form method="GET" for form-based authentication).

In addition, it may not hurt and would probably be worth the money to involve a security professional to perform audits or to participate in code reviews. There are new attack mechanisms that crop up all the time, and a lot of times security pros can point out things that you didn't know were potential problems.

Lastly, make sure you secure your application server... There is a guide to hardening Tomcat here - http://cisecurity.org/en-us/?route=downloads.browse.category.benchmarks.servers.web.apache If you are not using Tomcat, make sure you know enough about your application server that you don't open up attack vectors at the server.

-Wes

On Mon, Mar 22, 2010 at 4:28 PM, Oscar <oscar.kalde...@gmail.com> wrote:
> Hi to all, right now I'm going to develop something like a bank application to
> enable users to manage their accounts, transfer money, pay services and so
> on, and really I have no experience developing applications like that (where
> security is reeeeeally important), so I don't know if there is some book about
> critical applications development with Struts 2, or if you can give me some tips
> to develop a secure application, also tips about Struts and SSL, or if you
> know internet resources that talk about that.
>
> Thanks in advance.
>
> --
> Oscar

--
Wes Wannemacher
Head Engineer, WanTii, Inc.
Need Training? Struts, Spring, Maven, Tomcat...
Ask me for a quote!
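As an added illustration of the "treat all user input as tainted" advice in Wes's reply (example code written for this note, not code from the thread, from Struts or from hdiv): a hypothetical account lookup for the kind of bank application Oscar describes, showing the string-built query beside the parameterized one, plus the escaping step for any user-supplied value echoed back into HTML. The `accounts` table, the supplied JDBC `Connection` and the class name are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Hypothetical account lookup; table and column names are assumed for the example. */
public class AccountLookup {

    // VULNERABLE: the account number typed by the user is pasted into the SQL text.
    // A value containing a quote changes the structure of the query instead of
    // being treated as data, which is why this form must not reach production.
    static String unsafeBalanceSql(String accountNo) {
        return "SELECT balance FROM accounts WHERE account_no = '" + accountNo + "'";
    }

    // SAFE: the value is bound as a parameter; the JDBC driver never parses it as SQL.
    static long balanceFor(Connection conn, String accountNo) throws SQLException {
        String sql = "SELECT balance FROM accounts WHERE account_no = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, accountNo);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    throw new SQLException("no such account");
                }
                return rs.getLong("balance");
            }
        }
    }

    // Escape before rendering a user-supplied value into HTML. Struts 2 tags such as
    // <s:property> escape by default; this is the step you need when you build
    // markup yourself (e.g. in a custom result or a servlet).
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String tainted = "123' OR '1'='1";              // constructed sample input
        System.out.println(unsafeBalanceSql(tainted));  // query structure is now input-controlled
        System.out.println(escapeHtml("<b>Oscar</b>")); // renders literally, not as markup
    }
}
```

The `main` method only demonstrates the broken query text and the escaping; `balanceFor` needs a real `Connection` from whatever JDBC driver and `DataSource` the application uses.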