Best practices for Java web application security

Lilli Salo
Lilli Salo
On Apr 30, 2024 3:37:12 PM

Java is platform-independent, robust, and scalable – and it’s widely used across business and enterprise. But is Java secure? 

At Vaadin, we know that Java is secure by design, but we also know that, just like any other component of the secure development process, security comes down to how Java is implemented. 

Web application security matters because web apps are, by nature, exposed to the outside world. Insecure apps can lead to catastrophic breaches. 

For example, in 2017, the personal financial data of 148 million Americans was compromised because the attacker penetrated a credit bureau's system through unpatched vulnerable code in a consumer complaints web portal.

So, in this article, we examine why Java is inherently secure but also discuss a few best practice points that companies should consider when developing Java web applications.

Developers hands coding on a laptop's keyboard.

First and foremost: why is Java secure?

Every programming language functions differently, with pros, cons, quirks, and flaws. Java is no different, but it does have the distinction that the way it works means that programmers are less likely to write application code containing obvious mistakes that later turn into application security flaws.

For example, Java automatically checks the boundaries of arrays, which means that a security flaw such as a buffer overflow is impossible to exploit in Java. 

Similarly, Java’s memory management uses automatic garbage collection to reclaim memory no longer used by the application, reducing the risk of memory leaks and limiting security vulnerabilities associated with memory management.

Java imposes strong type checking and exception handling, which can help catch programming errors during compilation and runtime (and the associated vulnerabilities). It also lacks direct pointer access – something that you’ll find in C and C++ – which can be a source of vulnerabilities.

Finally, some argue that Java’s use of the JVM (Java Virtual Machine) is its biggest security advantage. The JVM Security Manager enforces security policies and rules that block unauthorized code from running. The JVM also implies a “sandbox” model, isolating the Java code so that it doesn’t interact with the underlying OS.

Understanding Java web application security vulnerabilities

So, programming in Java is intrinsically quite secure. But you’re likely using Java code within a much wider environment—that’s certainly the case if you’re developing a Java web app. 

For that reason, the security of a Java app always comes down to the finer details around implementation best practice. Where do the risks lie? Vulnerabilities worth looking out for include:

  1. Cross-site scripting (XSS): Attackers can insert malicious scripts right into a website’s database (think of a comment in a forum post, for example). When other users view the content, the script executes the user side in the browser, which can lead to the theft of cookies, session data, etc.
  2. Data exposure: Insufficient encryption throughout the app can mean that passwords, credit card numbers, and other sensitive data are exposed. Likewise, hardcoded credentials inside code can be exposed if an attacker gains access to a server.
  3. SQL injection: If a web app fails to sanitize user input, attackers can insert malicious SQL statements into database queries, gaining access to data or injecting arbitrary code for execution on the server.
  4. Insufficient access control: Failing to restrict URL access can mean that unauthorized users access protected resources simply by guessing a URL, while if a web app directly exposes internal object identifiers, attackers can gain access to data they shouldn’t be able to reach.
  5. Outdated, vulnerable components: Attackers can target Java web apps that use outdated third-party frameworks, the Log4j vulnerabilities being a prime example. 

The usual array of security malpractice also causes risks – lack of strong passwords, no use of MFA, and reliance on default settings. Revealing too much information in error messages sent to users is also a danger.

Bar chart showing the top motivators for application modernization.The 2023 State of Java in the Enterprise Report identified maintainability and security concerns as the main drivers for modernization.

Security best practices for Java web applications

Again, the pertinent factor is that Java is executed in the context of a wider environment. Many Java web app security risks can be corrected simply by good practice – good practice that also applies to web apps in the broad.

For example, a simple vulnerability in Twitter’s web app allowed a hacker to enter the company’s systems and compromise user credentials. It most likely wouldn’t have happened if Twitter had consistently applied good practice. If you’re developing Java web apps, we recommend the following specific good practice steps:

1. Input validation

Sanitize and validate all user-generated content to prevent attackers from injecting malicious scripts into web pages, and thoroughly validate and sanitize all user input before using it in the application. Doing so prevents attacks like SQL injection and cross-site scripting (XSS). 

When interacting with databases, use parameterized queries or prepared statements instead of concatenating user input directly into SQL statements. 

2. Regularly update dependencies 

Keep third-party libraries updated and use only reputable and well-maintained libraries. Even then, use third-party libraries judiciously, because all frameworks introduce potential vulnerabilities. 

At all times, remain aware of the entire software supply chain, including maintaining a software bill of materials (SBOM) so you know what to update.

Stay up to date on security patches for your frameworks, libraries, and the Java runtime itself, and have a process to apply these quickly. Even when using a trusted framework, make sure you update it – for example, just as NPR migrated from Vaadin 8 to 14 for enhanced security

Regularly update the Java Development Kit (JDK) and Java Runtime Environment (JRE) to the latest versions and apply security patches promptly. This helps address known vulnerabilities. 

3. Authentication and authorization

Use robust authentication mechanisms like multi-factor authentication (MFA) or OAuth to ensure that only authorized users can access sensitive functionalities or data.

Credentials can be compromised nonetheless, so use role-based access control (RBAC) to define roles and permissions for users within the application to prevent attackers from traversing. Restrict access to certain functionalities or data based on user roles to minimize the risk of unauthorized access. 

Employ secure session management techniques, such as using secure cookies with HttpOnly and Secure flags, to prevent session hijacking and session fixation attacks. Set appropriate security headers in the application's responses, such as Content Security Policy (CSP), X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options.

Screenshot of a UI View in NPR's ContentDepot.

NPR's Content Depot was upgraded from Vaadin 8 to Vaadin 14 to ensure ongoing security patches.

Build secure Java enterprise applications with Vaadin

As always, the aim is to shift security left, identifying and preventing more risks at the development stage and discovering as few flaws as possible at the deployment or run stage. It saves time, money, and your reputation. 

Vaadin helps you get it right from the outset in a couple of ways. First, Vaadin Flow is intrinsically secure due to its server-centric architecture. Your application's core logic, state management, and UI reside securely on the server, with data transmitted across a robust secure connection. This differs from client-heavy frameworks because it reduces the exposure of sensitive code to potential browser-based attacks.

Next, Vaadin Flow supports various popular Java security frameworks (Spring Security, JAAS, Apache Shiro, and more), while its built-in security helpers provide exceptional convenience and robust protection when used alongside Spring Security.  This approach accelerates your security implementation while minimizing the risk of common security pitfalls.

We also provide Vaadin users with an AppSec Kit, which is a great tool for monitoring an application’s dependencies for any vulnerabilities. The AppSec Kit provides actionable reports and helps you build an SBOM.

Secure by design, integrating common security frameworks, and helping you get security tasks done faster. Vaadin will support your best practice efforts to help you build Java-based web apps that are toughened against even the most hardened cyber criminals.

Discover how NPR enhanced security by migrating from Vaadin 8 to 14.

Lilli Salo
Lilli Salo
Lilli joined Vaadin in 2021 after delivering content for various international SaaS startups. She enjoys the creative challenge of transforming complicated topics into clear and concise written material that provide value to the reader.
Other posts by Lilli Salo