There have been a number of tool releases featured on TheServerSide.com lately that may be helpful for developers building security into applications.
The first is iScreen – a Java object validation framework. iScreen allows you to centrally create a definition of what values are “valid” for object properties and then programmatically enforce that standard. This can be helpful in avoiding security bugs that are based on an attacker’s ability to put your application objects in an incorrect or inconsistent state.
Next up is Jasypt – a library to help simplify the use of encryption in Java software. The really exciting aspect of this is that it integrates with Hibernate to make application data encryption transparent. Encrypting data while at rest is crucial for providing software security defense in depth. I have been thinking for a while that having a transparent encryption layer for Hibernate would be a Good Idea. Bravo to the Jasypt team for actually doing something about it.
Finally there was a release about the HTTP Data Integrity Validator (hdiv) – a set of extensions to the Struts framework that help prevent a number of parameter tampering attacks. It records the “state” of a page when it is rendered and checks the subsequent request to make sure that the parameters it carries are valid given the context of the originally rendered page. This can help to foil certain parameter tampering and forceful browsing attacks. It can maintain this state either client side (kind of like ASP.NET ViewState) or on the server side. They have pretty extensive documentation of how the internals work as well as a very cool paper outlining some performance benchmarks.
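To make the render-then-validate cycle concrete, here is an added example of the server-side variant of that idea. It is my own model of the mechanism, not hdiv's code: the `PageStateValidator` class, its `register_render`/`validate_request` methods and the sample order-page parameters are all constructed for illustration.

```python
import secrets


class PageStateValidator:
    """Server-side page-state store modelled on the hdiv idea (not hdiv's code).

    At render time each page is registered with the parameters it emits:
    'fixed' parameters (hidden fields, link parameters) must come back
    unchanged, 'editable' ones are user-typed fields whose values are free-form.
    """

    def __init__(self):
        self._states = {}

    def register_render(self, fixed, editable):
        """Record the parameters of a rendered page; return an opaque state id
        that the page carries back (e.g. as a hidden field) on its next request."""
        state_id = secrets.token_urlsafe(16)
        self._states[state_id] = {"fixed": dict(fixed), "editable": set(editable)}
        return state_id

    def validate_request(self, state_id, params):
        """Return (ok, reason). Reject unknown state ids, parameter names the
        page never rendered, fixed parameters whose values were altered, and
        fixed parameters that were dropped from the request."""
        state = self._states.get(state_id)
        if state is None:
            return False, "unknown or expired state id"
        fixed, editable = state["fixed"], state["editable"]
        for name, value in params.items():
            if name in fixed:
                if value != fixed[name]:
                    return False, f"tampered fixed parameter: {name}"
            elif name not in editable:
                return False, f"unexpected parameter: {name}"
        missing = set(fixed) - set(params)
        if missing:
            return False, f"missing fixed parameter(s): {sorted(missing)}"
        return True, "ok"


def demo():
    """Constructed sample: an order page rendered for account 42 with a comment box."""
    v = PageStateValidator()
    sid = v.register_render(fixed={"account": "42", "action": "view"}, editable=["comment"])
    legit = v.validate_request(sid, {"account": "42", "action": "view", "comment": "hi"})
    tampered = v.validate_request(sid, {"account": "43", "action": "view", "comment": "hi"})
    forced = v.validate_request(sid, {"account": "42", "action": "delete", "admin": "1"})
    return legit, tampered, forced
```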
These tools are pretty new – Jasypt and hdiv were just released and iScreen was first released in August of 2006 – but they address some interesting areas in the realm of software security. Hopefully over the next week or two I will have some time to do more in-depth work with the tools and will be able to report back on my experiences.
dan _at_ denimgroup.com