├── CONTRIBUTING.MD
├── README.md
└── code-of-conduct.md

/CONTRIBUTING.MD:
--------------------------------------------------------------------------------
# Contribution Guidelines

1. Read and adhere to the [Code-of-Conduct](./code-of-conduct.md).
2. Make sure you put things in the right category!
3. Always add your items to the end of a list. To be fair, the order is first-come-first-serve.
4. If you think something belongs in the wrong category, or think there needs to be a new category, feel free to edit things too.

Please ensure your pull request adheres to the following guidelines:

- Search previous suggestions before making a new one, as yours may be a duplicate.
- Suggested resources should be high quality or stand out in some way.
- Make an individual pull request for each suggestion.
- New categories, or improvements to the existing categorization are welcome.
- Keep descriptions short and simple, but descriptive.
- Start the description with a capital and end with a full stop/period.
- Check your spelling and grammar.
- Make sure your text editor is set to remove trailing whitespace.

Thank you for your suggestions!
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
A curated list of awesome Java security-related resources.

[![Awesome](https://awesome.re/badge.svg)](https://awesome.re)

_List inspired by the [awesome](https://github.com/sindresorhus/awesome) list thing._

Supported by: [GuardRails.io](https://www.guardrails.io)
# Contents

- [Tools](#tools)
- [Educational](#educational)
- [Other](#other)

# Tools

## Web Framework Hardening

- [Apache Shiro](https://shiro.apache.org/) - A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
- [JJWT](https://github.com/jwtk/jjwt) - Java JWT: JSON Web Token for Java and Android.
- [OWASP ESAPI Java](https://github.com/ESAPI/esapi-java-legacy) - Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
- [PAC4J](https://github.com/pac4j/pac4j) - Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
- [Spring Security](https://github.com/spring-projects/spring-security) - A powerful and highly customizable authentication and access-control framework.
- [Spring Security OAuth](https://github.com/spring-projects/spring-security-oauth) - Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications. The project has reached end of life; for new applications use the OAuth2 support built into Spring Security itself.

## Multi tools

- [hawkeye](https://github.com/hawkeyesec/scanner-cli) - Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and Java.
- [GuardRails](https://github.com/apps/guardrails) - A GitHub App that gives you instant security feedback in your Pull Requests.

## Static Code Analysis

- [Spotbugs](https://github.com/spotbugs/spotbugs) - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
- [Find Security Bugs](https://github.com/find-sec-bugs/find-sec-bugs/) - SpotBugs plugin for security audits of Java web applications and Android applications.
- [Detect Secrets](https://libraries.io/pypi/detect-secrets) - An enterprise friendly way of detecting and preventing secrets in code.
- [Gitrob](https://github.com/michenriksen/gitrob) - Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.
- [Sonarqube](https://github.com/SonarSource/sonarqube) - SonarQube provides the capability to show the health of an application and highlight newly introduced issues.
- [Oversecured](https://oversecured.com/) - A static analyzer for Android apps (APK files), searches for security vulnerabilities. Contains 90+ vulnerability categories.
- [Bearer](https://github.com/Bearer/bearer) - A static code security analyzer to discover, filter and prioritize security and privacy risks.

## Runtime Analysis

- [Code Pulse](https://github.com/codedx/codepulse) - Code Pulse is a real-time code coverage tool for penetration testing activities.
- [OWASP ZAP](https://github.com/zaproxy/zaproxy) - Helps automatically find security vulnerabilities in your web applications.
- [Contrast Community Edition](https://www.contrastsecurity.com/contrast-community-edition) - Free runtime protection and vulnerability detection tool, identifying issues in running applications.

## Vulnerabilities and Security Advisories

- [OWASP Dependency-Check](https://github.com/jeremylong/DependencyCheck) - Detects publicly disclosed vulnerabilities in application dependencies.
- [Snyk](https://github.com/snyk/snyk) - CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies.
- [Snyk Vulnerability DB](https://snyk.io/vuln?type=maven) - Commercial but free listing of known vulnerabilities in libraries.
- [Common Vulnerabilities and Exposures](https://www.cvedetails.com/product/19117/Oracle-JRE.html?vendor_id=93) - Vulnerabilities that were assigned a CVE, as listed on CVE Details for the Oracle JRE. Covers the language runtime and its packages.
- [National Vulnerability Database](https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=java&search_type=all) - Java known vulnerabilities in the National Vulnerability Database.
- [Contrast Community Edition](https://www.contrastsecurity.com/contrast-community-edition) - Free tool to locate CVEs and outdated dependencies in libraries.

## Cryptography

- [Bouncy Castle](https://www.bouncycastle.org/java.html) - Java implementation of cryptographic algorithms.
- [Conscrypt](https://github.com/google/conscrypt) - Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension.
- [Cryptomator](https://github.com/cryptomator/cryptomator) - Multi-platform transparent client-side encryption of your files in the cloud.
- [Keyczar](https://github.com/google/keyczar) - Easy-to-use crypto toolkit by Google. Deprecated; its developers recommend migrating to Tink.
- [Keywhiz](https://github.com/square/keywhiz) - System for distributing and managing secrets.
- [Tink](https://github.com/google/tink) - Multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
- [ACME4J](https://github.com/shred/acme4j) - Java ACME client for issuing X.509 certificates using Let's Encrypt or another ACME based CA.

# Educational

## Hacking Playground

- [BodgeIt Store](https://github.com/psiinon/bodgeit) - A vulnerable web application aimed at people who are new to pen testing.
- [OWASP Benchmark](https://github.com/OWASP/Benchmark) - A Java test suite designed to verify the speed and accuracy of vulnerability detection tools.
- [Security Shepherd](https://github.com/OWASP/SecurityShepherd) - Web and mobile application security training platform.
- [WebGoat](https://github.com/WebGoat/WebGoat) - A deliberately insecure Java Web Application.

## Articles, Guides & Talks

- [Java Platform, Standard Edition Security Developer’s Guide](https://docs.oracle.com/javase/10/security/toc.htm) - This guide (JDK 10 edition) covers the major Java Standard Edition security components: Java Cryptography Architecture (JCA), Java Authentication and Authorization Service (JAAS) and Java Secure Socket Extension (JSSE).
- [Application Security Verification Standard](https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf) - (PDF) The standard is a list of application security requirements that can be used by developers. The linked version is 3.0.1; newer editions are published by the OWASP ASVS project.
- [Spring Security CSRF](https://www.baeldung.com/spring-security-csrf) - A Guide to CSRF Protection in Spring Security.
- [Secure Coding Guidelines](https://www.oracle.com/technetwork/java/seccodeguide-139067.html) - Secure Coding Guidelines for Java SE.
- [Securing a Web Application](https://spring.io/guides/gs/securing-web/) - This guide walks you through the process of creating a simple web application with resources that are protected by Spring Security.
- [Spring Security Guides](https://docs.spring.io/spring-security/site/docs/current/guides/html5/index.html) - Step by step guides on how to use Spring Security.
- [Prevent cross-site scripting (XSS) attacks](https://www.ibm.com/developerworks/library/se-prevent-cross-site-scripting-attacks/index.html) - This article explains how XSS attacks work and suggests a methodology to block XSS attacks.
- [Java Security Resource Center](https://www.oracle.com/technetwork/java/javase/overview/security-2043272.html) - A collection of security details for different users of the Java Platform.
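The Security Developer's Guide above covers JSSE, and the mutual-TLS guide listed under Practices walks through the same setup step by step. The following is an added example written for this page (it is not code from the original list or from any project it links to) showing how the JSSE pieces fit together on the client side: a keystore holding the client certificate, an explicit truststore holding only the issuing CA, and an `SSLContext` handed to the JDK 11+ `HttpClient`. Beside it is the trust-all `X509TrustManager` anti-pattern that reviewers should reject. The file names `client.p12` and `truststore.p12`, the password `changeit` and the URL are placeholders.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the original list): wiring JSSE for mutual TLS with the
 * JDK 11+ HttpClient. File names, passwords and the URL below are placeholders.
 */
public final class MutualTlsClient {

    /**
     * Hardened setup: the client authenticates with the private key and certificate
     * chain in its own PKCS#12 keystore and trusts only the CA certificates in an
     * explicit truststore (not the JDK's default cacerts).
     */
    static SSLContext mutualTlsContext(Path keyStorePath, char[] keyStorePassword,
                                       Path trustStorePath, char[] trustStorePassword)
            throws Exception {
        // Client identity presented during the handshake.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);

        // Trust anchors: only the CA that issued the server certificate.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Anti-pattern, shown only so it can be recognised in review: a TrustManager that
     * accepts every certificate disables server authentication, so anyone on the path
     * can terminate the "encrypted" connection with their own certificate. Never ship this.
     */
    static SSLContext insecureTrustAllContext() throws Exception {
        TrustManager trustAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAll }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder stores and password: create them with keytool or openssl as the guide describes.
        SSLContext ctx = mutualTlsContext(
                Path.of("client.p12"), "changeit".toCharArray(),
                Path.of("truststore.p12"), "changeit".toCharArray());

        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest request = HttpRequest.newBuilder(URI.create("https://localhost:8443/api/hello"))
                .GET()
                .build();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println(response.statusCode() + " " + response.body());
    }
}
```

Two things to check when adopting this: the JDK `HttpClient` verifies the server hostname against the certificate by default, so do not loosen that on the client; and the server must actually require the client certificate (for a Spring Boot server that is `server.ssl.client-auth=need`), otherwise the keystore is loaded but never exercised and the "mutual" part is silently absent.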
## Practices

- [Encrypting with SSL/TLS](https://github.com/Hakky54/mutual-tls-ssl) - Step by step guide for encrypting client and server communication, including mutual TLS (client certificate authentication).

## Specifications

- [JSR 115: Java Authorization Contract for Containers](https://jcp.org/en/jsr/detail?id=115) (JACC)
- [JSR 196: Java Authentication Service Provider Interface for Containers](https://www.jcp.org/en/jsr/detail?id=196) (JASPIC)
- [JSR 375: Java EE Security API](https://jcp.org/en/jsr/detail?id=375) (now Jakarta Security)

# Other

## Reporting Bugs

- [Java Security Reporting](https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html)

## Contributing

Found an awesome project, package, article, or another type of resource related to Java Security? Open a pull request!
Just follow the [guidelines](/CONTRIBUTING.MD). Thank you!

## License

[![CC0](http://mirrors.creativecommons.org/presskit/buttons/88x31/svg/cc-zero.svg)](http://creativecommons.org/publicdomain/zero/1.0/)
--------------------------------------------------------------------------------
/code-of-conduct.md:
--------------------------------------------------------------------------------
# Contributor Covenant Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at [support@guardrails.io](mailto:support@guardrails.io). All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html

[homepage]: https://www.contributor-covenant.org

For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq
--------------------------------------------------------------------------------