├── .gitignore
├── LICENSE
├── README.md
├── code-of-conduct.md
├── contributing.md
└── img
    └── Java-Logo.png

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Compiled class file
*.class

# Log file
*.log

# BlueJ files
*.ctxt

# Mobile Tools for Java (J2ME)
.mtj.tmp/

# Package Files #
*.jar
*.war
*.nar
*.ear
*.zip
*.tar.gz
*.rar

# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
hs_err_pid*

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 Paul Veillard, P. Eng

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# Java Security

###### Welcome to the World of Java:
> An ongoing collection of Java language tools, frameworks, software, libraries, learning tutorials, and academic and practical resources.
> Thanks to all contributors: you're awesome, and this wouldn't be possible without you! Our goal is to build a categorized, community-driven collection of well-known resources.

![java](https://github.com/paulveillard/cybersecurity-java-security/blob/main/img/Java-Logo.png)

## Table of Contents
- [Tools](#tools)
- [Educational](#educational)
- [Other](#other)

# Tools

## Web Framework Hardening

- [Apache Shiro](https://shiro.apache.org/) - A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
- [JJWT](https://github.com/jwtk/jjwt) - Java JWT: JSON Web Token for Java and Android.
- [OWASP ESAPI Java](https://github.com/ESAPI/esapi-java-legacy) - Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
- [PAC4J](https://github.com/pac4j/pac4j) - Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
- [Spring Security](https://github.com/spring-projects/spring-security) - A powerful and highly customizable authentication and access-control framework.
- [Spring Security OAuth](https://github.com/spring-projects/spring-security-oauth) - Support for adding OAuth1(a) and OAuth2 features (consumer and provider) to Spring web applications.

## Multi Tools

- [hawkeye](https://github.com/hawkeyesec/scanner-cli) - Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and Java.
- [GuardRails](https://github.com/apps/guardrails) - A GitHub App that gives you instant security feedback in your Pull Requests.

## Static Code Analysis

- [SpotBugs](https://github.com/spotbugs/spotbugs) - SpotBugs is FindBugs' successor: a static analysis tool that looks for bugs in Java code.
- [Find Security Bugs](https://github.com/find-sec-bugs/find-sec-bugs/) - SpotBugs plugin for security audits of Java web applications and Android applications.
- [Detect Secrets](https://libraries.io/pypi/detect-secrets) - An enterprise-friendly way of detecting and preventing secrets in code.
- [Gitrob](https://github.com/michenriksen/gitrob) - Gitrob is a tool to help find potentially sensitive files pushed to public repositories on GitHub.
- [SonarQube](https://github.com/SonarSource/sonarqube) - SonarQube provides the capability to show the health of an application and highlight newly introduced issues.
- [Oversecured](https://oversecured.com/) - A static analyzer for Android apps (APK files) that searches for security vulnerabilities; covers 90+ vulnerability categories.

## Runtime Analysis

- [Code Pulse](https://github.com/codedx/codepulse) - Code Pulse is a real-time code coverage tool for penetration testing activities.
- [OWASP ZAP](https://github.com/zaproxy/zaproxy) - Helps automatically find security vulnerabilities in your web applications.
- [Contrast Community Edition](https://www.contrastsecurity.com/contrast-community-edition) - Free runtime protection and vulnerability detection tool, identifying issues in running applications.

## Vulnerabilities and Security Advisories

- [OWASP Dependency-Check](https://github.com/jeremylong/DependencyCheck) - Detects publicly disclosed vulnerabilities in application dependencies.
- [Snyk](https://github.com/snyk/snyk) - CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies.
- [Snyk Vulnerability DB](https://snyk.io/vuln?type=maven) - Commercial but free listing of known vulnerabilities in libraries.
- [Common Vulnerabilities and Exposures](https://www.cvedetails.com/product/19117/Oracle-JRE.html?vendor_id=93) - Vulnerabilities that were assigned a CVE. Covers the language and packages.
- [National Vulnerability Database](https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=java&search_type=all) - Java known vulnerabilities in the National Vulnerability Database.
- [Contrast Community Edition](https://www.contrastsecurity.com/contrast-community-edition) - Free tool to locate CVEs and outdated dependencies in libraries.

## Cryptography

- [Bouncy Castle](https://www.bouncycastle.org/java.html) - Java implementation of cryptographic algorithms.
- [Conscrypt](https://github.com/google/conscrypt) - Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension.
- [Cryptomator](https://github.com/cryptomator/cryptomator) - Multi-platform transparent client-side encryption of your files in the cloud.
- [Keyczar](https://github.com/google/keyczar) - Easy-to-use crypto toolkit by Google.
- [Keywhiz](https://github.com/square/keywhiz) - System for distributing and managing secrets.
- [Tink](https://github.com/google/tink) - Multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
- [ACME4J](https://github.com/shred/acme4j) - Java ACME client for issuing X.509 certificates using Let's Encrypt or another ACME-based CA.

# Educational

## Hacking Playground

- [BodgeIt Store](https://github.com/psiinon/bodgeit) - A vulnerable web application aimed at people who are new to pen testing.
- [OWASP Benchmark](https://github.com/OWASP/Benchmark) - A Java test suite designed to verify the speed and accuracy of vulnerability detection tools.
- [Security Shepherd](https://github.com/OWASP/SecurityShepherd) - Web and mobile application security training platform.
- [WebGoat](https://github.com/WebGoat/WebGoat) - A deliberately insecure Java Web Application.

## Articles, Guides & Talks

- [Java Platform, Standard Edition Security Developer's Guide](https://docs.oracle.com/javase/10/security/toc.htm) - This guide covers the major Java Standard Edition security components: Java Cryptography Architecture (JCA), Java Authentication and Authorization Service (JAAS) and Java Secure Socket Extension (JSSE).
- [Application Security Verification Standard](https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf) - (PDF) The standard is a list of application security requirements that can be used by developers.
- [Spring Security CSRF](https://www.baeldung.com/spring-security-csrf) - A guide to CSRF protection in Spring Security.
- [Secure Coding Guidelines](https://www.oracle.com/technetwork/java/seccodeguide-139067.html) - Secure Coding Guidelines for Java SE.
- [Securing a Web Application](https://spring.io/guides/gs/securing-web/) - This guide walks you through the process of creating a simple web application with resources that are protected by Spring Security.
- [Spring Security Guides](https://docs.spring.io/spring-security/site/docs/current/guides/html5/index.html) - Step-by-step guides on how to use Spring Security.
- [Prevent cross-site scripting (XSS) attacks](https://www.ibm.com/developerworks/library/se-prevent-cross-site-scripting-attacks/index.html) - This article explains how XSS attacks work and suggests a methodology to block XSS attacks.
- [Java Security Resource Center](https://www.oracle.com/technetwork/java/javase/overview/security-2043272.html) - A collection of security details for different users of the Java Platform.

## Practices

- [Encrypting with SSL/TLS](https://github.com/Hakky54/mutual-tls-ssl) - Step-by-step guide for encrypting client and server communication.

## Specifications

- [JSR 115: Java Authorization Contract for Containers](https://jcp.org/en/jsr/detail?id=115)
- [JSR 196: Java Authentication Service Provider Interface for Containers](https://www.jcp.org/en/jsr/detail?id=196)
- [JSR 375: Java EE Security API](https://jcp.org/en/jsr/detail?id=375)

# Other

## Reporting Bugs

- [Java Security Reporting](https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html)

## Contributing

Found an awesome project, package, article, or another type of resource related to Java Security? Open a pull request!
Just follow the [guidelines](/CONTRIBUTING.MD). Thank you!

## License

MIT License and [CC BY 4.0](https://creativecommons.org/licenses/by/4.0/) license.

This work is licensed under a Creative Commons Attribution 4.0 International License.

To the extent possible under law, [Paul Veillard](https://github.com/paulveillard/) has waived all copyright and related or neighboring rights to this work.

--------------------------------------------------------------------------------
/code-of-conduct.md:
--------------------------------------------------------------------------------
# Contributor Covenant Code of Conduct

## Our Pledge

We as members, contributors, and leaders pledge to make participation in the
ansible-security-hardening project and our community a harassment-free
experience for everyone, regardless of age, body size, visible or invisible
disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal
appearance, race, religion, or sexual identity and orientation.

We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
## Our Standards

Examples of behavior that contributes to a positive environment for our
community include:

* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
  and learning from the experience
* Focusing on what is best not just for us as individuals, but for the
  overall community

Examples of unacceptable behavior include:

* The use of sexualized language or imagery, and sexual attention or
  advances of any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email
  address, without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
  professional setting

## Enforcement Responsibilities

Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.

Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.

## Scope

This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at info@paulveillard.com.
All complaints will be reviewed and investigated promptly and fairly.

All community leaders are obligated to respect the privacy and security of the
reporter of any incident.

## Enforcement Guidelines

Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:

### 1. Correction

**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.

**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.

### 2. Warning

**Community Impact**: A violation through a single incident or series
of actions.

**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or
permanent ban.

### 3. Temporary Ban

**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.

**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.

### 4. Permanent Ban

**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.

**Consequence**: A permanent ban from any sort of public interaction within
the community.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.0, available at
https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.

Community Impact Guidelines were inspired by [Mozilla's code of conduct
enforcement ladder](https://github.com/mozilla/diversity).

[homepage]: https://www.contributor-covenant.org

For answers to common questions about this code of conduct, see the FAQ at
https://www.contributor-covenant.org/faq. Translations are available at
https://www.contributor-covenant.org/translations.

--------------------------------------------------------------------------------
/contributing.md:
--------------------------------------------------------------------------------
# Contribution

This project welcomes contributions from the community. All contributions to this repository must be
signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on
as an open-source patch.
## Contribution Flow

This is a rough outline of what a contributor's workflow looks like:

- Create a topic branch from where you want to base your work
- Make commits of logical units
- Make sure your commit messages are in the proper format (see below)
- Push your changes to a topic branch in your fork of the repository
- Submit a pull request

Example:

```shell
git remote add upstream https://github.com/paulveillard/
git checkout -b my-new-feature master
git commit -a
git push origin my-new-feature
```

### Staying In Sync With Upstream

When your branch gets out of sync with the paulveillard/master branch, use the following to update:

```shell
git checkout my-new-feature
git fetch upstream                  # fetch the upstream branches before rebasing
git pull --rebase upstream master
git push --force-with-lease origin my-new-feature
```

### Updating pull requests

If your PR fails to pass CI or needs changes based on code review, you'll most likely want to squash these changes into
existing commits.

If your pull request contains a single commit or your changes are related to the most recent commit, you can simply
amend the commit.

```shell
git add .
git commit --amend
git push --force-with-lease origin my-new-feature
```

If you need to squash changes into an earlier commit, you can use:

```shell
git add .
git commit --fixup <commit-to-fix>  # --fixup needs the hash of the commit being corrected
git rebase -i --autosquash master
git push --force-with-lease origin my-new-feature
```

Be sure to add a comment to the PR indicating your new changes are ready to review, as GitHub does not generate a
notification when you `git push`.

### Code Style

### Formatting Commit Messages

We follow the conventions on [How to Write a Git Commit Message](http://chris.beams.io/posts/git-commit/).

Be sure to include any related GitHub issue references in the commit message. See
[GFM syntax](https://guides.github.com/features/mastering-markdown/#GitHub-flavored-markdown) for referencing issues
and commits.

## Reporting Bugs and Creating Issues

When opening a new issue, try to roughly follow the commit message format conventions above.

--------------------------------------------------------------------------------
/img/Java-Logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/paulveillard/cybersecurity-java-security/0968c5eaeda2e0d68c0e5a1a05a8603e90b1817c/img/Java-Logo.png
--------------------------------------------------------------------------------