Overview

Praise for Core Security Patterns

Java provides the application developer with essential security mechanisms and support in avoiding critical security bugs common in other languages. A language, however, can only go so far. The developer must understand the security requirements of the application and how to use the features Java provides in order to meet those requirements. Core Security Patterns addresses both aspects of security and will be a guide to developers everywhere in creating more secure applications.

--Whitfield Diffie, inventor of Public-Key Cryptography

A comprehensive book on Security Patterns, which are critical for secure programming.

--Li Gong, former Chief Java Security Architect, Sun Microsystems, and coauthor of Inside Java 2 Platform Security

As developers of existing applications, or future innovators that will drive the next generation of highly distributed applications, the patterns and best practices outlined in this book will be an important asset to your development efforts.

--Joe Uniejewski, Chief Technology Officer and Senior Vice President, RSA Security, Inc.

This book makes an important case for taking a proactive approach to security rather than relying on the reactive security approach common in the software industry.

--Judy Lin, Executive Vice President, VeriSign, Inc.

Core Security Patterns provides a comprehensive patterns-driven approach and methodology for effectively incorporating security into your applications. I recommend that every application developer keep a copy of this indispensable security reference by their side.

--Bill Hamilton, author of ADO.NET Cookbook, ADO.NET in a Nutshell, and NUnit Pocket Reference

As a trusted advisor, this book will serve as a Java developer's security handbook, providing applied patterns and design strategies for securing Java applications.

--Shaheen Nasirudheen, CISSP, Senior Technology Officer, JPMorgan Chase

Like Core J2EE Patterns, this book delivers a proactive and patterns-driven approach for designing end-to-end security in your applications. Leveraging the authors' strong security experience, they created a must-have book for any designer/developer looking to create secure applications.

--John Crupi, Distinguished Engineer, Sun Microsystems, coauthor of Core J2EE Patterns

Core Security Patterns is the hands-on practitioner's guide to building robust end-to-end security into J2EE™ enterprise applications, Web services, identity management, service provisioning, and personal identification solutions. Written by three leading Java security architects, the patterns-driven approach fully reflects today's best practices for security in large-scale, industrial-strength applications.

The authors explain the fundamentals of Java application security from the ground up, then introduce a powerful, structured security methodology; a vendor-independent security framework; a detailed assessment checklist; and twenty-three proven security architectural patterns. They walk through several realistic scenarios, covering architecture and implementation and presenting detailed sample code. They demonstrate how to apply cryptographic techniques; obfuscate code; establish secure communication; secure J2ME™ applications; authenticate and authorize users; and fortify Web services, enabling single sign-on, effective identity management, and personal identification using Smart Cards and Biometrics.

Core Security Patterns covers all of the following, and more:

  • What works and what doesn't: J2EE application-security best practices, and common pitfalls to avoid

  • Implementing key Java platform security features in real-world applications

  • Establishing Web services security using XML Signature, XML Encryption, WS-Security, XKMS, and the WS-I Basic Security Profile

  • Designing identity management and service provisioning systems using SAML, Liberty, XACML, and SPML

  • Designing secure personal identification solutions using Smart Cards and Biometrics

  • Security design methodology, patterns, best practices, reality checks, defensive strategies, and evaluation checklists

  • End-to-end security architecture case study: architecting, designing, and implementing an end-to-end security solution for large-scale applications



Amazon.com® Reader Reviews (Ranked by Helpfulness)

Average Amazon.com® Rating: 4.5 out of 5, based on 31 ratings

Poorly written - 2007-11-19
Our book discussion group selected this book to review. Unfortunately, after a couple of months we agreed the value of this book was not sufficient to continue reading and discussing it. (We gave up in Chapter 9 - after skipping chapters 5, 6 and 7 because too many of the group were losing patience and wanted to get deeper into the book where we might find something of value.)

Many interesting subjects are touched on, but nothing has enough depth to be of serious value. This is further hampered by poor writing and editing. There is a fair amount of "duplication" in this book where the same "nothing" is sometimes repeated. The code snippets are weak and not of much value.

The bottom line is that while the subject is very interesting, the presentation in this book is so poor that it doesn't justify reading 1000+ dull pages. This book doesn't seem to have a target audience, it's too high level for developers, but gets into too low level details for management. It fails to be a good technical reference and at the same time fails as a concise overview to educate management decision makers. (Hint for authors: if your audience is management, keep it brief and to the point, management doesn't have time to read page after page of trivial commentary. If your audience is developers, the book needs to deliver solid technical information.)

Best Java Security Book for J2EE and Web Services. - 2007-09-23
This is a great book - by far the best security design book for Java and J2EE (including Java SE 6 and Java EE 5) I have read to date. When I first heard my coworkers talking about this book, I thought "oh great, another J2EE book!" Much to my surprise, this book is not just a how-to security API or patterns recipe book but much more than that - I see it as a collection of valuable suggestions and examples on how to choose security mechanisms and use them in J2EE applications and web services. Moreover, it tells you what the best practices, pitfalls and tradeoffs are for each design pattern option you take. In particular, you will find this book an ideal companion for CORE J2EE PATTERNS - Deepak Alur et al, which is my favorite for designing J2EE applications.

This book is close to the size of a pillow, and I do understand why the authors gave only code snippets for selected examples instead of full implementations. The case study is just right: it discusses the scenario and how to incorporate the patterns right into the application design, which is just right for a Java developer who is involved with Java enterprise applications and web services. The best practices and security checklist detailed in this book help a lot during development and when you want to deploy a J2EE application/web service in production.

Having said that, I consider this book a must-have for any serious Java developer/designer/architect who wants to build security from an understanding of the basics of WHAT and know WHY you should architect your J2EE system in a particular way using best practices (a long list) and not just HOW. Ultimately you will find this book a one-stop reference for building security in J2EE applications and web services.

Very practical security book for java architects - 2008-02-23
This is a great book - by far the best security design book for Java and J2EE I have read to date. When I first heard my coworkers talking about this book, I thought "oh great, another J2EE book!" Much to my surprise, this book is not just a how-to security API or patterns recipe book but much more than that - I see it as a collection of valuable suggestions and examples on how to choose security mechanisms and use them in J2EE applications and web services. Moreover, it tells you what the best practices, pitfalls and tradeoffs are for each design pattern option you take. In particular, you will find this book an ideal companion for CORE J2EE PATTERNS - Deepak Alur et al, which is my favorite for designing J2EE applications.

This book is close to the size of a pillow, and I do understand why the authors gave only code snippets for selected examples instead of full implementations. The case study is just right: it discusses the scenario and how to incorporate the patterns right into the application design, which is just right for an experienced developer, but a budding developer may find it uncomfortable.

Having said that, I consider this book a must-have for any serious J2EE developer/designer/architect who wants to build security from an understanding of the basics of WHAT and know WHY you should architect your J2EE system in a particular way and not just HOW. Ultimately you will find this book a one-stop reference for building security in J2EE applications.

Excellent Security Book for Java/J2EE Programmers and Architects - 2007-11-22
This is a very comprehensive, well written and well-organized guide for securing Java and J2EE. Yes, it has everything - all done well - definitely worth a buy. If you are into Java based applications development and planning to work on application security assessment, development, testing ... and planning to live by it every day, you will learn a lot from this book, to re-evaluate things with patterns and best practices, and to genuinely improve your results knowing the pitfalls. If you are a Java applications developer, this book *will* help guide you with Java security mechanisms and where and how to apply them for building secure applications. If you are a security enthusiast, you will genuinely enjoy the time spent with this book, and you will find this brick handy more often than previously imagined.

I strongly recommend this book for budding and experienced Java developers/architects who are involved with Java applications development, J2EE based web applications and web services. This book covers security mechanisms including Java 6 and Java EE 5.

Java security made easy. Excellent title worth investing on. - 2007-09-18
If you ever want to understand about security and its role in the development of J2EE enterprise-level applications, then you should consider buying this book from your local bookstore.

The authors have done an excellent job in explaining the basics of security as it applies to the most common business practices, as well as delivering intricate details on the inner workings of the Java platform security architecture. Even though this book mostly covers Java technologies, you don't have to be a Java developer or architect to appreciate it.

The book is divided in 7 major parts:

Part 1: Introduction and Basics of Security

Part 2: Java Security Architecture and Technologies

Part 3: Web Services Security and Identity Management

Part 4: Security Design Methodology, Patterns, and Reality Checks

Part 5: Design Strategies and Best Practices

Part 6: Putting it all together

Part 7: Personal Identification using Smart Cards and Biometrics
Parts 1-5 provide reams of detail about the fundamentals of security, the J2EE security architecture, and the technologies used to enable Web services security. In addition, there is a comprehensive explanation of patterns and practices for J2EE developers, as well as design strategies and best practices for securing J2EE Web components and web-based applications.

Web developers might want to pay special attention to Part 3 of the book because it gives an insight on fortifying Web services, authenticating and authorizing end users, and applying the latest cryptographic techniques. XML is described in detail as the encoding for messages between parties using a Web Service.

Note that this book does not explain the specific Java APIs needed for basic J2EE application development. Twenty-three proven security architectural patterns are discussed and presented through several realistic scenarios, covering architecture and implementation and presenting detailed sample code.

Part 6 of the book describes how to use this newly acquired knowledge in the implementation of real-world security scenarios.

Finally, we found the last part of this book as the most intriguing. It provides an in-depth coverage on Personal Identification using Smart Cards and Biometrics, their role in physical and logical access control, and the different technologies used in their implementation. Best practices and common pitfalls that might arise when implementing security using smart cards and biometrics are also discussed.

Overall we believe this is an excellent book for the security enthusiast who wants to build robust end-to-end security into J2EE enterprise applications.

Some information on this page was provided using data from Amazon.com®. View at Amazon >

Copyright 2009 Safari Books Online. All rights reserved.