Iron-Clad Java: Building Secure Web Applications (Oracle Press) 1st Edition

4.7 out of 5 stars 15 customer reviews
ISBN-13: 978-0071835886
ISBN-10: 0071835881

Editorial Reviews

About the Author

Jim Manico (Hawaii) is an independent software security educator. He has more than 18 years' experience with the Java programming language. Jim is also a global board member for the OWASP foundation.

August Detlefsen (San Francisco, CA) is a senior application security consultant with more than 18 years’ experience in software development, enterprise application architecture, and information security. He is an active member of OWASP.


Product Details

  • Series: Oracle Press
  • Paperback: 304 pages
  • Publisher: McGraw-Hill Education; 1 edition (September 9, 2014)
  • Language: English
  • ISBN-10: 0071835881
  • ISBN-13: 978-0071835886
  • Product Dimensions: 7.4 x 0.7 x 9.1 inches
  • Shipping Weight: 7 ounces
  • Average Customer Review: 4.7 out of 5 stars (15 customer reviews)
  • Amazon Best Sellers Rank: #231,545 in Books

Customer Reviews

Top Customer Reviews

Format: Paperback
It's taken me a while to write a review of “Iron-Clad Java: Building Secure Web Applications” because it motivated me to fix two security vulnerabilities in CodeRanch – clickjacking and brute force login. (and I didn't want to post this review until they were deployed)

The concepts were explained clearly in addition to tactics and patterns/anti-patterns. I particularly liked the emphasis on security vs usability. The explanation for the different types of XSS attacks and using encoding appropriate to the context was excellent. I like that there was a whole chapter on logging.

I learned a lot reading this book; even about topics I thought I knew a lot about. I hadn't known OWASP had an HTML validator. I hadn't heard of null byte attacks.

For many of the vulnerabilities, the book suggests libraries you can use to help. I hadn't heard of Apache Shiro. I was surprised OWASP's CSRF filter wasn't mentioned though.

The book targets Java developers, project managers, web security penetration testers and technical managers. I was skeptical that a book with so much code could be useful to managers. After reading the book, I'm convinced. Skipping over the coding sections gives managers an appreciation and the vocabulary for discussing security with their staff.

If you have a web app, you should definitely get this book.
---
Disclosure: I received a copy of this book from the publisher in exchange for writing this review on behalf of CodeRanch.
Format: Paperback Verified Purchase
Concise coverage of all the essential topics. Iron-Clad Java is a winner. If you are looking for advice on current secure software development best practices, this book is invaluable. The writing style stays conversational, while delivering the specific facts a developer needs to implement the recommendations.
Format: Kindle Edition Verified Purchase
I really liked this book. It brings together a lot of issues that one would otherwise have to look up in too many different sources.
The writing style is also great.

That being said, I don't like so much the presentation of CSRF. I believe the discussion of this problem should start by describing the "same-origin policy", because this is where the problem but also the solutions start. CSRF is a case where the "same-origin policy" does not apply. The "Synchronizer token" offers effective protection because the attacker cannot retrieve the token by doing a GET request before the POST request that would submit the token, because of the "same-origin policy". And in the "double submit cookies" solution, the attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy, and not because the cookie is HttpOnly, as the authors put it. On the contrary, this cookie should not be HttpOnly, so that JavaScript frameworks such as AngularJS and DWR can manipulate it.
I think that the chapter of CSRF should be rewritten around the "same-origin policy".

One other place I disagree with the authors is the presentation of the "Insecure Direct Object Reference" attack as a special case of SQL injection. Specifically, the authors present a special case of SQL injection where the injected part is the "order by" clause as the "Insecure Direct Object Reference" attack. However, the latter is not related to SQL injection.
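The synchronizer token pattern that the review above discusses, as an added example that is neither the book's code nor the reviewer's: a plain-JDK sketch in which a map stands in for the HttpSession so it runs without a servlet container. The server issues one unguessable token per session and embeds it in its own forms; a state-changing request is accepted only if it carries that token. Because the same-origin policy keeps a cross-site page from reading the response that contains the token, a forged request arrives with the victim's session cookie but without the token and is rejected. Class, method and session-id names are assumptions for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Synchronizer-token CSRF check reduced to plain JDK (added example, not from
 * the book). Session storage is simulated with a map; in a real application
 * the token lives in the HttpSession and this check sits in a Filter in front
 * of every state-changing (POST/PUT/DELETE) handler.
 */
public class CsrfTokenDemo {

    private static final SecureRandom RNG = new SecureRandom();

    // session id -> CSRF token (stands in for an HttpSession attribute)
    private final Map<String, String> sessionTokens = new ConcurrentHashMap<>();

    /** Issue (or reuse) the per-session token that the server embeds in its own forms. */
    public String tokenForSession(String sessionId) {
        return sessionTokens.computeIfAbsent(sessionId, id -> {
            byte[] raw = new byte[32];            // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        });
    }

    /**
     * Validate a state-changing request: true only when a token was submitted
     * and it matches the token bound to the caller's session.
     */
    public boolean isValidRequest(String sessionId, String submittedToken) {
        String expected = sessionTokens.get(sessionId);
        if (expected == null || submittedToken == null) {
            return false;
        }
        // Constant-time comparison so a wrong token cannot be narrowed down by timing.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        CsrfTokenDemo csrf = new CsrfTokenDemo();
        String session = "sess-demo-1";  // constructed session id for the demo

        // 1. The user loads the site's own form; the server embeds the token in it.
        //    Only same-origin code can read that response, so only the genuine
        //    form ever learns the token.
        String token = csrf.tokenForSession(session);

        // 2. A POST from the genuine form carries the token and is accepted.
        System.out.println("genuine form    -> " + csrf.isValidRequest(session, token));

        // 3. A cross-site form submission rides on the session cookie but could not
        //    read the token, so it arrives without one and is rejected.
        System.out.println("cross-site form -> " + csrf.isValidRequest(session, null));

        // 4. A guessed token is rejected as well.
        System.out.println("guessed token   -> " + csrf.isValidRequest(session, "AAAA"));
    }
}
```

Compile and run with `javac CsrfTokenDemo.java && java CsrfTokenDemo`. The design choice worth noting is that the check depends only on the token being unreadable cross-origin, not on any cookie flag: the session cookie is sent automatically either way, which is exactly why it cannot serve as the proof of intent on its own.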
Format: Paperback
I recently read Iron-Clad Java by Jim Manico and August Detlefsen and was very impressed by its quality and contextual advice. Typically these kinds of books start very basic and then ramp up so quickly to insanely complex code snippets without any explanation, that the reader is left scratching their head trying to figure out where the bus went that just ran them over. This book is written in such a way that it is approachable for Java developers new to security, or for those looking to bring existing security expertise to the Java world, or even those that might be a little inexperienced at both while still providing some really useful nuggets for experienced Java security folks.

One of the biggest things I liked about this book was the extremely clear explanation of why we need to implement a specific control for a given issue, how we do it and what the impacts are. This is what many security professionals miss when speaking to developers. It's not enough to tell a developer they should use parameterized queries, but why and how to do so in a way that makes sense for developers. Presented in this way it becomes very clear why developers should use PBKDF2 for password storage, or how and why specific access control characteristics need to be defined. What is RBAC or ABAC? Which do I want to use in my app and how would I do it? What are the trade-offs? These questions and so much more are answered within these pages. This is a timely and relevant book that makes an excellent entry in any Java developer's arsenal. Do yourself a favor and buy it now!
Format: Paperback Verified Purchase
This is a must-have book for anyone architecting or developing webapps in Java. The advice is solid, un-biased, and framework agnostic, so the lessons learned from it should apply to any project. The takeaways from reading it will be a solid understanding of what is wrong with many webapps (in general) and corrective measures you can take to mitigate the issues. I highly encourage dev teams to collaborate on the examples in the book.
