Secure coding techniques in Java

Anant Jain
Jan 26, 2021

In this article, I'm going to describe secure coding practices in Java. Because Java is most widely used in enterprise application development, it is a target for bad actors.

1. SQL Injection

In SQL injection, the bad actor tries to inject malicious code in your SQL queries.

For example:

// Vulnerable: request parameters are concatenated directly into the SQL text.
String query = "SELECT * FROM Users WHERE Username = '" + request.getParameter("username") + "' AND Pass = '" + request.getParameter("pass") + "'";
try {
    Statement statement = connection.createStatement( ... );
    ResultSet results = statement.executeQuery( query );
}
...

If a bad actor enters the username ' or '' = ' and the password ' or '' = ', the query becomes SELECT * FROM Users WHERE Username = '' or '' = '' AND Pass = '' or '' = ''. The bad actor will then be able to bypass the login form.

To prevent it, the following techniques can be used:

  1. Use of Prepared Statements (with Parameterized Queries)
  2. Hibernate Query Language (HQL) Prepared Statement (Named Parameters)
  3. Use of Stored Procedures
  4. Whitelist validation - the practice of only accepting input that is known to be good
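The login query from the example above, rewritten with techniques 1 and 4 from this list. This is an added example, not code from the original article; the class name LoginDao, the method credentialsMatch and the username pattern are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example; LoginDao, credentialsMatch and USERNAME_ALLOWED are hypothetical names.
public final class LoginDao {

    // Technique 1: the SQL text is fixed; user input only ever fills the two ? placeholders.
    private static final String LOGIN_SQL =
            "SELECT 1 FROM Users WHERE Username = ? AND Pass = ?";

    // Technique 4: whitelist of accepted usernames (assumed policy, adjust to your own rules).
    private static final Pattern USERNAME_ALLOWED = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    private LoginDao() { }

    /** Returns true only when a row matches both bound values exactly. */
    public static boolean credentialsMatch(Connection connection, String username, String pass)
            throws SQLException {
        if (username == null || pass == null
                || !USERNAME_ALLOWED.matcher(username).matches()) {
            return false; // rejected before any query is built
        }
        try (PreparedStatement statement = connection.prepareStatement(LOGIN_SQL)) {
            // Bound values are sent as data, so a quote character cannot end the string
            // literal or add an OR clause; ' or '' = ' is compared as a literal password.
            statement.setString(1, username);
            statement.setString(2, pass);
            try (ResultSet results = statement.executeQuery()) {
                return results.next();
            }
        }
    }
}
```

The Pass comparison mirrors the article's query; storing passwords in hashed form, as the Bonus Tips recommend, changes what is bound to the second parameter, not the binding itself.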

2. Sensitive Data Leak

There can be various types of sensitive data in our application whose leakage should be prevented. Some examples of sensitive data:

  • Regulatory Data - data controlled by the government or any other authority.
  • Personally identifiable information (PII) - any data that can be used to identify a specific individual.
  • Health Information
  • Confidential Information - It varies between organizations. It could be financial information of users, employee data of the company, etc.

Leaks of sensitive data can be prevented in the following ways:

2.1. Log Message

Logs are very helpful for debugging our application, but they can become a source of information leakage.

To prevent this, we should log only necessary information and obfuscate sensitive data.

For example, instead of logging the user's email address, log the cryptographically hashed value of the email address.

A cryptographic hash function converts a string into an encoded string, but the reverse is not possible.

In the example below, I'm going to use SHA-256 hashing to hash the user's e-mail address.

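import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.apache.commons.codec.binary.Hex; // Apache Commons Codec

public String sha256Encode(String data) {
    try {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        byte[] encodedhash = digest.digest(data.getBytes(StandardCharsets.UTF_8));
        return new String(Hex.encodeHex(encodedhash)); // lowercase hex string
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException(e); // SHA-256 is required on every Java platform
    }
}
...
...
LOGGER.debug(sha256Encode(user.getEmail()) + " bought 2 apples.");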

For a user with the e-mail name@company.com, the log will look like this:

35d973d929271059529ef0c0e2f12ac4fb7f871600a9409751bce1eb0c2a7687 bought 2 apples.

You can then find the user with the following SQL query:

SELECT * FROM Users WHERE SHA256(email) = '35d973d929271059529ef0c0e2f12ac4fb7f871600a9409751bce1eb0c2a7687';

NOTE: The SQL query may vary between SQL databases.

All cryptographic hashing algorithms are one-way. This means that even if the logs are leaked, no one can convert the hashed/encoded string back to its original value.

2.2. Error Handling

Handling a bad state can also lead to data leakage, for instance through an incorrect error message.

For example: a password reset page shows an error message saying that no account exists for the entered e-mail address. In this way, the bad actor can find out which e-mail addresses have an account on the site and take advantage of this information by brute-forcing, sending phishing e-mails, etc.

3. Other Vulnerabilities

  • Do not display stack traces.
  • Do not display information about the system on which the application is hosted.
  • Avoid the use of vulnerable libraries and software.
  • Do not use the default database password.
  • Actively look for Common Vulnerabilities and Exposures (CVE). CVE is a list of publicly disclosed computer security flaws.

Bonus Tips!

  1. Securely store information such as passwords in hashed form.
  2. Use input validation everywhere.
  3. Write test cases to test for vulnerabilities such as SQL injection, data leakage through logs, etc.
  4. Run a dependency check plugin to find vulnerable dependencies.
  5. Use a static code analysis tool to check for security flaws.

Anant Jain

Java, Spring & Hibernate Developer, IT Engineer and Open Source Contributor