Software Security for Developers you own this product

With examples in Java and Spring

Adib Saikali, Laurențiu Spilcă

MEAP began November 2021
Last updated October 2025
Publication in April 2026 (estimated)

ISBN 9781617298585
525 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development / Software Engineering / Security and Privacy / Cloud Application Security

resources: Source code Book forum Source code on GitHub

table of content

PART I: APPLICATION SECURITY THE BIG PICTURE

1 Making Sense of Application Security

1.1 Today’s reality – tradeoffs and costs

1.2 Roles and responsibilities in security

1.3 What you will learn in this book

1.4 Summary

2 Standards for implementing authentication

2.1 Logging users in

2.1.1 Customer authentication

2.1.2 Employee authentication

2.1.3 Partner authentication

2.1.4 Phishing resistant authentication

2.1.5 Authentication technology from a developer’s perspective

2.1.6 Exercises

2.2 Securing application credentials

2.2.1 Exercises

2.3 Exercise Answers

2.4 Summary

3 Service-to-service communication

3.1 Securing the service-to-service call chain

3.1.1 Propagating user identity through the service call chain

3.1.2 Determining service identity

3.1.3 Exercises

3.2 Securely running services on Kubernetes

3.2.1 Exercises

3.3 Security technologies every developer should know

3.3.1 Exercises

3.4 Exercise Answers

3.5 Summary

PART 2: CRYPTOGRAPHY FOUNDATIONS

4 Message Integrity and Authentication

4.1 The goals of cryptography

4.2 Cryptographic hash functions

4.2.1 Secure Hash Algorithm (SHA)

4.2.2 Verifying integrity using a cryptographic hash function

4.2.3 Design for hash function change

4.2.4 Exercises

4.3 Java cryptography architecture and extensions

4.4 Implementing message integrity in Java

4.5 Message Authentication Code (MAC)

4.5.1 Hashed Message Authentication Code (HMAC)

4.5.2 Java Support for HMAC

4.5.3 Exercises

4.6 Guaranteeing authenticity using HMAC

4.7 Exercise answers

4.8 Summary

5 Advanced Encryption Standard

5.1 Advanced Encryption Standard Overview

5.2 Modes of operation

5.2.1 Cipher Block Chaining (CBC) mode

5.2.2 Authenticated encryption

5.2.3 Galois Counter Mode (GCM)

5.2.4 Exercises

5.3 Java Support for AES

5.3.1 The ACME Inc. Scenario

5.3.2 Implementing the ACME Inc. Scenario

5.4 Authenticated Encryption with Associated Data (AEAD)

5.4.1 Exercises

5.5 AES Best Practices

5.5.1 Selecting the AES key size

5.5.2 Checklist for using AES-GCM correctly in Java

5.5.3 Exercises

5.6 Answers to exercises

5.7 Summary

6 Public Key Encryption and Digital Signatures: Unleashing RSA

6.1 The secret key distribution problem

6.1.1 Exercises

6.2 Public key cryptosystems

6.2.1 Exercises

6.3 RSA public key cryptosystem

6.3.1 Configuring RSA

6.3.2 Hybrid Encryption

6.3.3 Signing data with RSA

6.3.4 Exercises

6.4 Java Support for RSA

6.5 Answers to exercises

6.6 Summary

7 Public Key Encryption and Digital Signatures: Using ECC

7.1 Elliptic curve public key cryptosystems

7.1.1 Configuring ECC

7.1.2 Diffie-Helman key agreement

7.1.3 Exercises

7.2 Java support for elliptic curves

7.2.1 Java support for encryption with elliptic curves

7.2.2 Java support for signing with elliptic curves

7.3 RSA vs. ECC

7.3.1 Exercises

7.4 Answers to exercises

7.5 Summary

PART 3: SECURING COMMUNICATION CHANNELS

8 Public Key Infrastructure and X.509 Digital Certificates: know who you are talking to

8.1 Inspecting X.509 Digital Certificates

8.1.1 Inspecting X.509 certificates with OpenSSL CLI

8.1.2 Downloading a Website’s X.509 Digital Certificate Using OpenSSL CLI

8.1.3 Viewing The Fields of an X.509 Digital Certificate

8.1.4 Subject fields: Identify the public key and its owner.

8.1.5 Issuer Field: Identifies who created the certificate

8.1.6 Validity Fields

8.1.7 X.509 Digital Certificate Encoding Formats

8.1.8 Exercises

8.2 Verifying X.509 Digital Certificates

8.2.1 Verifying the GitHub.com X.509 Certificate

8.2.2 Exercises

8.3 Answers to exercises

8.4 Summary

9 Working with X.509 Certificates: Lifecycle and Self-Signing

9.1 Certificate Lifecycle: Issuance to revocation

9.1.1 Creating a keypair

9.1.2 Creating a Certificate Signing Request (CSR)

9.1.3 CSR Validation

9.1.4 Certificate Issuance

9.1.5 Certificate Revocation

9.1.6 Exercises

9.2 Private Certificate Authority for Local Development

9.2.1 Create a Self-Signed Root Certificate

9.2.2 Install the Certificate Authority into the Operating System Trust Store

9.2.3 Issue a certificate using the personal certificate authority

9.2.4 Exercises

9.3 Answers to exercises

9.4 Summary

10 Transport Layer Security (TLS): How the internet is secured

10.1 Securing communication with TLS

10.1.1 How it all started

10.1.2 TLS and mTLS

10.1.3 Exercises

10.2 What TLS actually protects you against

10.2.1 Protection from eavesdropping

10.2.2 Making sure there’s no tempering

10.2.3 Avoiding impersonation

10.2.4 Exercises

10.3 TLS in practice

10.3.1 Exercises

10.4 Answers to exercises

10.5 Summary

PART 4: MODERN AUTHENTICATION AND IDENTITY

11 JSON Object Signing and Encryption (JOSE)

11.1 The Standards Layer Cake

11.2 The problem solved by JSON Web Algorithms (JWA)

11.2.1 Exercises

11.3 JSON Web Key (JWK)

11.3.1 Exercises

11.4 JSON Web Signature (JWS)

11.4.1 JSON Web Object (JWS) Structure

11.4.2 Creating and verifying a JWS object

11.4.3 The credit card refunds scenario with JWS

11.4.4 Exercises

11.5 JSON Web Encryption (JWE)

11.5.1 JWE Structure

11.5.2 Creating and verifying JWE objects

11.5.3 Exercises

11.6 JSON Web Token (JWT)

11.6.1 Exercises

11.7 Answers to exercises

11.8 Summary

12 Single Sign On (SSO) using OAuth2 and OpenID Connect

12.1 Splitting security data management responsibilities

12.1.1 Exercises

12.2 Using authentication flows

12.2.1 The authorization code grant type

12.2.2 What actually are the tokens?

12.2.3 The client credentials grant type

12.2.4 Exercises

12.3 Applying OpenID Connect to Acme Inc.

12.3.1 Answers to exercises

12.4 Summary

13 Deepening security with OpenID Connect

13.1 Augmenting the authorization code grant type with PKCE

13.1.1 Exercises

13.2 Using refresh tokens to simplify authentication

13.2.1 Exercises

13.3 Supporting identity management with OpenID Connect

13.3.1 The Identity Layer and ID Token

13.3.2 The UserInfo Endpoint

13.3.3 Protection Against Replay Attacks and CSRF

13.3.4 Session management and logout

13.3.5 Exercises

13.4 Using multitenancy

13.4.1 Exercises

13.5 Answers to exercises

13.6 Summary

14 Passwordless login: Using Magic links and OTPs

14.1 The real magic of magic links authentication

14.1.1 Exercises

14.2 Authentication through One-Time Passwords (OTPs)

14.2.1 Exercises

14.3 Answers to exercises

14.4 Summary

15 Passwordless login: WebAuthn and hardware authentication

15.1 Biometric authentication

15.1.1 Fingerprint Scanning (Most Common)

15.1.2 Facial Recognition (Rapidly Growing)

15.1.3 Iris & Retina Scanning (Highly Secure)

15.1.4 Voice Recognition (Used in Call Centers & Virtual Assistants)

15.1.5 Palm Vein Recognition (High Security, Less Common)

15.1.6 Exercises

15.2 Authenticating using hardware keys

15.2.1 Exercises

15.3 Implementing WebAuthn authentication

15.3.1 Exercises

15.4 Answers to exercises

15.5 Summary

PART 5: SECURING SERVICE-TO-SERVICE CALL CHAIN

16 Implementing service identity

16.1 What service identity is

16.1.1 Exercises

16.2 Implementing service authorization at the application level

16.2.1 Using the OAuth2 client credentials grant type

16.2.2 Using API Keys

16.2.3 Using custom authorization logic

16.2.4 Exercises

16.3 Implementing service authorization at the infra-level

16.3.1 Exercises

16.4 Answers to exercises

16.5 Summary

17 Taming authorization: RBAC, ABAC, ReBAC

17.1 What are core authorization models

17.1.1 Role-Based Access Control (RBAC)

17.1.2 Attribute-Based Access Control (ABAC)

17.1.3 Relationship-Based Access Control (ReBAC)

17.1.4 Exercises

17.2 Authorization in real-world architectures

17.2.1 Authorization within monoliths

17.2.2 Service-oriented authorization

17.2.3 Exercises

17.3 Answers to questions

17.4 Summary

Appendix

Appendix A: Installation and Setup

A.1 Setting up Java Development Environment

A.1.1 Setup Java 11

A.1.2 Setup A Java IDE

A.2 Obtaining the Book Samples

Overview

1 Making Sense of Application Security

Modern software operates in a threat-filled world where breaches are frequent, costly, and no longer limited to application code—hardware flaws and vulnerabilities exist at every layer of the stack. Security is a shared responsibility across everyone who builds and runs systems, and its business impact has elevated security leadership and accountability. For developers, this translates into clear expectations: use security features correctly across all products and services, meet corporate standards and audits, design and implement with security in mind, and embrace DevSecOps practices to integrate security throughout delivery pipelines.

Achieving real security requires more than relying on libraries and tools; it depends on understanding the standards, protocols, and patterns those tools implement. Developers often struggle with security frameworks because they lack this foundation, but mastering concepts like TLS and OpenID Connect makes libraries far easier to configure, debug, and apply effectively. The chapter also highlights software supply chain risk: widespread dependency reuse can introduce severe vulnerabilities, making continuous scanning, rapid patching, automated upgrades, and disciplined use of public APIs essential to managing third-party components safely.

Security spans a continuum of roles—from mathematicians and cryptographers to standards authors, implementers, framework builders, corporate security teams, and auditors—each contributing different expertise. Developers don’t need deep mathematical knowledge, but they do need to understand what algorithms and standards do, when to use them, and how to integrate them properly to pass audits and protect users. This book focuses on that practical developer skill set: building a clear mental model of security, applying core cryptography, using common protocols and identity patterns, securing service-to-service communication, avoiding common coding pitfalls, and collaborating effectively with InfoSec to ship trustworthy software.

Headlines showcasing major recent data breaches and security vulnerabilities, emphasizing the widespread impact on millions of users and the persistent threat to digital security.

Layers at the top depend on the layers below them. All the layers are required to produce secure application. The standards, protocols, and patterns used to secure applications are the primary focus of this book, they are the foundation that you need to use security libraries in your application effectively.

While developers often focus on libraries, frameworks, and tools at the mid-level, true security stems from foundational knowledge of standards, protocols, and patterns, as well as adherence to corporate and industry security practices. Bridging the gap between these layers leads to more effective and secure development.

The spectrum of technical roles involved in computer security roles and responsibilities

Summary

Security vulnerabilities can exist at every layer of the stack, from hardware (e.g., Meltdown, Specter) to application code.
Security is everyone’s responsibility, not just InfoSec teams - developers play a central role.
The business impact of breaches is massive (e.g., Marriott, Equifax), often costing millions or even billions.
CISOs expect developers to:

Use all product security features
Follow corporate security standards
Design and implement secure applications
Embrace DevSecOps practices

Security libraries (like Spring Security) are essential but hard to use unless you understand the underlying standards and protocols.
Supply chain attacks (e.g., Equifax Apache Struts, Event-Stream Bitcoin theft) highlight the need for vigilance in managing dependencies.
Automated vulnerability scanning in CI/CD pipelines is a best practice to detect and fix issues quickly.
Stick to published APIs in libraries to ensure maintainability and security over time.
Different roles contribute to security: mathematicians, cryptographers, standards engineers, framework engineers, InfoSec teams, auditors, and developers.
Developers don’t need deep expertise in all these roles, but they must understand enough to apply standards and use libraries correctly.
This book teaches developers the foundations (cryptography, protocols, standards) so they can confidently build secure, reliable applications.

FAQ

Why is application security everyone’s responsibility, not just the security team’s?

Because weaknesses exist at every layer—from CPU hardware to browser JavaScript—anyone who designs, builds, deploys, or operates software can introduce or mitigate risk. Shared responsibility reduces blind spots and raises the baseline across the stack.

What are the real business impacts of security breaches?

Breaches routinely cost organizations millions in response, fines, and lost trust. For example, the average breach cost is measured in the millions, some incidents have exposed hundreds of millions of records, and cleanup for high‑profile cases has exceeded a billion dollars. Security can be a company‑ending risk.

How do CISO priorities change what developers must do day to day?

Expectations include: using security features in every product you adopt, conforming to corporate standards and passing audits, designing and implementing with security by default, and embracing DevSecOps practices that integrate security into development and operations workflows.

Why aren’t security libraries alone sufficient to secure an app?

Libraries enforce mechanics (e.g., TLS handshakes), but overall safety depends on secure design, coding, configuration, and maintenance. Process matters: reviews, static analysis, threat‑aware design, secure defaults, and ongoing patching are essential.

Why should developers learn standards, protocols, and patterns (like TLS and OpenID Connect)?

Understanding the foundations makes frameworks easier to configure, reduces trial‑and‑error, speeds up debugging, and helps you justify choices to auditors. With the “why” clear, the “how” in libraries becomes straightforward.

What is software supply chain risk, and why is it growing?

Modern apps depend on hundreds of third‑party components. A single vulnerable or malicious dependency can compromise the whole system, as seen in widely publicized incidents. Attackers target supply chains because the blast radius is large and defenses are uneven.

How can teams manage and reduce dependency vulnerabilities effectively?

- Use automated scanners to inventory dependencies (direct and transitive) and flag known CVEs
- Run scans on every commit; fail builds on high‑risk issues
- Rescan when vulnerability databases update
- Enable automated upgrade PRs and, where safe, auto‑merge with test coverage
- Wire fixes into CI/CD so patches ship quickly

How do we avoid being trapped on outdated, risky libraries?

Code only against public, supported APIs; avoid internal or undocumented interfaces. Maintain regular upgrade cadences, allocate time for refactoring, and keep tests strong so you can adopt new versions confidently.

Who does what in security, and where should developers focus?

- Mathematicians and cryptographers create the theory and primitives
- Standards engineers define interoperable protocols (e.g., TLS, OIDC)
- Implementers and framework authors build libraries and tooling
- Corporate InfoSec sets policies and advises teams; auditors verify compliance
- Developers should master applying standards via libraries, secure design, and meeting corporate controls.

What core security skills should application developers have?

- Big‑picture understanding of risks and tradeoffs
- Cryptography basics (what to use, when, and how to configure)
- Practical use of standards/protocols (TLS, OAuth/OIDC)
- Identity, authentication, and authorization design
- Secure service‑to‑service communication
- Code hygiene: spotting and fixing common flaws
- Supply chain security and tooling (scanners, CI/CD gates)
- Audit readiness and effective collaboration with InfoSec.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $35.99

you save $12.00 (25%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $35.99

you save $12.00 (25%)

eBook

pdf, ePub, online

$47.99 $35.99

you save $12.00 (25%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more