Secure code with 3rd Party Library

● Avoid rolling your own cryptographic code (read this to know why)
● Don't reinvent the wheel! Always follow the DRY and KISS approaches.
● Less is better: using tried-and-tested 3rd party libraries means you have fewer things to worry about, and your code will have fewer bugs.

Also read the secure coding guide from Oracle:
http://www.oracle.com/technetwork/java/seccodeguide-139067.html

Find the common mistakes developers make:
http://find-sec-bugs.github.io/bugs.htm
Secure code with 3rd Party Library

Some very common 3rd party libraries:
● Apache Commons Lang and IO
● Google Guava, to complement the Java Collections API
● Joda-Time library (for Java version <= 7)
● And many more

Some sample code snippets from our repository where we could have used 3rd party library methods:
commons.lang.StringEscapeUtils

Before:
    // Hand-rolled escaping: only '<', '>' and '"' are handled;
    // '&' and '\'' pass through unchanged
    StringBuilder result = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); ++i) {
        switch (value.charAt(i)) {
            case '<':
                result.append("&lt;");
                break;
            case '>':
                result.append("&gt;");
                break;
            case '"':
                result.append("&quot;");
                break;
            default:
                result.append(value.charAt(i));
                break;
        }
    }
    return result.toString();

After:
    StringEscapeUtils.escapeXml(value);

Also hundreds of practical uses of String manipulation (join, replace, conversion, etc.) from:
http://commons.apache.org/proper/commons-lang/javadocs/api-3.1/org/apache/commons/lang3/StringUtils.html
http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/util/StringUtils.html
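An added check, not from the slides, that makes the gap between the two escapers concrete: it runs the slide's hand-rolled loop and StringEscapeUtils.escapeXml over the same constructed inputs, places each result in a single-quoted attribute and in element text, and asks a hardened DOM parser whether the document is still well-formed. The class name, the sample values and the hardened-parser helper are assumptions for this example; it needs commons-lang3 3.1 on the classpath (on 3.3 or later use escapeXml10).

```java
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.commons.lang3.StringEscapeUtils;
import org.xml.sax.InputSource;

public class EscapeXmlCheck {

    // The hand-rolled escaper from the slide, behaviour kept as-is:
    // it handles '<', '>' and '"' and nothing else.
    static String handRolled(String value) {
        StringBuilder result = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); ++i) {
            switch (value.charAt(i)) {
                case '<':  result.append("&lt;");   break;
                case '>':  result.append("&gt;");   break;
                case '"':  result.append("&quot;"); break;
                default:   result.append(value.charAt(i)); break;
            }
        }
        return result.toString();
    }

    // Parser with external-entity processing turned off, so the check itself
    // cannot be abused (a DOCTYPE is rejected outright; no sample needs one).
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // True if a fragment built from the escaped value parses as well-formed XML.
    // The value is used in a single-quoted attribute and as element text,
    // the two places an escaper has to protect.
    static boolean wellFormed(DocumentBuilder parser, String escaped) {
        String doc = "<item name='" + escaped + "'>" + escaped + "</item>";
        try {
            parser.parse(new InputSource(new StringReader(doc)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder parser = hardenedParser();
        // Constructed sample inputs; each is a value an application might receive.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("ampersand",   "Smith & Sons");          // '&' alone is never valid XML
        samples.put("apostrophe",  "O'Brien");               // breaks a single-quoted attribute
        samples.put("angle+quote", "<b class=\"x\">");       // both escapers cope with this one
        samples.put("entity-like", "&lt;not-a-tag&gt;");     // must be re-escaped, not passed through

        for (Map.Entry<String, String> s : samples.entrySet()) {
            String mine = handRolled(s.getValue());
            String lib  = StringEscapeUtils.escapeXml(s.getValue());
            System.out.printf("%-12s hand-rolled: %-26s well-formed=%-5s | library: %-32s well-formed=%s%n",
                    s.getKey(), mine, wellFormed(parser, mine), lib, wellFormed(parser, lib));
        }
    }
}
```

The first two samples come out malformed from the hand-rolled loop and well-formed from the library; the fourth parses either way, but only the library output preserves the literal text.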
org.apache.commons.io.IOUtils (similar: FileUtils)

Before:
    StringWriter sw = new StringWriter();
    PrintWriter out = new PrintWriter(sw);
    BufferedReader in = null;
    try {
        in = new BufferedReader(new FileReader(indexFile));
        String line = in.readLine();
        while (line != null) {
            out.println(line);
            line = in.readLine();
        }
    } finally {
        if (in != null) {
            try {
                in.close();
            } catch (Exception t) {
                log.warn("", t);
            } finally {
                in = null;
            }
        }
        out.close();
    }

After:
    // IOUtils.copy does not close the reader it is given; close it yourself
    // (try-with-resources or IOUtils.closeQuietly) or the file handle leaks
    IOUtils.copy(new FileReader(indexFile), sw);

More from:
https://commons.apache.org/proper/commons-io/bestpractices.html
org.joda.DateTime (or Java 8 Date API)

Before:
    Calendar fromCal = Calendar.getInstance();
    fromCal.set(Calendar.DAY_OF_MONTH, 1);
    if (spec.getMonth() > 0) {
        fromCal.set(Calendar.MONTH, spec.getMonth() - 1);
    }
    if (spec.getYear() > 0) {
        fromCal.set(Calendar.YEAR, spec.getYear());
    }
    fromCal.set(Calendar.HOUR_OF_DAY, 0);
    fromCal.set(Calendar.MINUTE, 0);
    fromCal.set(Calendar.SECOND, 0);
    fromCal.set(Calendar.MILLISECOND, 0);
    Calendar toCal = Calendar.getInstance();
    if (spec.getMonth() > 0) {
        toCal.set(Calendar.MONTH, spec.getMonth() - 1);
    }
    toCal.set(Calendar.DAY_OF_MONTH,
            toCal.getActualMaximum(Calendar.DAY_OF_MONTH));
    if (spec.getYear() > 0) {
        toCal.set(Calendar.YEAR, spec.getYear());
    }
    toCal.set(Calendar.HOUR_OF_DAY, 0);
    toCal.set(Calendar.MINUTE, 0);
    toCal.set(Calendar.SECOND, 0);
    toCal.set(Calendar.MILLISECOND, 0);

After:
    // Note: this uses the current month; to honour spec's year and month when
    // they are set, as the Before code does, chain withYear(...) and
    // withMonthOfYear(...) before dayOfMonth()
    Date firstDayOfMonth = new DateTime().withTimeAtStartOfDay()
            .dayOfMonth().withMinimumValue()
            .toDate();
    Date lastDayOfMonth = new DateTime().withTimeAtStartOfDay()
            .dayOfMonth().withMaximumValue()
            .toDate();

More from:
http://stackoverflow.com/questions/589870/should-i-use-java-date-and-time-classes-or-go-with-a-3rd-party-library-like-joda
Google Guava: com.google.common.base.Splitter

Sample value: prop1=value1,prop2=value2,prop3=value3

Before:
    HashSet set = new HashSet();
    String property = Globals.getProperty(commaSepKeyVals);
    if (property != null && property.length() > 0) {
        Vector v = RegexUtil.split("/,/", property);
        set.addAll(v);
    }
    Iterator<String> iter = set.iterator();
    while (iter.hasNext()) {
        String paramFilterKeyVal = iter.next();
        String[] keyValue = paramFilterKeyVal.split("=");
        if (keyValue.length == 2) {
            filterMap.put(keyValue[0], keyValue[1]);
        }
    }

After:
    // Unlike the loop above, MapSplitter throws IllegalArgumentException on an
    // entry without '=' or on a duplicate key (and NullPointerException on a
    // null property) instead of silently skipping it
    filterMap = Splitter.on(",").withKeyValueSeparator("=")
            .split(Globals.getProperty(commaSepKeyVals));

More from:
http://stackoverflow.com/questions/3759440/the-guava-library-for-java-what-are-its-most-useful-and-or-hidden-features
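An added example, not from the slides, showing the behavioural change that comes with the Splitter version: the old loop dropped entries it could not parse, while MapSplitter rejects them, so malformed filter configuration fails closed instead of being half-applied. The class name, the parse() helper and the two malformed inputs are constructed for this example; the first input is the slide's sample value.

```java
import com.google.common.base.Splitter;
import java.util.Collections;
import java.util.Map;

public class FilterMapParser {

    // Same configuration as the slide's "After" snippet, plus trimming of whitespace
    // around entries. MapSplitter.split() throws IllegalArgumentException when an
    // entry has no '=' or when a key repeats, where the old loop silently skipped it.
    private static final Splitter.MapSplitter KEY_VALUES =
            Splitter.on(',').trimResults().omitEmptyStrings().withKeyValueSeparator('=');

    // Fail-closed parse: a missing property yields an empty map (as before),
    // a malformed one is reported to the caller rather than partially applied.
    static Map<String, String> parse(String commaSepKeyVals) {
        if (commaSepKeyVals == null || commaSepKeyVals.trim().isEmpty()) {
            return Collections.emptyMap();
        }
        return KEY_VALUES.split(commaSepKeyVals);
    }

    public static void main(String[] args) {
        // Constructed inputs: the slide's sample value and two malformed variants.
        String[] inputs = {
            "prop1=value1,prop2=value2,prop3=value3",
            "prop1=value1,prop2,prop3=value3",   // entry without a key-value separator
            "prop1=value1,prop1=value2",         // duplicate key
        };
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + parse(in));
            } catch (IllegalArgumentException e) {
                System.out.println(in + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```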
Thanks
Naimul Huda
mdnhuda@gmail.com