Software Security for Developers you own this product

With examples in Java and Spring

Adib Saikali, Laurențiu Spilcă

MEAP began November 2021
Last updated March 2026
Publication in June 2026 (estimated)

ISBN 9781617298585
360 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development / Software Engineering / Security and Privacy / Cloud Application Security

resources: Source code Book forum Source code on GitHub

table of content

Part 1: Application Security the Big Picture

1 Making Sense of Application Security

1.1 Developers’ responsibility in software security

1.1.1 What does secure development actually look like?

1.1.2 How security expectations shape the developer’s role

1.2 Securing the supply chain risk

1.3 Roles and responsibilities in security

1.4 What you will learn in this book

1.5 Summary

2 Standards for implementing authentication

2.1 Logging users in

2.1.1 Customer authentication

2.1.2 Employee authentication

2.1.3 Partner authentication

2.1.4 Phishing resistant authentication

2.1.5 Authentication technology from a developer’s perspective

2.1.6 Exercises

2.2 Securing application credentials

2.2.1 Exercises

2.3 Exercise Answers

2.4 Summary

3 Service-to-service communication

3.1 Securing the service-to-service call chain

3.1.1 Propagating user identity through the service call chain

3.1.2 Determining service identity

3.1.3 Exercises

3.2 Securely running services on Kubernetes

3.2.1 Exercises

3.3 Security technologies every developer should know

3.3.1 Exercises

3.4 Exercise Answers

3.5 Summary

Part 2: Cryptography foundations

4 Message Integrity and Authentication

4.1 The goals of cryptography

4.2 Cryptographic hash functions

4.2.1 Secure Hash Algorithm (SHA)

4.2.2 Verifying integrity using a cryptographic hash function

4.2.3 Design for hash function change

4.2.4 Exercises

4.3 Java cryptography architecture and extensions

4.4 Implementing message integrity in Java

4.5 Message Authentication Code (MAC)

4.5.1 Hashed Message Authentication Code (HMAC)

4.5.2 Java Support for HMAC

4.5.3 Exercises

4.6 Guaranteeing authenticity using HMAC

4.7 Exercise answers

4.8 Summary

5 Advanced Encryption Standard

5.1 Advanced Encryption Standard Overview

5.2 Modes of operation

5.2.1 Cipher Block Chaining (CBC) mode

5.2.2 Authenticated encryption

5.2.3 Galois Counter Mode (GCM)

5.2.4 Exercises

5.3 Java Support for AES

5.3.1 The ACME Inc. Scenario

5.3.2 Implementing the ACME Inc. Scenario

5.4 Authenticated Encryption with Associated Data (AEAD)

5.4.1 Exercises

5.5 AES Best Practices

5.5.1 Selecting the AES key size

5.5.2 Checklist for using AES-GCM correctly in Java

5.5.3 Exercises

5.6 Answers to exercises

5.7 Summary

6 Public Key Encryption and Digital Signatures: Unleashing RSA

6.1 The secret key distribution problem

6.1.1 Exercises

6.2 Public key cryptosystems

6.2.1 Exercises

6.3 RSA public key cryptosystem

6.3.1 Configuring RSA

6.3.2 Hybrid Encryption

6.3.3 Signing data with RSA

6.3.4 Exercises

6.4 Java Support for RSA

6.5 Answers to exercises

6.6 Summary

7 Public Key Encryption and Digital Signatures: Using ECC

7.1 Elliptic curve public key cryptosystems

7.1.1 Configuring ECC

7.1.2 Diffie-Helman key agreement

7.1.3 Exercises

7.2 Java support for elliptic curves

7.2.1 Java support for encryption with elliptic curves

7.2.2 Java support for signing with elliptic curves

7.3 RSA vs. ECC

7.3.1 Exercises

7.4 Answers to exercises

7.5 Summary

Part 3: Securing communication channels

8 Public Key Infrastructure and X.509 Digital Certificates: know who you are talking to

8.1 Inspecting X.509 Digital Certificates

8.1.1 Inspecting X.509 certificates with OpenSSL CLI

8.1.2 Downloading a Website’s X.509 Digital Certificate Using OpenSSL CLI

8.1.3 Viewing The Fields of an X.509 Digital Certificate

8.1.4 Subject fields: Identify the public key and its owner.

8.1.5 Issuer Field: Identifies who created the certificate

8.1.6 Validity Fields

8.1.7 X.509 Digital Certificate Encoding Formats

8.1.8 Exercises

8.2 Verifying X.509 Digital Certificates

8.2.1 Verifying the GitHub.com X.509 Certificate

8.2.2 Exercises

8.3 Answers to exercises

8.4 Summary

9 Working with X.509 Certificates: Lifecycle and Self-Signing

9.1 Certificate Lifecycle: Issuance to revocation

9.1.1 Creating a keypair

9.1.2 Creating a Certificate Signing Request (CSR)

9.1.3 CSR Validation

9.1.4 Certificate Issuance

9.1.5 Certificate Revocation

9.1.6 Exercises

9.2 Private Certificate Authority for Local Development

9.2.1 Create a Self-Signed Root Certificate

9.2.2 Install the Certificate Authority into the Operating System Trust Store

9.2.3 Issue a certificate using the personal certificate authority

9.2.4 Exercises

9.3 Answers to exercises

9.4 Summary

10 Transport Layer Security (TLS): How the internet is secured

10.1 Securing communication with TLS

10.1.1 How it all started

10.1.2 TLS and mTLS

10.1.3 Exercises

10.2 What TLS actually protects you against

10.2.1 Protection from eavesdropping

10.2.2 Making sure there’s no tampering

10.2.3 Avoiding impersonation

10.2.4 Exercises

10.3 TLS in practice

10.3.1 Exercises

10.4 Answers to exercises

10.5 Summary

Part 4: Modern Authentication and Identity

11 JSON Object Signing and Encryption (JOSE)

11.1 The Standards Layer Cake

11.2 The problem solved by JSON Web Algorithms (JWA)

11.2.1 Exercises

11.3 JSON Web Key (JWK)

11.3.1 Exercises

11.4 JSON Web Signature (JWS)

11.4.1 JSON Web Object (JWS) Structure

11.4.2 Creating and verifying a JWS object

11.4.3 The credit card refunds scenario with JWS

11.4.4 Exercises

11.5 JSON Web Encryption (JWE)

11.5.1 JWE Structure

11.5.2 Creating and verifying JWE objects

11.5.3 Exercises

11.6 JSON Web Token (JWT)

11.6.1 Exercises

11.7 Answers to exercises

11.8 Summary

12 Single Sign On (SSO) using OAuth2 and OpenID Connect

12.1 Splitting security data management responsibilities

12.1.1 Exercises

12.2 Using authentication flows

12.2.1 The authorization code grant type

12.2.2 What actually are the tokens?

12.2.3 The client credentials grant type

12.2.4 Exercises

12.3 Applying OpenID Connect to Acme Inc.

12.3.1 Answers to exercises

12.4 Summary

13 Deepening security with OpenID Connect

13.1 Augmenting the authorization code grant type with PKCE

13.1.1 Exercises

13.2 Using refresh tokens to simplify authentication

13.2.1 Exercises

13.3 Supporting identity management with OpenID Connect

13.3.1 The Identity Layer and ID Token

13.3.2 The UserInfo Endpoint

13.3.3 Protection Against Replay Attacks and CSRF

13.3.4 Session management and logout

13.3.5 Exercises

13.4 Using multitenancy

13.4.1 Exercises

13.5 Answers to exercises

13.6 Summary

14 Passwordless login: Using Magic links and OTPs

14.1 The real magic of magic links authentication

14.1.1 Exercises

14.2 Authentication through One-Time Passwords (OTPs)

14.2.1 Exercises

14.3 Answers to exercises

14.4 Summary

15 Passwordless login: WebAuthn and hardware authentication

15.1 Biometric authentication

15.1.1 Fingerprint Scanning (Most Common)

15.1.2 Facial Recognition (Rapidly Growing)

15.1.3 Iris & Retina Scanning (Highly Secure)

15.1.4 Voice Recognition (Used in Call Centers & Virtual Assistants)

15.1.5 Palm Vein Recognition (High Security, Less Common)

15.1.6 Exercises

15.2 Authenticating using hardware keys

15.2.1 Exercises

15.3 Implementing WebAuthn authentication

15.3.1 Exercises

15.4 Answers to exercises

15.5 Summary

Part 5: Securing service-to-service call chain

16 Implementing service identity

16.1 What service identity is

16.1.1 Exercises

16.2 Implementing service authorization at the application level

16.2.1 Using the OAuth2 client credentials grant type

16.2.2 Using API Keys

16.2.3 Using custom authorization logic

16.2.4 Exercises

16.3 Implementing service authorization at the infra-level

16.3.1 Exercises

16.4 Answers to exercises

16.5 Summary

17 Taming authorization: RBAC, ABAC, ReBAC

17.1 What are core authorization models

17.1.1 Role-Based Access Control (RBAC)

17.1.2 Attribute-Based Access Control (ABAC)

17.1.3 Relationship-Based Access Control (ReBAC)

17.1.4 Exercises

17.2 Authorization in real-world architectures

17.2.1 Authorization within monoliths

17.2.2 Service-oriented authorization

17.2.3 Exercises

17.3 Answers to questions

17.4 Summary

Appendix

Appendix A: Installation and Setup

A.1 Setting up Java Development Environment

A.1.1 Setup Java 11

A.1.2 Setup A Java IDE

A.2 Obtaining the Book Samples

Overview

14 Passwordless login: Using Magic links and OTPs

Passwordless authentication removes the friction and fragility of memorized secrets by replacing passwords with sign-in actions tied to possession and intent. This chapter explains two widely deployed approaches—magic links and one-time passwords (OTPs)—showing how they improve usability while stressing that security depends on careful implementation and user awareness. It highlights common pitfalls such as account enumeration, phishing, token reuse, and weak delivery channels, and frames passwordless as part of a broader journey toward stronger, phishing-resistant methods like WebAuthn.

With magic links, a user submits an email address and receives a short‑lived, cryptographically signed token embedded in a link. The application must prevent email enumeration with generic responses; generate tokens with strong signing, explicit expiration, and a nonce; store and invalidate tokens on first use to stop replay; throttle requests; and monitor for anomalies. Delivery should be clearly branded, and the token should not appear as plaintext to avoid leakage via previews, forwarding, or logs. On click, the app verifies signature, expiry, and one‑time use, then establishes a session. Because email compromise and phishing remain real threats, domain checks, user education, and optional MFA can meaningfully raise the bar.

OTPs follow a similar pattern but require users to enter a short code that is randomly generated, time‑bound, and single‑use, then validated for correctness and expiry before issuing a session. Their benefits include being ephemeral, not requiring memory, and working across channels (SMS, email, or authenticator apps), making them a strong fit for MFA as “something you have.” Risks include SMS interception (e.g., SIM swap), phishing, and brute force—mitigated by using cryptographically secure generation, short lifetimes, rate limiting on requests and entry attempts, monitoring for suspicious activity, favoring app‑based TOTPs over SMS, and providing safe fallbacks. Compared with magic links, OTPs trade a little convenience for flexibility; both can deliver secure, user‑friendly logins when paired with strict expiry, one‑time semantics, throttling, auditing, and phishing defenses.

Authenticating through magic links. Upon the user’s request, the app generates a unique link and sends it to the user by email. The user clicks on the link to authenticate.

A malicious individual might send a fake but realistically looking email between steps 3 and 4 of the process. An inattentive user could be fooled into clicking the wrong link.

Security is only as strong as its weakest link. You can have the best defenses, but if you leave the key under the rug… well, good luck!

The OTP authentication process. The app generates a random OTP and sends it to the user. The user uses the received OTP to authenticate.

Summary

Passwordless authentication improves security and convenience by eliminating weak or reused passwords. This chapter explored Magic Links, OTPs, Biometric Authentication, and Hardware Security Keys as alternatives. Each method has its advantages and risks.
Magic links allow users to log in via a one-time link sent to their email. However, they are vulnerable to phishing and email compromise. Using short-lived, cryptographically signed tokens and preventing email enumeration helps mitigate risks.
OTPs provide temporary numeric codes via SMS, email, or authenticator apps. They are susceptible to SIM-swapping, phishing, and brute-force attacks. Using app-based OTPs (Google Authenticator, Authy) and limiting OTP requests increases security.
Passwordless authentication reduces phishing, credential leaks, and login friction, but no single method fits all use cases. Choosing the right approach depends on security needs, usability, and risk factors.
Proper implementation is key—even the most secure authentication method can be exploited if configured poorly. Following best practices, encryption standards, and secure handling of authentication data ensures a stronger, safer login experience.

FAQ

What is a magic link and how does it authenticate users?

Users enter their email, the app generates a signed, short‑lived token embedded in a URL, and emails the link. When clicked, the app verifies the token’s signature, expiration, and that it hasn’t been used, then creates a session and invalidates the token.

Why shouldn’t my app reveal whether an email address exists?

Disclosing account existence enables email enumeration. Attackers can confirm valid users and launch targeted phishing, credential stuffing, or brute‑force attempts. Use generic responses like “If an account exists, we’ve sent a link.”

How do I generate a secure magic link token?

Create a cryptographically signed token (e.g., JWT or HMAC) that includes user ID/email, an expiration (5–15 minutes), and a nonce to prevent replay. Deliver the link over HTTPS.

Why store magic link tokens in a database or cache?

To mark tokens as used (one‑time use), support revocation, throttle requests, detect abuse (e.g., many tokens for one email), and enable auditing/alerts for unusual activity.

Why shouldn’t the tokenized URL appear in plaintext in the email?

Visible tokens can leak via previews, notifications, forwarding, or logging by email/security tools. Keep the token only in the clickable href and avoid showing it as visible text.

How can I reduce phishing risk in magic link flows?

Use clear branding and familiar templates, verify domains/links, keep links short‑lived and one‑time, warn users about suspicious activity, and consider adding MFA before finalizing login.

How do One-Time Passwords (OTPs) work and what are their benefits?

The app generates a cryptographically random 6–8 digit code with a short expiration. It’s delivered via SMS, email, or an authenticator app, entered by the user, and validated for correctness, expiry, and single use. Benefits: time‑limited, single‑use, no static secret to remember or reuse.

What are common OTP risks and how do I mitigate them?

Risks: SMS interception (SIM swapping, SS7), phishing, and brute‑force guessing. Mitigations: prefer app‑based OTPs, enforce rate limits on requests and entries, short expirations, hash and delete OTPs after use, and monitor for suspicious patterns.

How do OTPs and magic links fit into multi-factor authentication (MFA)?

OTPs often serve as “something you have” alongside a password or biometric. Magic links are typically single‑factor; for higher‑risk actions, pair them with an additional factor.

Should I choose magic links or OTPs for my app?

Choose magic links for a smooth, passwordless experience when email is reliable. Choose OTPs for MFA, TOTP app support, or when email is unreliable. Both require phishing protections, short expirations, one‑time use, and rate limiting.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $23.99

you save $24.00 (50%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $23.99

you save $24.00 (50%)

eBook

pdf, ePub, online

$47.99 $23.99

you save $24.00 (50%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more