Software Security for Developers you own this product

With examples in Java and Spring

Adib Saikali, Laurențiu Spilcă

MEAP began November 2021
Last updated March 2026
Publication in April 2026 (estimated)

ISBN 9781617298585
371 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development / Software Engineering / Security and Privacy / Cloud Application Security

resources: Source code Book forum Source code on GitHub

table of content

Part 1: Application Security the Big Picture

1 Making Sense of Application Security

1.1 Developers’ responsibility in software security

1.1.1 What does secure development actually look like?

1.1.2 How security expectations shape the developer’s role

1.2 Securing the supply chain risk

1.3 Roles and responsibilities in security

1.4 What you will learn in this book

1.5 Summary

2 Standards for implementing authentication

2.1 Logging users in

2.1.1 Customer authentication

2.1.2 Employee authentication

2.1.3 Partner authentication

2.1.4 Phishing resistant authentication

2.1.5 Authentication technology from a developer’s perspective

2.1.6 Exercises

2.2 Securing application credentials

2.2.1 Exercises

2.3 Exercise Answers

2.4 Summary

3 Service-to-service communication

3.1 Securing the service-to-service call chain

3.1.1 Propagating user identity through the service call chain

3.1.2 Determining service identity

3.1.3 Exercises

3.2 Securely running services on Kubernetes

3.2.1 Exercises

3.3 Security technologies every developer should know

3.3.1 Exercises

3.4 Exercise Answers

3.5 Summary

Part 2: Cryptography foundations

4 Message Integrity and Authentication

4.1 The goals of cryptography

4.2 Cryptographic hash functions

4.2.1 Secure Hash Algorithm (SHA)

4.2.2 Verifying integrity using a cryptographic hash function

4.2.3 Design for hash function change

4.2.4 Exercises

4.3 Java cryptography architecture and extensions

4.4 Implementing message integrity in Java

4.5 Message Authentication Code (MAC)

4.5.1 Hashed Message Authentication Code (HMAC)

4.5.2 Java Support for HMAC

4.5.3 Exercises

4.6 Guaranteeing authenticity using HMAC

4.7 Exercise answers

4.8 Summary

5 Advanced Encryption Standard

5.1 Advanced Encryption Standard Overview

5.2 Modes of operation

5.2.1 Cipher Block Chaining (CBC) mode

5.2.2 Authenticated encryption

5.2.3 Galois Counter Mode (GCM)

5.2.4 Exercises

5.3 Java Support for AES

5.3.1 The ACME Inc. Scenario

5.3.2 Implementing the ACME Inc. Scenario

5.4 Authenticated Encryption with Associated Data (AEAD)

5.4.1 Exercises

5.5 AES Best Practices

5.5.1 Selecting the AES key size

5.5.2 Checklist for using AES-GCM correctly in Java

5.5.3 Exercises

5.6 Answers to exercises

5.7 Summary

6 Public Key Encryption and Digital Signatures: Unleashing RSA

6.1 The secret key distribution problem

6.1.1 Exercises

6.2 Public key cryptosystems

6.2.1 Exercises

6.3 RSA public key cryptosystem

6.3.1 Configuring RSA

6.3.2 Hybrid Encryption

6.3.3 Signing data with RSA

6.3.4 Exercises

6.4 Java Support for RSA

6.5 Answers to exercises

6.6 Summary

7 Public Key Encryption and Digital Signatures: Using ECC

7.1 Elliptic curve public key cryptosystems

7.1.1 Configuring ECC

7.1.2 Diffie-Helman key agreement

7.1.3 Exercises

7.2 Java support for elliptic curves

7.2.1 Java support for encryption with elliptic curves

7.2.2 Java support for signing with elliptic curves

7.3 RSA vs. ECC

7.3.1 Exercises

7.4 Answers to exercises

7.5 Summary

Part 3: Securing communication channels

8 Public Key Infrastructure and X.509 Digital Certificates: know who you are talking to

8.1 Inspecting X.509 Digital Certificates

8.1.1 Inspecting X.509 certificates with OpenSSL CLI

8.1.2 Downloading a Website’s X.509 Digital Certificate Using OpenSSL CLI

8.1.3 Viewing The Fields of an X.509 Digital Certificate

8.1.4 Subject fields: Identify the public key and its owner.

8.1.5 Issuer Field: Identifies who created the certificate

8.1.6 Validity Fields

8.1.7 X.509 Digital Certificate Encoding Formats

8.1.8 Exercises

8.2 Verifying X.509 Digital Certificates

8.2.1 Verifying the GitHub.com X.509 Certificate

8.2.2 Exercises

8.3 Answers to exercises

8.4 Summary

9 Working with X.509 Certificates: Lifecycle and Self-Signing

9.1 Certificate Lifecycle: Issuance to revocation

9.1.1 Creating a keypair

9.1.2 Creating a Certificate Signing Request (CSR)

9.1.3 CSR Validation

9.1.4 Certificate Issuance

9.1.5 Certificate Revocation

9.1.6 Exercises

9.2 Private Certificate Authority for Local Development

9.2.1 Create a Self-Signed Root Certificate

9.2.2 Install the Certificate Authority into the Operating System Trust Store

9.2.3 Issue a certificate using the personal certificate authority

9.2.4 Exercises

9.3 Answers to exercises

9.4 Summary

10 Transport Layer Security (TLS): How the internet is secured

10.1 Securing communication with TLS

10.1.1 How it all started

10.1.2 TLS and mTLS

10.1.3 Exercises

10.2 What TLS actually protects you against

10.2.1 Protection from eavesdropping

10.2.2 Making sure there’s no tampering

10.2.3 Avoiding impersonation

10.2.4 Exercises

10.3 TLS in practice

10.3.1 Exercises

10.4 Answers to exercises

10.5 Summary

Part 4: Modern Authentication and Identity

11 JSON Object Signing and Encryption (JOSE)

11.1 The Standards Layer Cake

11.2 The problem solved by JSON Web Algorithms (JWA)

11.2.1 Exercises

11.3 JSON Web Key (JWK)

11.3.1 Exercises

11.4 JSON Web Signature (JWS)

11.4.1 JSON Web Object (JWS) Structure

11.4.2 Creating and verifying a JWS object

11.4.3 The credit card refunds scenario with JWS

11.4.4 Exercises

11.5 JSON Web Encryption (JWE)

11.5.1 JWE Structure

11.5.2 Creating and verifying JWE objects

11.5.3 Exercises

11.6 JSON Web Token (JWT)

11.6.1 Exercises

11.7 Answers to exercises

11.8 Summary

12 Single Sign On (SSO) using OAuth2 and OpenID Connect

12.1 Splitting security data management responsibilities

12.1.1 Exercises

12.2 Using authentication flows

12.2.1 The authorization code grant type

12.2.2 What actually are the tokens?

12.2.3 The client credentials grant type

12.2.4 Exercises

12.3 Applying OpenID Connect to Acme Inc.

12.3.1 Answers to exercises

12.4 Summary

13 Deepening security with OpenID Connect

13.1 Augmenting the authorization code grant type with PKCE

13.1.1 Exercises

13.2 Using refresh tokens to simplify authentication

13.2.1 Exercises

13.3 Supporting identity management with OpenID Connect

13.3.1 The Identity Layer and ID Token

13.3.2 The UserInfo Endpoint

13.3.3 Protection Against Replay Attacks and CSRF

13.3.4 Session management and logout

13.3.5 Exercises

13.4 Using multitenancy

13.4.1 Exercises

13.5 Answers to exercises

13.6 Summary

14 Passwordless login: Using Magic links and OTPs

14.1 The real magic of magic links authentication

14.1.1 Exercises

14.2 Authentication through One-Time Passwords (OTPs)

14.2.1 Exercises

14.3 Answers to exercises

14.4 Summary

15 Passwordless login: WebAuthn and hardware authentication

15.1 Biometric authentication

15.1.1 Fingerprint Scanning (Most Common)

15.1.2 Facial Recognition (Rapidly Growing)

15.1.3 Iris & Retina Scanning (Highly Secure)

15.1.4 Voice Recognition (Used in Call Centers & Virtual Assistants)

15.1.5 Palm Vein Recognition (High Security, Less Common)

15.1.6 Exercises

15.2 Authenticating using hardware keys

15.2.1 Exercises

15.3 Implementing WebAuthn authentication

15.3.1 Exercises

15.4 Answers to exercises

15.5 Summary

Part 5: Securing service-to-service call chain

16 Implementing service identity

16.1 What service identity is

16.1.1 Exercises

16.2 Implementing service authorization at the application level

16.2.1 Using the OAuth2 client credentials grant type

16.2.2 Using API Keys

16.2.3 Using custom authorization logic

16.2.4 Exercises

16.3 Implementing service authorization at the infra-level

16.3.1 Exercises

16.4 Answers to exercises

16.5 Summary

17 Taming authorization: RBAC, ABAC, ReBAC

17.1 What are core authorization models

17.1.1 Role-Based Access Control (RBAC)

17.1.2 Attribute-Based Access Control (ABAC)

17.1.3 Relationship-Based Access Control (ReBAC)

17.1.4 Exercises

17.2 Authorization in real-world architectures

17.2.1 Authorization within monoliths

17.2.2 Service-oriented authorization

17.2.3 Exercises

17.3 Answers to questions

17.4 Summary

Appendix

Appendix A: Installation and Setup

A.1 Setting up Java Development Environment

A.1.1 Setup Java 11

A.1.2 Setup A Java IDE

A.2 Obtaining the Book Samples

Overview

15 Passwordless login: WebAuthn and hardware authentication

Passwordless authentication replaces fragile passwords with strong, device‑bound cryptography. Using WebAuthn, applications authenticate users with public‑key credentials backed by either biometrics (something you are) or hardware security keys (something you have). Because the private key never leaves the device and signatures are tied to the origin, this approach blocks common threats like phishing, credential stuffing, and brute force, while offering a faster, more user‑friendly login experience supported across modern browsers and operating systems.

Biometric authentication verifies identity from fingerprints, faces, irises, voices, or even palm vein patterns. During enrollment, devices store mathematical templates—not raw biometrics—in hardware‑backed secure areas such as TEEs or secure enclaves; subsequent logins match against these templates with a tolerance for variation. While biometrics are quick and convenient, they introduce distinct risks: template theft is irreversible, weak enrollment flows can be abused with deepfakes, and improperly protected data paths enable replay or MITM attacks. Presentation and spoofing attacks further threaten sensors without robust liveness checks. Strong implementations pair secure storage with encryption, anti‑replay measures, liveness detection, and clear user prompts to reduce social‑engineering success.

Hardware security keys implement FIDO2/WebAuthn with on‑device keypair generation, challenge‑response signing, and strict origin binding, making them highly resistant to phishing and secret exfiltration. Their main trade‑offs are operational: users may lose a key and services must support them, so backups and recovery processes matter. Implementing WebAuthn centers on two flows: registration (create credentials and store the public key and credential ID server‑side) and authentication (issue a random challenge, have the authenticator sign it, then verify with the stored public key). Production‑grade deployments require secure contexts (HTTPS or localhost), ephemeral challenge storage with timeouts, rpId/origin verification, horizontal scalability considerations, and reliance on well‑vetted libraries rather than custom cryptographic code.

A three-step process. Initially, a sure needs to register their data. Following registration, the user can try to authenticate and get verified by the system.

Improperly secured transmission and storage of biometric authentication data can expose it to hackers, who may then exploit it in replay attacks.

The authentication process using a hardware key. The app generates a random value and asks the key to sign it with its private key. The app then verifies the signature using its public key. The public key from the pair needs to already be configured at the app level. This configuration happens during the registration step.

Running a local web server using the jwebserver command from the JDK. The server is started in the bin directory of the JDK installation, binding to 127.0.0.1 on port 8000. This allows the HTML page to be served over a secure context (localhost), which is required for WebAuthn functionality.

When the "Register WebAuthn Credential" button is clicked, the browser initiates the WebAuthn registration process. The system prompts the user with a Windows Security dialog to confirm their identity and save a passkey for the specified domain (localhost in this case), using platform authentication.

Output in the browser’s developer console after triggering the WebAuthn registration process. The console displays the attestation object and client data in base64-encoded form, representing the public key credential generated by the browser.

Summary

Passwordless authentication improves security and convenience by eliminating weak or reused passwords.
Spoofing attacks (deepfakes, fake fingerprints) and stolen biometric templates pose risks, such as unauthorized access to sensitive accounts, bypassing multi-factor authentication, and long-term identity compromise
Storing biometric data in secure hardware (TPM, Secure Enclave) and implementing anti-spoofing measures improves security.
Hardware security keys provide the strongest authentication by using public-key cryptography.
Hardware security keys eliminate phishing risks but require physical possession, making backup keys necessary.
Using FIDO2/WebAuthn and enforcing domain binding ensures maximum security.
Passwordless authentication reduces phishing, credential leaks, and login friction.
No single method fits all use cases. Choosing the right approach depends on security needs, usability, and risk factors.
Proper implementation is key—even the most secure authentication method can be exploited if configured poorly.
Following best practices, encryption standards, and secure handling of authentication data ensures a stronger, safer login experience.

FAQ

What is WebAuthn and how does it enable passwordless login?

WebAuthn is a W3C/FIDO standard that replaces passwords with public‑key cryptography. During registration, a device creates a key pair; the private key stays on the device and the public key is stored by the app. At login, the device proves possession of the private key by signing a server challenge. This eliminates reusable secrets and resists phishing, credential stuffing, and brute force.

How do biometrics differ from hardware security keys?

Biometrics verify “something you are” (fingerprint, face, iris, voice) using a platform authenticator built into your device. Hardware security keys verify “something you have” (a physical FIDO2/WebAuthn key). Biometrics are convenient but can face spoofing risks if poorly implemented; hardware keys provide strong, phish‑resistant, device‑bound cryptography and are often considered the most robust option.

How is biometric data stored and protected?

Devices don’t store raw fingerprints or faces. They derive a mathematical template and keep it in a hardware‑backed secure area (e.g., Secure Enclave, TEE, TPM). Matching is done locally; the template never leaves the device. Storing templates outside such hardware or transmitting them exposes users to permanent compromise.

What are common biometric authentication threats and how can I mitigate them?

Threats include spoofing/presentation attacks (fake fingerprints, photos, 3D masks), replay or MITM if data is transmitted insecurely, and token/session theft after authentication. Mitigations: liveness detection, hardware‑backed storage, encrypted transport, anti‑replay with per‑use challenges, strong enrollment and identity verification, origin checks, and user education to avoid social‑engineering prompts.

How do hardware security keys work during login?

They use challenge‑response. The server sends a random challenge; the key signs it with its private key; the server verifies the signature with the stored public key. The private key never leaves the device, so there’s nothing for attackers to reuse or exfiltrate.

How do hardware keys prevent phishing?

Authenticators are bound to the site’s origin (rpId). A key registered for https://securebank.com will refuse to sign for https://fakebank.com, even if the page looks identical. This origin binding makes hardware keys effectively phish‑resistant.

What if I lose my hardware key or my biometric stops working (e.g., I shaved my beard)?

Register at least one backup key and set up a recovery flow. If biometrics fail temporarily, use configured fallbacks (PIN, password, or another factor) and re‑enroll biometrics if needed. Without a backup or recovery, you can be locked out.

Why does WebAuthn require HTTPS or localhost?

WebAuthn APIs only work in a secure context to protect origins and data in transit. HTTPS (or localhost during development) prevents eavesdropping and origin spoofing, which are critical to maintaining WebAuthn’s security guarantees.

What are the main steps of WebAuthn registration and what does the server store?

Steps: the browser requests credential creation; the authenticator creates a key pair; the client returns data (public key, credential ID, client data, optional attestation) to the server. The server stores a mapping of user → credential ID, public key (and algorithm/metadata) for future signature verification.

What is the attestation object in WebAuthn, and do I need it?

The attestation object is authenticator‑provided data (including authenticator info and an attestation statement) proving that a real device generated the key. Many consumer apps set attestation to “none” and don’t strictly verify it. Enterprises may validate attestation to enforce device policies or provenance.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $33.59

you save $14.40 (30%)

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more