Software Security for Developers you own this product

With examples in Java and Spring

Adib Saikali, Laurențiu Spilcă

MEAP began November 2021
Last updated March 2026
Publication in April 2026 (estimated)

ISBN 9781617298585
371 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development / Software Engineering / Security and Privacy / Cloud Application Security

resources: Source code Book forum Source code on GitHub

table of content

Part 1: Application Security the Big Picture

1 Making Sense of Application Security

1.1 Developers’ responsibility in software security

1.1.1 What does secure development actually look like?

1.1.2 How security expectations shape the developer’s role

1.2 Securing the supply chain risk

1.3 Roles and responsibilities in security

1.4 What you will learn in this book

1.5 Summary

2 Standards for implementing authentication

2.1 Logging users in

2.1.1 Customer authentication

2.1.2 Employee authentication

2.1.3 Partner authentication

2.1.4 Phishing resistant authentication

2.1.5 Authentication technology from a developer’s perspective

2.1.6 Exercises

2.2 Securing application credentials

2.2.1 Exercises

2.3 Exercise Answers

2.4 Summary

3 Service-to-service communication

3.1 Securing the service-to-service call chain

3.1.1 Propagating user identity through the service call chain

3.1.2 Determining service identity

3.1.3 Exercises

3.2 Securely running services on Kubernetes

3.2.1 Exercises

3.3 Security technologies every developer should know

3.3.1 Exercises

3.4 Exercise Answers

3.5 Summary

Part 2: Cryptography foundations

4 Message Integrity and Authentication

4.1 The goals of cryptography

4.2 Cryptographic hash functions

4.2.1 Secure Hash Algorithm (SHA)

4.2.2 Verifying integrity using a cryptographic hash function

4.2.3 Design for hash function change

4.2.4 Exercises

4.3 Java cryptography architecture and extensions

4.4 Implementing message integrity in Java

4.5 Message Authentication Code (MAC)

4.5.1 Hashed Message Authentication Code (HMAC)

4.5.2 Java Support for HMAC

4.5.3 Exercises

4.6 Guaranteeing authenticity using HMAC

4.7 Exercise answers

4.8 Summary

5 Advanced Encryption Standard

5.1 Advanced Encryption Standard Overview

5.2 Modes of operation

5.2.1 Cipher Block Chaining (CBC) mode

5.2.2 Authenticated encryption

5.2.3 Galois Counter Mode (GCM)

5.2.4 Exercises

5.3 Java Support for AES

5.3.1 The ACME Inc. Scenario

5.3.2 Implementing the ACME Inc. Scenario

5.4 Authenticated Encryption with Associated Data (AEAD)

5.4.1 Exercises

5.5 AES Best Practices

5.5.1 Selecting the AES key size

5.5.2 Checklist for using AES-GCM correctly in Java

5.5.3 Exercises

5.6 Answers to exercises

5.7 Summary

6 Public Key Encryption and Digital Signatures: Unleashing RSA

6.1 The secret key distribution problem

6.1.1 Exercises

6.2 Public key cryptosystems

6.2.1 Exercises

6.3 RSA public key cryptosystem

6.3.1 Configuring RSA

6.3.2 Hybrid Encryption

6.3.3 Signing data with RSA

6.3.4 Exercises

6.4 Java Support for RSA

6.5 Answers to exercises

6.6 Summary

7 Public Key Encryption and Digital Signatures: Using ECC

7.1 Elliptic curve public key cryptosystems

7.1.1 Configuring ECC

7.1.2 Diffie-Helman key agreement

7.1.3 Exercises

7.2 Java support for elliptic curves

7.2.1 Java support for encryption with elliptic curves

7.2.2 Java support for signing with elliptic curves

7.3 RSA vs. ECC

7.3.1 Exercises

7.4 Answers to exercises

7.5 Summary

Part 3: Securing communication channels

8 Public Key Infrastructure and X.509 Digital Certificates: know who you are talking to

8.1 Inspecting X.509 Digital Certificates

8.1.1 Inspecting X.509 certificates with OpenSSL CLI

8.1.2 Downloading a Website’s X.509 Digital Certificate Using OpenSSL CLI

8.1.3 Viewing The Fields of an X.509 Digital Certificate

8.1.4 Subject fields: Identify the public key and its owner.

8.1.5 Issuer Field: Identifies who created the certificate

8.1.6 Validity Fields

8.1.7 X.509 Digital Certificate Encoding Formats

8.1.8 Exercises

8.2 Verifying X.509 Digital Certificates

8.2.1 Verifying the GitHub.com X.509 Certificate

8.2.2 Exercises

8.3 Answers to exercises

8.4 Summary

9 Working with X.509 Certificates: Lifecycle and Self-Signing

9.1 Certificate Lifecycle: Issuance to revocation

9.1.1 Creating a keypair

9.1.2 Creating a Certificate Signing Request (CSR)

9.1.3 CSR Validation

9.1.4 Certificate Issuance

9.1.5 Certificate Revocation

9.1.6 Exercises

9.2 Private Certificate Authority for Local Development

9.2.1 Create a Self-Signed Root Certificate

9.2.2 Install the Certificate Authority into the Operating System Trust Store

9.2.3 Issue a certificate using the personal certificate authority

9.2.4 Exercises

9.3 Answers to exercises

9.4 Summary

10 Transport Layer Security (TLS): How the internet is secured

10.1 Securing communication with TLS

10.1.1 How it all started

10.1.2 TLS and mTLS

10.1.3 Exercises

10.2 What TLS actually protects you against

10.2.1 Protection from eavesdropping

10.2.2 Making sure there’s no tampering

10.2.3 Avoiding impersonation

10.2.4 Exercises

10.3 TLS in practice

10.3.1 Exercises

10.4 Answers to exercises

10.5 Summary

Part 4: Modern Authentication and Identity

11 JSON Object Signing and Encryption (JOSE)

11.1 The Standards Layer Cake

11.2 The problem solved by JSON Web Algorithms (JWA)

11.2.1 Exercises

11.3 JSON Web Key (JWK)

11.3.1 Exercises

11.4 JSON Web Signature (JWS)

11.4.1 JSON Web Object (JWS) Structure

11.4.2 Creating and verifying a JWS object

11.4.3 The credit card refunds scenario with JWS

11.4.4 Exercises

11.5 JSON Web Encryption (JWE)

11.5.1 JWE Structure

11.5.2 Creating and verifying JWE objects

11.5.3 Exercises

11.6 JSON Web Token (JWT)

11.6.1 Exercises

11.7 Answers to exercises

11.8 Summary

12 Single Sign On (SSO) using OAuth2 and OpenID Connect

12.1 Splitting security data management responsibilities

12.1.1 Exercises

12.2 Using authentication flows

12.2.1 The authorization code grant type

12.2.2 What actually are the tokens?

12.2.3 The client credentials grant type

12.2.4 Exercises

12.3 Applying OpenID Connect to Acme Inc.

12.3.1 Answers to exercises

12.4 Summary

13 Deepening security with OpenID Connect

13.1 Augmenting the authorization code grant type with PKCE

13.1.1 Exercises

13.2 Using refresh tokens to simplify authentication

13.2.1 Exercises

13.3 Supporting identity management with OpenID Connect

13.3.1 The Identity Layer and ID Token

13.3.2 The UserInfo Endpoint

13.3.3 Protection Against Replay Attacks and CSRF

13.3.4 Session management and logout

13.3.5 Exercises

13.4 Using multitenancy

13.4.1 Exercises

13.5 Answers to exercises

13.6 Summary

14 Passwordless login: Using Magic links and OTPs

14.1 The real magic of magic links authentication

14.1.1 Exercises

14.2 Authentication through One-Time Passwords (OTPs)

14.2.1 Exercises

14.3 Answers to exercises

14.4 Summary

15 Passwordless login: WebAuthn and hardware authentication

15.1 Biometric authentication

15.1.1 Fingerprint Scanning (Most Common)

15.1.2 Facial Recognition (Rapidly Growing)

15.1.3 Iris & Retina Scanning (Highly Secure)

15.1.4 Voice Recognition (Used in Call Centers & Virtual Assistants)

15.1.5 Palm Vein Recognition (High Security, Less Common)

15.1.6 Exercises

15.2 Authenticating using hardware keys

15.2.1 Exercises

15.3 Implementing WebAuthn authentication

15.3.1 Exercises

15.4 Answers to exercises

15.5 Summary

Part 5: Securing service-to-service call chain

16 Implementing service identity

16.1 What service identity is

16.1.1 Exercises

16.2 Implementing service authorization at the application level

16.2.1 Using the OAuth2 client credentials grant type

16.2.2 Using API Keys

16.2.3 Using custom authorization logic

16.2.4 Exercises

16.3 Implementing service authorization at the infra-level

16.3.1 Exercises

16.4 Answers to exercises

16.5 Summary

17 Taming authorization: RBAC, ABAC, ReBAC

17.1 What are core authorization models

17.1.1 Role-Based Access Control (RBAC)

17.1.2 Attribute-Based Access Control (ABAC)

17.1.3 Relationship-Based Access Control (ReBAC)

17.1.4 Exercises

17.2 Authorization in real-world architectures

17.2.1 Authorization within monoliths

17.2.2 Service-oriented authorization

17.2.3 Exercises

17.3 Answers to questions

17.4 Summary

Appendix

Appendix A: Installation and Setup

A.1 Setting up Java Development Environment

A.1.1 Setup Java 11

A.1.2 Setup A Java IDE

A.2 Obtaining the Book Samples

Overview

2 Standards for implementing authentication

This chapter frames authentication and secret management as foundational pillars of application security alongside secure transport and hardened runtime environments. It urges teams to stop handling passwords and identity logic inside each app and instead rely on standards-driven Single Sign-On (SSO) and modern, phishing-resistant authenticators. For developers, the core toolbox is OAuth2, OpenID Connect, and WebAuthn, supported by robust libraries across languages, and underpinned by essentials like TLS, JOSE, X.509, and PKI. The overarching message is to centralize trust, reduce custom security code, and raise both security and usability by adopting proven protocols and services.

On user authentication, the guidance spans customers, employees, and partners. For customers, minimize friction while maintaining strong security by supporting social login via OpenID Connect/OAuth2, passwordless biometrics and security keys with WebAuthn, and a multifactor username/password fallback when needed—ideally all fronted by an SSO. For employees, consolidate access to internal apps, SaaS tools, and admin surfaces behind a corporate SSO tied to the directory; prefer OpenID Connect and use protocol bridges if only SAML/LDAP are available. For partners, compare issuing local accounts (simple but risky) versus federating to the partner’s SSO (preferred for clean provisioning and revocation). Because phishing remains a top threat, the chapter highlights WebAuthn and physical security keys that bind authentication to the legitimate site origin, thwarting credential theft.

On securing application credentials, the chapter warns against storing secrets in configuration files due to configuration drift, weak file-level protections, poor auditability, and difficult rotation. It recommends a centralized credential service or vault as the single source of truth to streamline updates and rotation, provide detailed audit logs, and leverage hardware-backed protections. Teams can choose a cloud provider’s key vault, platform-native secrets, or a self-hosted solution, but should avoid building their own. Since no universal API exists for secret stores, applications use provider-specific clients and must solve bootstrap trust—ideally with platform-based identity like SPIFFE. The best practices are clear: externalize authentication to a maintained SSO, adopt WebAuthn for phishing resistance, store all secrets in a credential service, and keep these foundations patched and up to date.

An authentication form, commonly referred to as a login form, serves as the primary interface through which users enter their credentials to authenticate and gain access to the system.

Customer authentication preferences. Some customers want to use biometric authentication features, such as fingerprint scanners and face recognition, on their devices and phones. Some customers want to be able to login using their existing accounts with large online service providers such as Google, and Facebook. Some users want to be able to login using a traditional username and password combination. Single Sign On services can accommodate all these types of authentication preferences and more.

Single Sign On (SSO) Service handles user account creation and authentication. Multiple applications can use the same SSO service, simplifying security for application developers. The SSO service implements support authentication using OAuth2, OpenID Connect, WebAuthn, and multi-factor password-based authentication.

A corporate Sigle Sign On (SSO) service makes it possible for employees to access customer facing apps, internal employee only apps, and external SaaS apps using a single set of credentials

A user has to insert the Yubikey in their laptop, then press the button when on the login screen for a an application that support a physical security key. The Yubikey will check that the URL of the site the user is trying to log into matches the URL stored inside the Yubikey. If the URLs don’t match the login will fail. A Yubikey can protect against phishing attacks such as the one described in the text above.

Externalize application authentication into an SSO service that applications can access using OpenID Connect and WebAuthn. If you know OpenID Connect and WebAuthn, you can use all modern SSO services.

Applications depend on internal and external services that require passwords and API keys. The credentials to access services are extremely sensitive and must be protected. How can an application store and access sensitive credentials it needs to operate?

A credential vault is a centralized store of all sensitive configuration values, such as passwords, API keys, digital certificates, and other secrets the application needs to access at runtime.

A credential management service and a single sign on service are two foundational components for cloud native application security. As a developer you can use the OpenID Connect and WebAuthn protocols to interact with all modern SSO services. However, for credential services there is no industry standard API so you will have to use a proprietary API provided by the credential service implementation.

Summary

Passwords are weak, reused across services, and expensive to store securely, making them poor for both security and user experience.
Externalizing authentication to SSO services improves security, reduces development effort, and provides better user experience across multiple applications.
Modern applications should support OAuth2/OpenID Connect for social login, WebAuthn for biometric authentication, and multifactor password authentication as fallback.
Corporate SSO services enable employees to access internal applications, external SaaS services, and customer-facing apps using unified Active Directory credentials.
Organizations can either provide partner employees with internal accounts or delegate authentication to the partner's own SSO service for better security.
Physical security keys using WebAuthn protocol protect against phishing attacks by validating website URLs before authentication.
OAuth2, OpenID Connect, and WebAuthn are the essential authentication protocols developers need to master for modern applications.
Applications should store sensitive credentials like API keys and passwords in centralized credential services rather than configuration files.
Credential services provide single source of truth, easy updates, simplified rotation, comprehensive audit logs, and hardware security module support.
No industry standard exists for credential service APIs, requiring use of provider-specific APIs and libraries.
Information security engineers choose and configure SSO services, while developers implement OpenID Connect and WebAuthn integration in applications.

FAQ

Why are passwords a poor choice for security and user experience?

They’re hard to remember, so users pick weak ones or reuse them across sites, and securely storing them server-side is complex and costly. A breach or storage mistake can compromise many accounts at once.

Which open standards should I know for modern authentication?

OpenID Connect (OIDC) for delegating login to an SSO and getting identity tokens, OAuth 2.0 as the authorization foundation, and WebAuthn for passwordless, phishing-resistant authentication with biometrics and security keys.

What is OpenID Connect used for in applications?

OIDC lets apps offload login to an external Identity Provider/SSO and receive standardized ID tokens about the user. It simplifies integrating both customer- and employee-facing apps with a single, widely supported protocol.

How does WebAuthn enable passwordless login?

WebAuthn lets users authenticate with device biometrics (face/fingerprint) or FIDO2 security keys. It’s supported by major browsers and mobile/desktop OSes, providing strong, phishing-resistant authentication.

How can I offer customers their preferred login method?

Use an SSO that supports multiple options: social login via OAuth2/OIDC, passwordless biometrics via WebAuthn (passkeys/security keys), and password-based login with optional MFA (authenticator apps or SMS as a fallback).

What’s the recommended approach for employee authentication with Active Directory?

Integrate apps with the corporate SSO using OIDC. If the SSO only supports legacy protocols (e.g., SAML/LDAP), use an OIDC-to-SAML bridge so apps speak OIDC while the SSO continues using existing enterprise standards.

How should I let partners access internal systems securely?

Prefer federation: configure your SSO to trust the partner’s SSO so their employees authenticate with their own accounts. This ensures immediate deprovisioning when access is revoked at the partner.

What is phishing-resistant authentication and how do I enable it?

It prevents credential theft on fake sites. Enable FIDO2/WebAuthn security keys or platform passkeys, which verify the site’s origin (RP ID) before authenticating, blocking most phishing attempts.

Should every application use an SSO service, and what are my options?

Yes—SSO centralizes and hardens authentication while simplifying development. Options include managed cloud SSO, self-hosted products (open source or commercial), and building your own only when truly necessary; keep whatever you choose patched and up to date.

What should developers learn beyond OIDC and WebAuthn?

Master the surrounding foundations: TLS, JOSE (JWT/JWS/JWE), X.509 certificates, and PKI. Then use high-quality language frameworks (e.g., Spring Security) to integrate cleanly with your SSO.

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $33.59

you save $14.40 (30%)

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more