Software Security for Developers you own this product

With examples in Java and Spring

Adib Saikali, Laurențiu Spilcă

MEAP began November 2021
Last updated March 2026
Publication in April 2026 (estimated)

ISBN 9781617298585
371 pages (estimated)

Included with a Manning Online subscription

printed in black & white

catalog / Software Development / Software Engineering / Security and Privacy / Cloud Application Security

resources: Source code Book forum Source code on GitHub

table of content

Part 1: Application Security the Big Picture

1 Making Sense of Application Security

1.1 Developers’ responsibility in software security

1.1.1 What does secure development actually look like?

1.1.2 How security expectations shape the developer’s role

1.2 Securing the supply chain risk

1.3 Roles and responsibilities in security

1.4 What you will learn in this book

1.5 Summary

2 Standards for implementing authentication

2.1 Logging users in

2.1.1 Customer authentication

2.1.2 Employee authentication

2.1.3 Partner authentication

2.1.4 Phishing resistant authentication

2.1.5 Authentication technology from a developer’s perspective

2.1.6 Exercises

2.2 Securing application credentials

2.2.1 Exercises

2.3 Exercise Answers

2.4 Summary

3 Service-to-service communication

3.1 Securing the service-to-service call chain

3.1.1 Propagating user identity through the service call chain

3.1.2 Determining service identity

3.1.3 Exercises

3.2 Securely running services on Kubernetes

3.2.1 Exercises

3.3 Security technologies every developer should know

3.3.1 Exercises

3.4 Exercise Answers

3.5 Summary

Part 2: Cryptography foundations

4 Message Integrity and Authentication

4.1 The goals of cryptography

4.2 Cryptographic hash functions

4.2.1 Secure Hash Algorithm (SHA)

4.2.2 Verifying integrity using a cryptographic hash function

4.2.3 Design for hash function change

4.2.4 Exercises

4.3 Java cryptography architecture and extensions

4.4 Implementing message integrity in Java

4.5 Message Authentication Code (MAC)

4.5.1 Hashed Message Authentication Code (HMAC)

4.5.2 Java Support for HMAC

4.5.3 Exercises

4.6 Guaranteeing authenticity using HMAC

4.7 Exercise answers

4.8 Summary

5 Advanced Encryption Standard

5.1 Advanced Encryption Standard Overview

5.2 Modes of operation

5.2.1 Cipher Block Chaining (CBC) mode

5.2.2 Authenticated encryption

5.2.3 Galois Counter Mode (GCM)

5.2.4 Exercises

5.3 Java Support for AES

5.3.1 The ACME Inc. Scenario

5.3.2 Implementing the ACME Inc. Scenario

5.4 Authenticated Encryption with Associated Data (AEAD)

5.4.1 Exercises

5.5 AES Best Practices

5.5.1 Selecting the AES key size

5.5.2 Checklist for using AES-GCM correctly in Java

5.5.3 Exercises

5.6 Answers to exercises

5.7 Summary

6 Public Key Encryption and Digital Signatures: Unleashing RSA

6.1 The secret key distribution problem

6.1.1 Exercises

6.2 Public key cryptosystems

6.2.1 Exercises

6.3 RSA public key cryptosystem

6.3.1 Configuring RSA

6.3.2 Hybrid Encryption

6.3.3 Signing data with RSA

6.3.4 Exercises

6.4 Java Support for RSA

6.5 Answers to exercises

6.6 Summary

7 Public Key Encryption and Digital Signatures: Using ECC

7.1 Elliptic curve public key cryptosystems

7.1.1 Configuring ECC

7.1.2 Diffie-Helman key agreement

7.1.3 Exercises

7.2 Java support for elliptic curves

7.2.1 Java support for encryption with elliptic curves

7.2.2 Java support for signing with elliptic curves

7.3 RSA vs. ECC

7.3.1 Exercises

7.4 Answers to exercises

7.5 Summary

Part 3: Securing communication channels

8 Public Key Infrastructure and X.509 Digital Certificates: know who you are talking to

8.1 Inspecting X.509 Digital Certificates

8.1.1 Inspecting X.509 certificates with OpenSSL CLI

8.1.2 Downloading a Website’s X.509 Digital Certificate Using OpenSSL CLI

8.1.3 Viewing The Fields of an X.509 Digital Certificate

8.1.4 Subject fields: Identify the public key and its owner.

8.1.5 Issuer Field: Identifies who created the certificate

8.1.6 Validity Fields

8.1.7 X.509 Digital Certificate Encoding Formats

8.1.8 Exercises

8.2 Verifying X.509 Digital Certificates

8.2.1 Verifying the GitHub.com X.509 Certificate

8.2.2 Exercises

8.3 Answers to exercises

8.4 Summary

9 Working with X.509 Certificates: Lifecycle and Self-Signing

9.1 Certificate Lifecycle: Issuance to revocation

9.1.1 Creating a keypair

9.1.2 Creating a Certificate Signing Request (CSR)

9.1.3 CSR Validation

9.1.4 Certificate Issuance

9.1.5 Certificate Revocation

9.1.6 Exercises

9.2 Private Certificate Authority for Local Development

9.2.1 Create a Self-Signed Root Certificate

9.2.2 Install the Certificate Authority into the Operating System Trust Store

9.2.3 Issue a certificate using the personal certificate authority

9.2.4 Exercises

9.3 Answers to exercises

9.4 Summary

10 Transport Layer Security (TLS): How the internet is secured

10.1 Securing communication with TLS

10.1.1 How it all started

10.1.2 TLS and mTLS

10.1.3 Exercises

10.2 What TLS actually protects you against

10.2.1 Protection from eavesdropping

10.2.2 Making sure there’s no tampering

10.2.3 Avoiding impersonation

10.2.4 Exercises

10.3 TLS in practice

10.3.1 Exercises

10.4 Answers to exercises

10.5 Summary

Part 4: Modern Authentication and Identity

11 JSON Object Signing and Encryption (JOSE)

11.1 The Standards Layer Cake

11.2 The problem solved by JSON Web Algorithms (JWA)

11.2.1 Exercises

11.3 JSON Web Key (JWK)

11.3.1 Exercises

11.4 JSON Web Signature (JWS)

11.4.1 JSON Web Object (JWS) Structure

11.4.2 Creating and verifying a JWS object

11.4.3 The credit card refunds scenario with JWS

11.4.4 Exercises

11.5 JSON Web Encryption (JWE)

11.5.1 JWE Structure

11.5.2 Creating and verifying JWE objects

11.5.3 Exercises

11.6 JSON Web Token (JWT)

11.6.1 Exercises

11.7 Answers to exercises

11.8 Summary

12 Single Sign On (SSO) using OAuth2 and OpenID Connect

12.1 Splitting security data management responsibilities

12.1.1 Exercises

12.2 Using authentication flows

12.2.1 The authorization code grant type

12.2.2 What actually are the tokens?

12.2.3 The client credentials grant type

12.2.4 Exercises

12.3 Applying OpenID Connect to Acme Inc.

12.3.1 Answers to exercises

12.4 Summary

13 Deepening security with OpenID Connect

13.1 Augmenting the authorization code grant type with PKCE

13.1.1 Exercises

13.2 Using refresh tokens to simplify authentication

13.2.1 Exercises

13.3 Supporting identity management with OpenID Connect

13.3.1 The Identity Layer and ID Token

13.3.2 The UserInfo Endpoint

13.3.3 Protection Against Replay Attacks and CSRF

13.3.4 Session management and logout

13.3.5 Exercises

13.4 Using multitenancy

13.4.1 Exercises

13.5 Answers to exercises

13.6 Summary

14 Passwordless login: Using Magic links and OTPs

14.1 The real magic of magic links authentication

14.1.1 Exercises

14.2 Authentication through One-Time Passwords (OTPs)

14.2.1 Exercises

14.3 Answers to exercises

14.4 Summary

15 Passwordless login: WebAuthn and hardware authentication

15.1 Biometric authentication

15.1.1 Fingerprint Scanning (Most Common)

15.1.2 Facial Recognition (Rapidly Growing)

15.1.3 Iris & Retina Scanning (Highly Secure)

15.1.4 Voice Recognition (Used in Call Centers & Virtual Assistants)

15.1.5 Palm Vein Recognition (High Security, Less Common)

15.1.6 Exercises

15.2 Authenticating using hardware keys

15.2.1 Exercises

15.3 Implementing WebAuthn authentication

15.3.1 Exercises

15.4 Answers to exercises

15.5 Summary

Part 5: Securing service-to-service call chain

16 Implementing service identity

16.1 What service identity is

16.1.1 Exercises

16.2 Implementing service authorization at the application level

16.2.1 Using the OAuth2 client credentials grant type

16.2.2 Using API Keys

16.2.3 Using custom authorization logic

16.2.4 Exercises

16.3 Implementing service authorization at the infra-level

16.3.1 Exercises

16.4 Answers to exercises

16.5 Summary

17 Taming authorization: RBAC, ABAC, ReBAC

17.1 What are core authorization models

17.1.1 Role-Based Access Control (RBAC)

17.1.2 Attribute-Based Access Control (ABAC)

17.1.3 Relationship-Based Access Control (ReBAC)

17.1.4 Exercises

17.2 Authorization in real-world architectures

17.2.1 Authorization within monoliths

17.2.2 Service-oriented authorization

17.2.3 Exercises

17.3 Answers to questions

17.4 Summary

Appendix

Appendix A: Installation and Setup

A.1 Setting up Java Development Environment

A.1.1 Setup Java 11

A.1.2 Setup A Java IDE

A.2 Obtaining the Book Samples

Overview

3 Service-to-service communication

This chapter emphasizes that securing service-to-service communication is fundamental to trustworthy microservice systems. It frames four universal security problems every application must solve: securing communication channels, implementing authentication and authorization, protecting sensitive credentials, and operating safely in cloud or on‑prem environments. Because a single user action can traverse a deep call graph of independently deployed services, the chapter stresses end-to-end protection of that chain and equips developers with a practical toolbox of technologies and patterns to keep interactions confidential, authenticated, and authorized.

The central technical challenges revolve around identity. First, user identity must be propagated across heterogeneous protocols (HTTP, RPC, messaging, events) and languages so downstream services can enforce least privilege; there is no single industry standard, so teams combine conventions with technologies like OAuth2/OpenID Connect and JOSE-based tokens. Second, services must authenticate to each other to make authorization decisions—commonly via API keys or mutual TLS. API gateways help manage and validate keys and protect the edge, while mTLS—often enabled by a service mesh and strengthened with SPIFFE—authenticates workloads and encrypts every hop by default.

The chapter also ties application-layer security to runtime hardening on Kubernetes. Secure operation requires: building secure container images, running on a locked‑down cluster provided by platform engineering, and shipping deployment manifests that enable security controls and follow best practices. Developers are accountable for image hygiene and secure YAML, while the platform enforces cluster guardrails. Finally, it compiles the must‑know stack for developers: TLS, OAuth2/OIDC, WebAuthn, credential storage services, API gateways, service mesh, SPIFFE, cloud‑native buildpacks, and Kubernetes—grounded in AES, JOSE, and X.509, and underpinned by core cryptographic primitives such as hashing, MACs, symmetric and public‑key cryptography, and key exchange.

Potential microservices that can be easily spotted from a product page: product search microservice, look inside microservice, book details microservice (title, author, publication date, summary), product rating microservice, pricing microservice that can calculate discounts dynamically, delivery estimation microservice that computes when order arrives at a customer’s address and shipping costs

An HTTP request to the product page microservice service fans out through multiple layers of supporting microservices, this is what we mean by the call service-to-service call graph. Organizations can have hundreds of microservices that interact with each other.

A generic call graph showing edge microservices that receive user requests and then call internal microservices to handle the request. How can a microservice determine the user's identity that initiated the request? How can a microservice determine the identity of the service that called it?

The edge service uses OpenID Connect or WebAuthn protocols to determine the identity of the user making the request. It must then propagate the user identity over HTTP to the service written in C#, which must propagate the user identity over gRPC to the service written in Go, which must propagate the user identity over AMQP to the service written in JavaScript.

Some services, like inventory, do not need to know the identity of the customer who is viewing a product page to return the current inventory level.

The book teaches you the standards, protocols, and patterns for building secure applications using practical sample applications. The goal is to set you up for success on your security learning journey by teaching you foundational technologies every developer should know.

Summary

Microservice architectures decompose applications into independently deployable services that communicate through service-to-service calls, creating complex call chains.
Edge microservices interact directly with users and external systems, while internal microservices receive requests from other microservices within the system.
User identity propagation through service call chains requires passing user credentials across different programming languages and network protocols like HTTP, gRPC, and AMQP.
No industry standard exists for propagating user identity between services, requiring custom solutions using patterns and conventions.
Service identity can be established through API keys or mutual TLS authentication to authorize which services can perform specific operations.
API gateways simplify implementation of API key patterns for service authentication and authorization.
Service mesh technologies like Istio simplify deployment and management of mutual TLS between microservices.
Developers must learn to create secure container images and write Kubernetes deployment manifests following security best practices.
Platform engineering teams are responsible for providing secure Kubernetes clusters, while developers handle secure application packaging and deployment configuration.
Essential security technologies for developers include TLS, OAuth2/OpenID Connect, WebAuthn, credential storage services, API gateways, service mesh, SPIFFE, Cloud Native Buildpacks, and Kubernetes.
These technologies depend on foundational knowledge of AES encryption, JOSE standards, X.509 digital certificates, and cryptographic primitives like hash functions and public key cryptography.
DevOps has evolved from separated development and operations teams to integrated teams responsible for both building and running applications in production.

FAQ

What is the service-to-service call chain and why is it important to secure?

The call chain is the path a single request takes as it fans out across multiple microservices. If any service in that chain is weak or compromised, the whole system is at risk. Securing it protects data, decisions, and your application’s reputation.

What’s the difference between an edge microservice and an internal microservice?

Edge microservices interact with users or external systems and accept new requests. Internal microservices only receive requests from other services and are not exposed to the public internet.

What interaction patterns and protocols are commonly used between services?

Common options include synchronous HTTP REST, synchronous RPC (such as gRPC or Thrift), asynchronous request-reply via message brokers (for example, RabbitMQ), and asynchronous event streaming (for example, Kafka).

How can user identity be propagated through a heterogeneous service call chain?

There is no single standard. Teams combine conventions and technologies (for example, tokens issued via OpenID Connect, JOSE-based formats, headers or metadata across HTTP/gRPC/AMQP) and enforce transport security (TLS). Mastering OAuth2, OIDC, JOSE, mTLS, X.509, service mesh, and API gateways is key.

How do services authenticate and authorize each other (service identity)?

Two common approaches are API keys and mutual TLS (mTLS). API keys identify the calling service via a shared secret; mTLS uses X.509 certificates so both sides authenticate cryptographically during TLS handshake.

When is user identity unnecessary and service identity sufficient?

When a service only needs resource context, not who the user is. For example, an inventory service can answer “availability for product X” without the customer’s ID, while still enforcing which calling services may read or change inventory via service identity rules.

How do API gateways and service meshes help secure service-to-service communication?

API gateways simplify API key issuance, rotation, validation, and edge security. Service meshes (often with SPIFFE) automate and manage mTLS between services, easing certificate issuance, rotation, and policy enforcement.

What are the four core security problems every application must solve?

Securing communication channels; authentication and authorization; safely handling sensitive credentials (for example, API keys to external systems); and running the application securely in cloud or on-prem environments.

What should developers know to run services securely on Kubernetes?

Create secure container images and write Kubernetes manifests that follow security best practices. Platform engineering teams secure the clusters; developers focus on image hardening, dependency hygiene, and secure workload configuration. Cloud Native Buildpacks can help produce secure, maintainable images.

Which foundational security technologies should developers learn to secure service communication?

Start with TLS; OAuth2 and OpenID Connect; WebAuthn for user auth; credential storage services; API gateways; service mesh; SPIFFE; Cloud Native Buildpacks; and Kubernetes. Underpinning these are AES, JOSE, X.509, and cryptographic primitives (hashes, MACs, symmetric and public key crypto, Diffie–Hellman).

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more

eBook

$47.99 $33.59

you save $14.40 (30%)

eBook

pdf, ePub, online

$47.99 $33.59

you save $14.40 (30%)

pro $24.99 per month

access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
choose one free eBook per month to keep
exclusive 50% discount on all purchases
renews monthly, pause or cancel renewal anytime

lite $19.99 per month

access to all Manning books, including MEAPs!

team

5, 10 or 20 seats+ for your team - learn more