awesome-java-security

Security resources

A curated list of Java security resources and tools to help developers write more secure software

Awesome Java Security Resources

GitHub: 302 stars, 17 watching, 27 forks, last commit almost 2 years ago. Linked from 1 awesome list.

Topics: awesome, awesome-list, java, security, security-testing, security-tools, static-analysis

Tools / Web Framework Hardening

Apache Shiro A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management
JJWT 10,389 11 months ago Java JWT: JSON Web Token for Java and Android
OWASP ESAPI Java 620 9 months ago Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications
PAC4J 2,438 8 months ago Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services
Spring Security 8,891 8 months ago A powerful and highly customizable authentication and access-control framework
Spring Security OAuth 4,690 about 3 years ago Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications. The project has reached end of life; new work should use the OAuth2 client and resource-server support built into Spring Security itself

Tools / Multi tools

hawkeye 359 almost 4 years ago Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and Java
GuardRails A GitHub App that gives you instant security feedback in your Pull Requests

Tools / Static Code Analysis

Spotbugs 3,533 8 months ago SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code
Find Security Bugs 2,293 8 months ago SpotBugs plugin for security audits of Java web applications and Android applications
Detect Secrets An enterprise friendly way of detecting and preventing secrets in code
Gitrob 5,955 almost 3 years ago Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github
Sonarqube 9,183 8 months ago SonarQube provides the capability to show the health of an application and highlight newly introduced issues
Oversecured A static analyzer for Android apps (APK files), searches for security vulnerabilities. Contains 90+ vulnerability categories
Bearer A static code security analyzer to discover, filter and prioritize security and privacy risks
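As an added illustration of what a Find Security Bugs scan actually reports (this example is not part of awesome-java-security or of the SpotBugs project), the snippet below places the classic path-traversal defect that the plugin flags as PATH_TRAVERSAL_IN next to a hardened version. The class and method names and the sample request names are this example's own; the only API used is java.nio.file.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not code from the list or the tools it links to.
// Shows a request-controlled file name joined to an upload root in the way
// Find Security Bugs reports as PATH_TRAVERSAL_IN, beside a hardened version.
public class PathTraversalDemo {

    // Vulnerable: the caller-supplied name is joined to the base directory
    // unchecked, so "../../etc/passwd" walks out of the upload root.
    static Path resolveUnsafe(Path baseDir, String requestedName) {
        return baseDir.resolve(requestedName);
    }

    // Hardened: normalise the joined path and require that it still lies
    // strictly under the real base directory before anything is opened.
    // An absolute requestedName is also rejected, because resolve() returns
    // it unchanged and it will not start with root.
    static Path resolveSafe(Path baseDir, String requestedName) throws IOException {
        Path root = baseDir.toRealPath();              // canonical, symlinks resolved
        Path candidate = root.resolve(requestedName).normalize();
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            throw new SecurityException("path escapes base directory: " + requestedName);
        }
        // Caveat: if files under root may themselves be symlinks, call
        // candidate.toRealPath() after it exists and repeat the startsWith check.
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path uploads = Files.createTempDirectory("uploads");
        // Constructed sample inputs: one benign name, one traversal, one
        // that normalises back inside the root, one absolute path.
        String[] inputs = { "report.pdf", "../../etc/passwd", "sub/../report.pdf", "/etc/passwd" };
        for (String name : inputs) {
            System.out.println("input: " + name);
            System.out.println("  unsafe -> " + resolveUnsafe(uploads, name).normalize());
            try {
                System.out.println("  safe   -> " + resolveSafe(uploads, name));
            } catch (SecurityException e) {
                System.out.println("  safe   -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running the class prints the escaped path for the unsafe resolver on the second and fourth inputs, while the hardened resolver accepts only "report.pdf" and "sub/../report.pdf" (both of which end up as the same file under the temporary directory). Pointing SpotBugs with the Find Security Bugs plugin at a build containing resolveUnsafe is a quick way to confirm the scanner is wired in correctly before trusting a clean report.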

Tools / Runtime Analysis

Code Pulse 118 over 2 years ago Code Pulse is a real-time code coverage tool for penetration testing activities
OWASP ZAP 12,847 8 months ago Helps automatically find security vulnerabilities in your web applications
Contrast Community Edition Free runtime protection and vulnerability detection tool, identifying issues in running applications

Tools / Vulnerabilities and Security Advisories

OWASP Dependency-Check 6,547 8 months ago Detects publicly disclosed vulnerabilities in application dependencies
Snyk 4,979 8 months ago CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies
Snyk Vulnerability DB Commercial but free listing of known vulnerabilities in libraries
Common Vulnerabilities and Exposures Vulnerabilities that were assigned a CVE. Covers the language and packages
National Vulnerability Database Java known vulnerabilities in the National Vulnerability Database
Contrast Community Edition Free tool to locate CVEs and outdated dependencies in libraries

Tools / Cryptography

Bouncy Castle Java implementation of cryptographic algorithms
Conscrypt 1,304 8 months ago Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension
Cryptomator 11,982 8 months ago Multi-platform transparent client-side encryption of your files in the cloud
Keyczar 1,097 over 6 years ago Easy-to-use crypto toolkit by Google. Deprecated by Google in favour of Tink; listed for legacy code bases only
Keywhiz 2,622 almost 2 years ago System for distributing and managing secrets
Tink 13,511 over 1 year ago Multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse
ACME4J 524 10 months ago Java ACME client for issuing X.509 certificates using Let's Encrypt or another ACME based CA

Educational / Hacking Playground

BodgeIt Store 264 about 1 year ago A vulnerable web application aimed at people who are new to pen testing
OWASP Benchmark 3 almost 4 years ago A Java test suite designed to verify the speed and accuracy of vulnerability detection tools
Security Shepherd 1,356 about 1 year ago Web and mobile application security training platform
WebGoat 7,096 8 months ago A deliberately insecure Java Web Application

Educational / Articles, Guides & Talks

Java Platform, Standard Edition Security Developer's Guide This guide covers the major Java Standard Edition security components: Java Cryptography Architecture (JCA), Java Authentication and Authorization Service (JAAS) and Java Secure Socket Extension (JSSE)
Application Security Verification Standard (PDF) The standard is a list of application security requirements that can be used by developers
Spring Security CSRF A Guide to CSRF Protection in Spring Security
Secure Coding Guidelines Secure Coding Guidelines for Java SE
Securing a Web Application This guide walks you through the process of creating a simple web application with resources that are protected by Spring Security
Spring Security Guides Step by step guides on how to use Spring Security
Prevent cross-site scripting (XSS) attacks This article explains how XSS attacks work and suggests a methodology to block XSS attacks
Java Security Resource Center A collection of security details for different users of the Java Platform

Educational / Practices

Encrypting with SSL/TLS 575 8 months ago Step by step guide for encrypting client and server communication

Educational / Specifications

JSR 115: Java Authorization Contract for Containers
JSR 196: Java Authentication Service Provider Interface for Containers
JSR 375: Java EE Security API

Other / Reporting Bugs

Java Security Reporting
