awesome-java-security
Security resources
A curated list of Java security resources and tools to help developers write more secure software
Awesome Java Security Resources
302 stars
17 watching
27 forks
last commit: about 1 year ago
Linked from 1 awesome list
Tools / Web Framework Hardening | |||
Apache Shiro | | | A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management |
JJWT | 10,326 | about 2 months ago | Java JWT: JSON Web Token for Java and Android |
OWASP ESAPI Java | 616 | 17 days ago | Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications |
PAC4J | 2,431 | 6 days ago | Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services |
Spring Security | 8,827 | 5 days ago | A powerful and highly customizable authentication and access-control framework |
Spring Security OAuth | 4,695 | over 2 years ago | Support for adding OAuth1(a) and OAuth2 features (consumer and provider) to Spring web applications. The project is end-of-life; OAuth2 client and resource-server support now lives in Spring Security itself |
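Added example (not from this list or from the JJWT project) of the check a token-based service built on JJWT actually needs: issue an HMAC-signed token, then verify it with the key pinned on the server side so that unsigned ("alg":"none"), tampered and expired tokens are all rejected. It assumes JJWT 0.12.x (jjwt-api, jjwt-impl and jjwt-jackson on the classpath); the secret, issuer and subjects are placeholder values constructed for the example.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;

import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Date;

public class JwtCheck {
    // Assumed: a 256-bit HMAC secret normally loaded from configuration; constructed here for the example.
    private static final SecretKey KEY = Keys.hmacShaKeyFor(
            "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8));
    // Assumed issuer value; the verifier pins it so tokens from other issuers are refused.
    private static final String ISSUER = "https://auth.example.test";

    static String issue(String subject, long ttlSeconds) {
        Instant now = Instant.now();
        return Jwts.builder()
                .issuer(ISSUER)
                .subject(subject)
                .issuedAt(Date.from(now))
                .expiration(Date.from(now.plusSeconds(ttlSeconds)))
                .signWith(KEY)             // algorithm follows the key (HS256); never taken from the token header
                .compact();
    }

    // Returns the subject of a valid token, or null when verification fails.
    static String verify(String token) {
        try {
            Jws<Claims> jws = Jwts.parser()
                    .verifyWith(KEY)           // signature is mandatory: an unsigned token is rejected
                    .requireIssuer(ISSUER)     // claim must match exactly
                    .clockSkewSeconds(30)      // tolerate small clock drift on exp/nbf, nothing more
                    .build()
                    .parseSignedClaims(token); // throws on bad signature, expiry or wrong issuer
            return jws.getPayload().getSubject();
        } catch (JwtException | IllegalArgumentException e) {
            return null;                       // treat every failure the same way: not authenticated
        }
    }

    public static void main(String[] args) {
        String good = issue("alice", 300);
        System.out.println("valid token    -> " + verify(good));

        // Alter the payload segment: the signature no longer matches, so verify() returns null.
        String[] parts = good.split("\\.");
        String tampered = parts[0] + "." + parts[1].substring(0, parts[1].length() - 2) + "AA." + parts[2];
        System.out.println("tampered token -> " + verify(tampered));

        // Token whose expiry is already in the past: also null.
        String expired = issue("bob", -3600);
        System.out.println("expired token  -> " + verify(expired));
    }
}
```

The important design point is that the parser is built once with the key and the required claims, so every token is checked against the same policy; a parser that reads the algorithm or key identifier from the untrusted header and resolves it on the fly is where key-confusion bugs come from.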
Tools / Multi tools | |||
hawkeye | 358 | about 3 years ago | Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and Java (no longer maintained) |
GuardRails | | | A GitHub App that gives you instant security feedback in your Pull Requests |
Tools / Static Code Analysis | |||
Spotbugs | 3,512 | 8 days ago | SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code |
Find Security Bugs | 2,283 | 3 months ago | SpotBugs plugin for security audits of Java web applications and Android applications |
Detect Secrets | | | An enterprise friendly way of detecting and preventing secrets in code |
Gitrob | 5,938 | about 2 years ago | Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github |
Sonarqube | 9,100 | 6 days ago | SonarQube provides the capability to show the health of an application and highlight newly introduced issues |
Oversecured | | | A static analyzer for Android apps (APK files) that searches for security vulnerabilities; contains 90+ vulnerability categories |
Bearer | | | A static code security analyzer to discover, filter and prioritize security and privacy risks |
Tools / Runtime Analysis | |||
Code Pulse | 116 | almost 2 years ago | Code Pulse is a real-time code coverage tool for penetration testing activities |
OWASP ZAP | 12,743 | 6 days ago | Helps automatically find security vulnerabilities in your web applications |
Contrast Community Edition | | | Free runtime protection and vulnerability detection tool, identifying issues in running applications |
Tools / Vulnerabilities and Security Advisories | |||
OWASP Dependency-Check | 6,441 | 7 days ago | Detects publicly disclosed vulnerabilities in application dependencies |
Snyk | 4,952 | 6 days ago | CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies |
Snyk Vulnerability DB | | | Free, vendor-maintained database of known vulnerabilities in open-source libraries |
Common Vulnerabilities and Exposures | | | CVE entries covering the Java platform and Java libraries |
National Vulnerability Database | | | Known Java vulnerabilities in the NVD, NIST's CVE database with CVSS scoring |
Contrast Community Edition | | | Free tool to locate CVEs and outdated dependencies in libraries |
Tools / Cryptography | |||
Bouncy Castle | | | Java implementation of cryptographic algorithms, usable as a JCA/JCE provider |
Conscrypt | 1,291 | 8 days ago | Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension |
Cryptomator | 11,837 | 6 days ago | Multi-platform transparent client-side encryption of your files in the cloud |
Keyczar | 1,097 | over 5 years ago | Easy-to-use crypto toolkit by Google. Deprecated; Google recommends Tink (below) for new code |
Keywhiz | 2,621 | about 1 year ago | System for distributing and managing secrets |
Tink | 13,499 | 7 months ago | Multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse |
ACME4J | 521 | about 1 month ago | Java ACME client for issuing X.509 certificates using Let's Encrypt or another ACME based CA |
Educational / Hacking Playground | |||
BodgeIt Store | 263 | 3 months ago | A vulnerable web application aimed at people who are new to pen testing |
OWASP Benchmark | 3 | about 3 years ago | A Java test suite designed to verify the speed and accuracy of vulnerability detection tools |
Security Shepherd | 1,348 | 5 months ago | Web and mobile application security training platform |
WebGoat | 7,036 | 7 days ago | A deliberately insecure Java Web Application |
Educational / Articles, Guides & Talks | |||
Java Platform, Standard Edition Security Developer's Guide | | | This guide covers the major Java SE security components: Java Cryptography Architecture (JCA), Java Authentication and Authorization Service (JAAS) and Java Secure Socket Extension (JSSE) |
Application Security Verification Standard | | | (PDF) The standard is a list of application security requirements that can be used by developers |
Spring Security CSRF | | | A Guide to CSRF Protection in Spring Security |
Secure Coding Guidelines | | | Secure Coding Guidelines for Java SE |
Securing a Web Application | | | This guide walks you through the process of creating a simple web application with resources that are protected by Spring Security |
Spring Security Guides | | | Step by step guides on how to use Spring Security |
Prevent cross-site scripting (XSS) attacks | | | This article explains how XSS attacks work and suggests a methodology to block XSS attacks |
Java Security Resource Center | | | A collection of security details for different users of the Java Platform |
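Added example (not from this list or from the XSS article it cites) of the output-encoding rule that guidance comes down to: the same page fragments built once by raw concatenation and once by encoding the untrusted value for the context it lands in (HTML body or quoted attribute versus a URL query parameter). The encoders are written out so the rule is visible; in production prefer a maintained encoder such as OWASP ESAPI, listed above. The attacker input is constructed, and `URLEncoder.encode(String, Charset)` requires Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public final class HtmlOut {

    // Encoding for HTML element content and for values inside quoted attributes:
    // every character that can open a tag, an entity or close the quote is replaced by an entity.
    static String forHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Encoding for a value placed in a URL query string. The result contains only
    // unreserved characters, '+' and '%xx' escapes, so it is also safe inside a quoted href attribute.
    static String forUrlParam(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    // Vulnerable: untrusted input concatenated straight into markup.
    static String greetingUnsafe(String name) {
        return "<p>Hello, " + name + "!</p>";
    }

    // Hardened: same template, value encoded for the HTML-body context it lands in.
    static String greetingSafe(String name) {
        return "<p>Hello, " + forHtml(name) + "!</p>";
    }

    // Vulnerable: the value can close the attribute and add its own (e.g. onmouseover=...).
    static String linkUnsafe(String query) {
        return "<a href=\"/search?q=" + query + "\">" + query + "</a>";
    }

    // Hardened: one value, two different contexts, two different encoders.
    static String linkSafe(String query) {
        return "<a href=\"/search?q=" + forUrlParam(query) + "\">" + forHtml(query) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed attacker inputs.
        String script = "<script>alert(document.cookie)</script>";
        String breakout = "x\" onmouseover=\"alert(1)";

        System.out.println(greetingUnsafe(script));
        System.out.println(greetingSafe(script));
        System.out.println(linkUnsafe(breakout));
        System.out.println(linkSafe(breakout));
    }
}
```

The reason `forHtml` is not enough on its own is visible in `linkSafe`: the same string needs URL encoding in the query position and HTML encoding in the text position, and an encoder for a JavaScript string literal or a CSS value would be different again. Input validation at the boundary is a useful second layer, but it is the context-specific encoding at the point of output that stops the injection.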
Educational / Practices | |||
Encrypting with SSL/TLS | 571 | about 1 month ago | Step by step guide for encrypting client and server communication |
Educational / Specifications | |||
JSR 115: Java Authorization Contract for Containers | | | JACC: the contract between a Java EE container and a pluggable authorization provider; continued as Jakarta Authorization |
JSR 196: Java Authentication Service Provider Interface for Containers | | | JASPIC: pluggable authentication modules for the servlet and message layers; continued as Jakarta Authentication |
JSR 375: Java EE Security API | | | Portable authentication mechanisms, identity stores and a security context for Java EE 8; continued as Jakarta Security |
Other / Reporting Bugs | |||
Java Security Reporting |