I am currently developing a quite straightforward CRUD webapplication for a company. I am using the Apache Tomcat 6.0 and JSTL 1.2
The application is on the road to being finished and withstands constructive testing and basic mischief such as invalid input format in forms.
The security level doesn’t have to be too high since it’s only for internal use, but still I’d like to have the basics covered.
I am now trying to harden and or achieve failsafety/exceptionsafety and am looking for general hints and tipps where the usualy error sources lie.
What I already have thought of:
- SQL Injection (‘fixed’ using Prepared Statements)
- Fail gracefully on SQL-Exceptions
- Range checking on parameters such as pagenumbers
What are your recommendations to this?
Thanks in advance
The OWASP (Open Web Application Security Project) guide on Tomcat is pretty thorough. Many excellent resources on that site.