Core Security Patterns - Ramesh Nagappan CISSP and Chris Steel CISSP

What experts say about "Core Security Patterns" ?

“Java is a language designed with security in mind. It provides the application developer with essential security mechanisms and support in avoiding critical security bugs common in other languages. A language, however, can only go so far. The developer must understand the security requirements of the application and how to use the features Java provides in order to meet those requirements. Core Security Patterns by Lai, Nagappan and Steel addresses both aspects of security and will be a guide to developers everywhere in creating more secure applications.”

- Dr. Whitfield Diffie,
Inventor of Public-key Cryptography.

“From the ground up, the Java platform is designed for security. Read this book to learn how to apply patterns and proven technologies to secure your J2EE applications and beyond”

- Dr. James Gosling,
Father of Java Programming Language

“A Comprehensive book on Security Patterns, which are critical for secure programming”

- Li Gong, Former Chief Java Security Architect,
Sun Microsystems
Co-Author, Inside Java 2 Platform Security

"Like Core J2EE Patterns, this book delivers a proactive and patterns-driven approach for designing end-to-end security in your applications. Leveraging the authors' strong security experience, they created a must-have book for any designer/developer looking to create secure applications."

- John Crupi ,
Distinguished Engineer, Sun Microsystems - Co-Author of Core J2EE Patterns

"As developers of existing applications, or future innovators that will drive the next generation of highly distributed applications, the patterns and best practices outlined in this book will be an important asset to your development efforts".

- Joe Uniejewski,
Chief Technology Officer, Sr.Vice President
RSA Security Inc.

"This book makes an important case for taking a proactive approach to security rather than relying on the reactive security approach common in the software industry".

- Judy Lin,
Executive Vice President,
VeriSign, Inc.

“This book provides a comprehensive patterns-driven approach and methodology for effectively incorporating security into your applications. I recommend that every application developer keep a copy of this indespensible security reference by their side.”

- Bill Hamilton, Author of ADO.NET Cookbook, ADO.NET in a Nutshell, NUnit Pocket Reference

"As a trusted advisory, this book will serve as a Java Developer's security handbook providing applied patterns and design strategies for securing Java applications."

- Shaheen Nasirudheen CISSP,
Vice President,
JPMorgan Chase

"The two reference books that I found most valuable were “Core Security Patterns: Best Practices and Strategies for J2EE, Web Services and Identity Management”, by Christopher Steel, Ramesh Nagappan and Ray Lai and “The Unified Modeling Language User Guide Second Edition” by Grady Booch, James Rumbaugh and Ivar Jacobson. The need for security to be incorporated into our computer systems is obvious, and each new issue of a UML book by the three amigos is one that I will use and reuse".

                                - Charles Ashbacher,
                                   “My best books of the Year 2005”,
                                    in JOT - Journal of Object Technology, vol. 5, no. 1,
                                    January-February, pp159-161, http://www.jot.fm/books/review18
                                    JOT is published by Swedish Federal Institute of Technology, Zurich

" I have been asked a couple of times about a book about security patterns when I have given my patterns course. I'm afraid I really can't say that security is my field at all, but from the little I do know I didn't think that there was such a book. Anyway, the other day "Core Security Patterns" dropped down on my desk. Perhaps it's just the book they were looking for. "

Jimmy Nilsson's Weblog

Jimmy Nilsson, Microsoft MVP, CEO of JN SystemKonsult AB (JNSK), Sweden
Author of "Applying Domain-Driven Design and Patterns"
and
".NET Enterprise Design"

" I've just added 2 new books to my Java library: Core Security Patterns, and Core J2EE Patterns. Core J2EE patterns is a great reference for enterprise application architecture and design patterns. But, I am most intrigued by Core Security Patterns. Core Security Patterns covers all manner of Java security-related topics. . . . . .This book, coupled with Core J2EE Patterns, will give you a great foundation for developing secure, enterprise-scale applications. While I just purchased this book recently and haven't had time to go through all of it, I definitely am impressed by what I've seen so far, and highly recommend it to anyone involved in developing security-relevant applications."

Read the complete review at WhoAmI Weblog

WhoAmI - Java and Identity Management
(JRoller - JavaLobby Community Weblog)
Feb 01, 2006

". . . Having said, it probably goes deeper than most primers go. Pretty much all J2EE security API’s are given a treatment like JCA,JCE, JAAS, JSSE, JGSS etc.. along with the Web Services concepts of XML Signature, encryption, OASIS Security, SAML, Liberty Alliance. All this coverage is leveraged in the meat of the book: 23 Security patterns. Most likely, if you doing any kind of architecture you’ve encountered some of these patterns in some form or another. The patterns are categorized into tiers (Web, Business and Web Services). Also included are design strategies for user provisioning and entitlement services, single signon etc. Each section includes a ‘reality check’ and ‘pitfalls’ entry. The authors then put together the obligatory case study that puts together the pattern realizations. The book wraps up with a discussion of Smart Cards and Biometrics which was particular interesting to me because I wondered what the causes of match failures could be and how they could be handled. The authors also include a nice job of showing how Biometrics are implemented in a J2EE environment.
One of the more enlightening discussions included Trust scenarios when calling from the Web Tier into the Business tier/Web Services tier requires that security info be propagated from the client and patterns/design strategies for secure logging.

This book is highly recommended."

GeekRead.com
Read the complete review at Weblog

"If you are involved in java/ Java 2 Platform, Enterprise Edition (J2EE) development/architecture design or security testing, this book is a must to have. Written by three of the top security gurus in the field, it contains everything you might need to know on security aspects in the Java/J2EE environment. Although it is a technical book, the way the authors explain their subject matter makes this book valuable to all, not only to the J2EE/Java specialists amongst us. It does, however, require basic knowledge of the environment and implementation architectures. The book is definitely written for developers and architects.

Having read other books on patterns in the J2EE environment, this is definitely the best example-oriented security book (I have read) for demonstrating how patterns can be applied in enterprise application security situations. Core Security Patterns is very comprehensive – containing 1039 pages – and is packed with practical examples. It starts off with the basics of security, and ends with the use of smartcards and biometrics for secure personal identification.

The typical security issues a java developer deals with on a day-to-day basis are covered and very well explained. This will allow a team to develop secure applications from the word ‘go’ rather than having security built in after completion of the security assessment of the application.

I would definitely advise each J2EE development team to at least have one copy of this book in its library (and have all team members be familiar with the content). This book is a must have if you are involved in any security testing in a Java/J2EE architecture environment."

Henk Coetzee
Test Focus, South Africa
http://www.testfocus.co.za/bookreviews/brmar2006.htm

I recommend this book for everyone who wants to know everything about security in Java applications. I like "Chapter 1: Security by Default" and "Chapter 2: Basics of Security", they are a good introduction to security concepts. I found in this book a better way to express what I always think about the way some sysadmins take care of security,... they only pay attention to application security! It shows some interesting best practices and strategies to secure java applications and also web services. If you take care of security, you must buy this book.

Abner Ballardo Urco
OpenSourceSpot
http://www.opensourcespot.org/content/view/150/80/lang,es/