Secure coding standards

Secure coding standards

  1. OWASP – Open Web Application Security Project
  2. CWE – Common Weakness Enumeration
  3. SEI CERT –

Tool Used – Fortify (HP- security vulnerability code analyser )

OAuth

𝗔 𝗦𝘂𝗺𝗺𝗮𝗿𝘆 𝗼𝗳 𝗢𝗔𝘂𝘁𝗵 𝗮𝗻𝗱 𝗜𝘁𝘀 𝗨𝘀𝗲𝘀 🛡🔥

OAuth is an open protocol that enables secure authorization from web, mobile, or desktop applications. It’s used to grant access to services such as APIs and websites without needing to exchange passwords.

🔐 𝗪𝗵𝗮𝘁 𝗶𝘀 𝗢𝗔𝘂𝘁𝗵?
OAuth stands for Open Authorization. It’s an open protocol that enables secure authorization from web, mobile, or desktop applications. It allows users to share their private resources stored on one site with another site without having to give away their credentials such as username and password.

✍ 𝘍𝘰𝘳 𝘦𝘹𝘢𝘮𝘱𝘭𝘦, 𝘪𝘧 𝘺𝘰𝘶 𝘩𝘢𝘷𝘦 𝘢 𝘎𝘰𝘰𝘨𝘭𝘦 𝘢𝘤𝘤𝘰𝘶𝘯𝘵 𝘢𝘯𝘥 𝘸𝘢𝘯𝘵 𝘵𝘰 𝘢𝘤𝘤𝘦𝘴𝘴 𝘠𝘰𝘶𝘛𝘶𝘣𝘦 𝘰𝘳 𝘎𝘮𝘢𝘪𝘭 𝘴𝘦𝘳𝘷𝘪𝘤𝘦𝘴, 𝘺𝘰𝘶 𝘤𝘢𝘯 𝘶𝘴𝘦 𝘖𝘈𝘶𝘵𝘩 𝘪𝘯𝘴𝘵𝘦𝘢𝘥 𝘰𝘧 𝘱𝘳𝘰𝘷𝘪𝘥𝘪𝘯𝘨 𝘺𝘰𝘶𝘳 𝘎𝘰𝘰𝘨𝘭𝘦 𝘢𝘤𝘤𝘰𝘶𝘯𝘵 𝘤𝘳𝘦𝘥𝘦𝘯𝘵𝘪𝘢𝘭𝘴.

🔐 𝗛𝗼𝘄 𝗗𝗼𝗲𝘀 𝗢𝗔𝘂𝘁𝗵 𝗪𝗼𝗿𝗸?
OAuth works by authenticating the user’s identity without them having to provide their login details directly. The process involves the user being redirected to the service provider where they are asked to approve the application that requests access. Once approved, the service provider sends back an access token which can then be used by the application to make authorized requests on behalf of the user.

Security Intro

Objective –

  1. meaning /structure of security mechanism
  2. where used? use case
  3. Implementation

Index

  1. Introduction
  2. Basic username-pwd
  3. JWT
  4. Oauth ( micro-services)
  5. Digital Signature (NPCI)

Introduction

Session, Cookie, JWT, Token, SSO, and OAuth 2.0 – here’s what you need to know

These terms are essential for identifying, authenticating, and authorizing users online. Let’s dive in👇

𝗪𝗪𝗪-𝗔𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗲
🔹 Oldest & most basic method
🔹 Browser asks for username & password
🔹 Lacks control over login life cycle
🔹 Rarely used today

𝗦𝗲𝘀𝘀𝗶𝗼𝗻-𝗖𝗼𝗼𝗸𝗶𝗲
🔹 Server maintains session storage
🔹 Browser keeps session ID
🔹 Works mainly with browsers, not mobile app friendly

𝗧𝗼𝗸𝗲𝗻
🔹 Compatible with mobile apps
🔹 Client sends token to server for validation

𝗝𝗪𝗧 (𝗝𝗦𝗢𝗡 𝗪𝗲𝗯 𝗧𝗼𝗸𝗲𝗻)
🔹 Standard representation of tokens
🔹 Digitally signed & verifiable
🔹 No need to save session info server-side

𝗦𝗦𝗢 (𝗦𝗶𝗻𝗴𝗹𝗲 𝗦𝗶𝗴𝗻-𝗢𝗻) & 𝗢𝗔𝘂𝘁𝗵 𝟮.𝟬
🔹 SSO: Log in once, access multiple sites
🔹 Uses CAS (central authentication service)
🔹 OAuth 2.0: Authorize one site to access info on another

JWT

Index

  1. What is JWT?
  2. When to use and why?
  3. Application

𝗪𝗵𝗮𝘁 𝗶𝘀 𝗝𝗪𝗧?

Securing the API is one of the most important things to do to prevent its abuse. It is done via the authentication and authorisation process and the most used is the 𝗝𝗪𝗧 token-based mechanism.

JSON Web Token is a standard that is used to share information between client and server as a JSON object.

Official Introduction- https://jwt.io/introduction

It is represented as a string that consists of 3 parts: (Memory map JWT[3words 3 parts – H.P.S. – Header Payload Signature])

  1. 𝗛𝗲𝗮𝗱𝗲𝗿: It consists of token type(typ) and signing algorithm that is used(alg). The type will always be JWT, and the signing algorithm can be HMAC SHA256 or RSA.
  2. 𝗣𝗮𝘆𝗹𝗼𝗮𝗱: This part contains related data(mostly for users) known as claims. There are three types of claims:
    • 𝗥𝗲𝗴𝗶𝘀𝘁𝗲𝗿𝗲𝗱 – claims that are recommended to use for interoperability like issuer(iss), subject(sub), expiration time(exp), etc.
    • 𝗣𝘂𝗯𝗹𝗶𝗰 – contains generic information like email, name, or role. It’s recommended to use collision-resistant names to avoid collision with private claims.
    • 𝗣𝗿𝗶𝘃𝗮𝘁𝗲 – custom claims
  3. 𝗦𝗶𝗴𝗻𝗮𝘁𝘂𝗿𝗲: It ensures that the token hasn’t been altered. JWT is signed with the algorithm from a header, and the signature consists of an encoded header and payload, and secret.

A string is always encoded like a Base64 string where every part is separated by dots and like that is easily passed in HTTP environments through HTTP headers.

Note:

  1. the claim names are only three characters long as JWT is meant to be compact.
  2. though signed tokens are protected against tampering, is readable by anyone(base-64 decry-pt). Do not put secret information in the payload or header elements of a JWT unless it is encrypted. (Note – the token is encoded not encrypted)

Relevant articles on encryption vs encoding

Where JWT Is used? (refer official link above for description)

  1. Authorisation
  2. Information exchange

When to use and why?

In cases of S2S cases, no needed to maintain additional tokens for 3rd party.

Application

Artificial Intelligence

AI tools that gives you superpowers and save countless hours!

(Multi)media generation/modification

  1. 🎧 Krisp: Enjoy peaceful calls with AI that removes background noise. https://krisp.ai/
  2. 🎵 Beatoven: Create unique, royalty-free music. https://www.beatoven.ai/
  3. 🎙️ Cleanvoice: Edit podcast episodes automatically. https://cleanvoice.ai/
  4. 🎤 Podcastle: Studio-quality recording from your computer. https://podcastle.ai/
  5. Video

Content generation

  1. 📸 Stockimg: Find the perfect stock photo every time. https://stockimg.ai/

Professional use tools

  1. Emails
  2. Resume
  3. Meetings

Miscellaneous

🤖 theresanaiforthat: A comprehensive database of AI tools for every task. https://lnkd.in/dKhqaaF3

——————————————————————

Junit and Mocking and spy

Index

  • Junit
  • Mockito
  • testing private method (reflection ,powermock)

2 testing fameworks- MOckito abd Sping testing

MOckMOckBean
annotationpary of MockitoframeworkSPring testing framework
framework@RunWith(MockitoJUnitRunner.class) public class MyServiceTest { @Mock private MyRepository myRepository;@SpringBootTest public class MyServiceIntegrationTest { @Autowired private MyService myService; @MockBean private MyRepository myRepository;
PurposeUnitTetsingIntegration testing

Spy vs Mock

@spy@Mock
Functionalitypartially mocked version of a real object.complete replacement for a real object.
CreationWraps an existing objectCreates a new object
ControlPartial control (can define specific behaviors for specific methods)Full control over behavior
Use caseTesting interactions within a real object with some real behaviorIsolating dependencies, unit testing with specific behavior
accesscan access private methods of the original objectcannot access private methods of the original object
examplebelow codebelow code //

Mock usage

// Interface we want to test
public interface EmailService {
  void sendEmail(String recipient, String message);
}

// Test class using mock
@Test
public void testSendEmail() {
  // Create a mock object of EmailService
  EmailService mockEmailService = Mockito.mock(EmailService.class);

  // Define behavior for the mock object
  Mockito.when(mockEmailService.sendEmail("user@example.com", "Hello world!")).thenReturn(true);

  // Use the mock object in your test logic
  myService.sendNotification(mockEmailService, "user@example.com", "Hello world!");

  // Verify interactions with the mock object
  Mockito.verify(mockEmailService).sendEmail("user@example.com", "Hello world!");
}

IN above example :

  • We create a mock object of EmailService using Mockito.mock.
  • We define behavior for the sendEmail method using Mockito.when. Here, it always returns true.
  • We use the mock object in the test and verify its interaction later.

Spy usage

// Real implementation of EmailService
public class RealEmailService implements EmailService {
  @Override
  public void sendEmail(String recipient, String message) {
    // Send email logic goes here (not shown for simplicity)
  }
}

// Test class using spy
@Test
public void testSendEmailWithSpy() {
  // Create a real object
  EmailService realEmailService = new RealEmailService();

  // Create a spy object from the real object
  EmailService spyEmailService = Mockito.spy(realEmailService);

  // Define behavior for specific method (optional)
  Mockito.when(spyEmailService.sendEmail("admin@example.com", "Alert!")).thenReturn("Sent successfully");

  // Use the spy object in your test logic
  myService.sendNotification(spyEmailService, "user@example.com", "Hello world!");
  myService.sendNotification(spyEmailService, "admin@example.com", "Alert!");

  // Verify interactions (optional)
  Mockito.verify(spyEmailService, times(2)).sendEmail(anyString(), anyString());
}

IN above example :

  • Create a real RealEmailService object.
  • Create a spy of the RealEmailService using Mockito.spy.
  • Define behavior for the sendEmail method to return a specific message for “admin@example.com” email.
  • Use the spy object and verify interactions (optional).

		<dependency>
			<groupId>org.powermock</groupId>
			<artifactId>powermock-module-junit4</artifactId>
			<version>1.7.4</version>
		</dependency>

https://www.learnbestcoding.com/post/21/unit-test-private-methods-and-classes

REfernce

https://www.tutorialspoint.com/mockito/mockito_spying.htm

Quartz

Quartz provides a way to schedule the recurring execution of job.

Important Points

  • Quartz differentiates between Job (What/Task) and Trigger (when) – so both appear as different statement
  • Two types pf scheduling- simple and cron based.
  • Quartz related properties related to cron and others are usually kept in quartz.properties

Cron expression and their meaning-

  1. http://www.quartz-scheduler.org/documentation/quartz-2.3.0/tutorials/crontrigger.html

Questions

Configuration – number of thread pool size.

Asymptotic Analysis and notation

Index

  1. Time Complexity
  2. Common DS Operations Time Complexity and Space Complexity

Time-complexity

Big-O notation: 𝑂O

It describes the asymptotic upper bound, the worst case of time complexity. i.e the max number of times a statement executes. 

Measurement of time complexity

  1. O(N) Linear TC – When the number of operation growth is proportional to input i.e same number of operation as the input size then it’s Linear TC
  2. O(N^2) – Quadratic Algorithm TC
  3. O(LogN) -when algorithm decreases the input data in each step
    • Example Binary search
  4. O(2^n) – opeation doubles with each increment in input data.

Growth Order

O(n!) > O(2 ^n) > O(n^3) > O(n^2) > O(nlogn) > O(n) > O(Log N) > O(sqrt(N)) > 1