Security Essentials
Input validation, secrets handling, and OWASP Top-10 awareness for Java developers.
On this page
Every application is a target. Security isn't a feature you bolt on at the end - it's a mindset woven throughout development. This final lesson covers the essentials every Java developer must know to avoid the most common, damaging mistakes.
Think like an attacker
You don't secure a house by installing one great lock and leaving the windows open. You think about every way in - doors, windows, the garage. Security is that mindset: assume every input could be hostile and every entry point could be probed. Defense in depth beats a single strong wall.
Never trust input
The golden rule: all input is guilty until proven innocent. Validate and sanitize everything from users, APIs, files, and URLs.
// Validate early, reject bad input
public void setAge(int age) {
if (age < 0 || age > 150) {
throw new IllegalArgumentException("Invalid age");
}
this.age = age;
}Injection attacks
Injection happens when untrusted input is treated as code or commands.
- SQL injection - you saw this in the JDBC lesson. Always use
PreparedStatementwith parameters, never string concatenation. - Cross-site scripting (XSS) - malicious scripts injected into web pages; escape/encode output rendered in HTML.
- Command injection - never build shell commands from raw user input.
// SAFE: parameters can't change the query's meaning
String sql = "SELECT * FROM users WHERE email = ?";
ps.setString(1, userInput);Injection tops the OWASP list for a reason
Injection flaws let attackers read or destroy data, or take over systems. The defense is always the same idea: keep data separate from code/commands, and use parameterized, escaped APIs rather than gluing strings together.
Store passwords correctly
Never store passwords in plain text. Hash them with a slow, salted algorithm built for passwords - BCrypt, Argon2, or scrypt:
// With Spring Security's BCrypt
String hash = passwordEncoder.encode(rawPassword); // store this hash
boolean ok = passwordEncoder.matches(rawPassword, hash); // verify at loginHashing is not encryption
A password hash is a one-way fingerprint - you can verify a password but never recover it. Use a password-specific hash (BCrypt/Argon2) with a per-user salt; never plain MD5/SHA or reversible encryption. If your database leaks, proper hashing is what protects your users.
Authentication vs. authorization
Two related but distinct ideas:
- Authentication - who are you? (login, verifying identity)
- Authorization - what are you allowed to do? (permissions, roles)
Checking in with ID proves who you are (authentication). Your key card only opens your room and the gym, not other guests' rooms (authorization). Confusing the two - letting anyone who logs in do anything - is a classic, serious mistake.
Frameworks like Spring Security handle both robustly. Don't roll your own auth.
Manage secrets and dependencies
- Secrets (API keys, DB passwords) belong in environment variables or a secrets manager - never in code or Git.
- Dependencies can carry known vulnerabilities. Keep them updated and scan them (tools like OWASP Dependency-Check or your platform's scanner).
- Use HTTPS everywhere so data is encrypted in transit.
- Apply least privilege - every account and service gets only the access it truly needs.
The OWASP Top 10
The OWASP Top 10 is the industry's list of the most critical web security risks - injection, broken authentication, security misconfiguration, and more. Every professional developer should know it.
Security is everyone's job
Security isn't only the 'security team's' responsibility. Every line you write is a potential vulnerability or a defense. Build the habits - validate input, parameterize queries, hash passwords, manage secrets - into your daily coding, and most common breaches simply never happen.
Quick check
How should you store user passwords in a database?
Key takeaways
- Treat all input as hostile - validate and sanitize everything, early.
- Prevent injection by keeping data separate from code: PreparedStatements, output encoding, no shell strings.
- Never store plain-text passwords - hash with salted BCrypt/Argon2; hashing is one-way, not encryption.
- Authentication is who you are; authorization is what you may do - use a proven library like Spring Security.
- Keep secrets out of code, update and scan dependencies, use HTTPS, and apply least privilege.
- Learn the OWASP Top 10 - security is every developer's daily responsibility.
Congratulations - you've completed the entire Javaneer journey! 🎉 From your
first Hello, World! to system design and security, you now have a genuine,
well-rounded command of Java. Keep building, keep learning, and go create
something great.