In today's world IT security is quite an important aspect. Most people have realized that information technology can cause a lot of harm if misused.
The last half-century of computing contained a lot to learn from, in terms of security, and not only for enterprise software.
Let's look into a few lessons learned from the past of enterprise application development. In previous years, the biggest security issues were encryption and approaches on how to manage credentials.
Encrypting and signing data is an incredibly safe way of keeping secrets, if applied correctly. It solely depends on the used algorithms and the key lengths.
There were quite a few encryption and hashing algorithms that turned out to not be secure enough. DES is an example, as well as the often-used MD5 hashing algorithm. As of writing this book, AES with 192- or 256-bit key lengths is considered secure. For the hashing algorithm, SHA-2 or -3 with at least 256 bits is advised.
User credentials that are stored as part of the application must not be stored in plain text. There have been too many security breaches in the past that especially targeted databases where the passwords resided. Also, simply hashing passwords without providing proper password salts is discouraged.
In general, it's highly advisable for enterprise developers not to implement security functionality themselves if they can avoid it. The idea of companies was to create their own security implementations that weren't used anywhere else and, therefore, provide security by obscurity. This, however, turns out to have had the opposite effect, and, unless security experts are involved, in fact leads to, less secure solutions.
The vast majority of enterprise security demands don't require their own, custom implementations. Enterprise frameworks and the implementations thereof already ship with corresponding functionality that has been well-tested in numerous use cases. We will have a look at these APIs for Java Enterprise later in this chapter.
If the application requires the custom use of encryption, then implementations provided by runtime or third-party dependencies must be used. The Java platform offers the Java Cryptography Extension (JCE) for this reason. It provides implementations for modern encryption and hashing algorithms.
In general, applications should only process and store secure information when it's absolutely required by the business use case. In particular, for authentication and authorization, there are ways that avoid storing user credentials in multiple systems.