guardrailsio/awesome-java-security

A curated list of awesome Java security-related resources.

List inspired by the awesome list thing.

Supported by: GuardRails.io


Contents

Tools

Web Framework Hardening

  • Apache Shiro - A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
  • JJWT - Java JWT: JSON Web Token for Java and Android.
  • OWASP ESAPI Java - Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
  • PAC4J - Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
  • Spring Security - A powerful and highly customizable authentication and access-control framework.
  • Spring Security OAuth - Support for adding OAuth1(a) and OAuth2 features (consumer and provider) to Spring web applications.

Multi tools

  • hawkeye - Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and Java.
  • GuardRails - A GitHub App that gives you instant security feedback in your Pull Requests.

Static Code Analysis

  • SpotBugs - SpotBugs is FindBugs' successor, a static analysis tool that looks for bugs in Java code.
  • Find Security Bugs - SpotBugs plugin for security audits of Java web applications and Android applications.
  • Detect Secrets - An enterprise friendly way of detecting and preventing secrets in code.
  • Gitrob - Gitrob is a tool to help find potentially sensitive files pushed to public repositories on GitHub.
  • SonarQube - SonarQube provides the capability to show the health of an application and highlight newly introduced issues.
  • Oversecured - A static analyzer for Android apps (APK files) that searches for security vulnerabilities. Covers 90+ vulnerability categories.
  • Bearer - A static code security analyzer to discover, filter and prioritize security and privacy risks.

Runtime Analysis

  • Code Pulse - Code Pulse is a real-time code coverage tool for penetration testing activities.
  • OWASP ZAP - Helps automatically find security vulnerabilities in your web applications.
  • Contrast Community Edition - Free runtime protection and vulnerability detection tool, identifying issues in running applications.

Vulnerabilities and Security Advisories

Cryptography

  • Bouncy Castle - Java implementation of cryptographic algorithms.
  • Conscrypt - Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension.
  • Cryptomator - Multi-platform transparent client-side encryption of your files in the cloud.
  • Keyczar - Easy-to-use crypto toolkit by Google.
  • Keywhiz - System for distributing and managing secrets.
  • Tink - Multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
  • ACME4J - Java ACME client for issuing X.509 certificates using Let's Encrypt or another ACME-based CA.

Educational

Hacking Playground

  • BodgeIt Store - A vulnerable web application aimed at people who are new to pen testing.
  • OWASP Benchmark - A Java test suite designed to verify the speed and accuracy of vulnerability detection tools.
  • Security Shepherd - Web and mobile application security training platform.
  • WebGoat - A deliberately insecure Java Web Application.

Articles, Guides & Talks

Practices

Specifications

Other

Reporting Bugs

Contributing

Found an awesome project, package, article, or another type of resource related to Java security? Open a pull request! Just follow the guidelines. Thank you!

License

CC0