Skip to content
Awesome Java Security Resources šŸ•¶ā˜•šŸ”
Branch: master
Clone or download
Pull request Compare This branch is even with guardrailsio:master.
Fetching latest commitā€¦
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
CONTRIBUTING.MD
README.md
code-of-conduct.md

README.md


A curated list of awesome Java security-related resources.

Awesome

List inspired by the awesome list thing.

Supported by: GuardRails.io


Contents

Tools

Web Framework Hardening

  • Apache Shiro - A powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
  • JJWT - Java JWT: JSON Web Token for Java and Android.
  • OWASP ESAPI Java - Enterprise Security API is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
  • PAC4J - Security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services.
  • Spring Security - A powerful and highly customizable authentication and access-control framework.
  • Spring Security Oauth - Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.

Multi tools

  • hawkeye - Multi-purpose security/vulnerability/risk scanning tool supporting Ruby, Node.js, Python, PHP and Java.
  • GuardRails - A GitHub App that gives you instant security feedback in your Pull Requests.

Static Code Analysis

  • Spotbugs - SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.
  • Find Security Bugs - SpotBugs plugin for security audits of Java web applications and Android applications.
  • Detect Secrets - An enterprise friendly way of detecting and preventing secrets in code.
  • Gitrob - Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.
  • Sonarqube - SonarQube provides the capability to show the health of an application and highlight newly introduced issues.

Runtime Analysis

  • Code Pulse - Code Pulse is a real-time code coverage tool for penetration testing activities.
  • OWASP ZAP - Helps automatically find security vulnerabilities in your web applications.
  • Contrast Community Edition - Free runtime protection and vulnerability detection tool, identifying issues in running applications.

Vulnerabilities and Security Advisories

Cryptography

  • Bouncy Castle - Java implementation of cryptographic algorithms.
  • Conscrypt - Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension.
  • Cryptomator - Multi-platform transparent client-side encryption of your files in the cloud.
  • Keyczar - Easy-to-use crypto toolkit by Google.
  • Keywhiz - System for distributing and managing secrets.
  • Tink - Multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
  • ACME4J - Java ACME client for issuing X.509 certificates using Let's Encrypt or another ACME based CA.

Educational

Hacking Playground

  • BodgeIt Store - A vulnerable web application aimed at people who are new to pen testing.
  • OWASP Benchmark - A Java test suite designed to verify the speed and accuracy of vulnerability detection tools.
  • Security Shepherd - Web and mobile application security training platform.
  • WebGoat - A deliberately insecure Java Web Application.

Articles, Guides & Talks

Specifications

Other

Reporting Bugs

Contributing

Found an awesome project, package, article, or another type of resources related to Java Security? Open a pull request! Just follow the guidelines. Thank you!

License

CC0

You canā€™t perform that action at this time.