
Security Concern Refactoring – Putu Ashintya Widhiartha Katsuhisa Maruyama ISSN 1858-1633 2005 ICTS 95

2.2. Cryptography

According to [4], strong cryptography is a critical piece of information security that can be applied at many levels, from data storage to network communication. People generally recognize that cryptography is important for protecting data from attack. However, they often do not realize that the misapplication of cryptography commonly leads to security problems. The ability to protect and secure information is vital to the growth of the Internet, especially electronic commerce. Consider a bank that serves its customers via the Internet: the bank must provide a secure method for customers to access their accounts. Thus, the bank needs a cryptographic method that can protect the data sent to and from its server. Java programmers mostly write code at a higher level, dealing mainly with the APIs; in other words, they have no strong connection with the principles and algorithms behind cryptography. Although Java provides two APIs, JCA (Java Cryptography Architecture) and JCE (Java Cryptography Extension), there are still opportunities to improve the quality of code security by learning more about cryptographic principles and applying them in our code.

2.3. Random Numbers

Random numbers are often required to provide a key in cryptography. Although random numbers may seem an unimportant factor, they can lead to problems in secure programming. Generating random numbers in a predictable manner makes it easier for attackers to disrupt our software. Thus, we need to consider a secure method for generating random numbers.

2.4. Anti-Tampering

Reverse engineering is a known threat to the security of software. With anti-tampering mechanisms we can increase the security level of our software by protecting secret data or algorithms and ensuring proper execution of the software. Although there are no easy answers for preventing reverse engineering of our compiled code, we can still apply several anti-tampering techniques to create obstacles for people who want to obtain the protected information in our software.

2.5. Error Handling

Error handling is also a simple matter that can lead to security problems if we do not pay enough attention to it. The most common problem in error handling occurs when internal error messages provide too much detail, such as stack traces, which should not be revealed to the user. Such information could be used by an attacker to disrupt our software. Consequently, the solution to this flaw is robust error handling that provides enough information to the user about the error without revealing any protected information.

2.6. Injection Flaws

Many programs work by accessing other programs or operating system features. If we write code that accesses the operating system and the code does not have any protection, malicious code could be implanted in our program, and that malicious code may then be able to access the operating system as well. Certainly, the easiest way to solve this problem is to avoid any access to other programs or the operating system. For many shell commands and some system calls, there are language-specific libraries that perform the same functions we need. Using such libraries does not involve the operating system shell interpreter, and therefore avoids a large number of problems with shell commands [8]. However, if we have to access the operating system or another program, we should make the operation secure and pass protected parameters into the operation call.
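
The refactoring described in this section, as an added Java example that is not code from the paper: a directory listing built from a shell command line is replaced by a library call, with a shell-free program call for the case where an external program is unavoidable. The class and method names, the directory-listing task, and the POSIX `sh` and `ls` programs are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.*;

public class ListingRefactor {
    // Before: the parameter is pasted into a shell command line, so the shell
    // interprets metacharacters in dirName. Shown for contrast; main never calls it.
    static Process listUnsafe(String dirName) throws IOException {
        return Runtime.getRuntime().exec(new String[] {"sh", "-c", "ls " + dirName});
    }

    // After (preferred): the same function through the Java library. No external
    // program or shell is involved, so dirName is only ever treated as a path.
    static List<String> listWithLibrary(Path base, String dirName) throws IOException {
        Path dir = resolveInside(base, dirName);
        List<String> names = new ArrayList<>();
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(dir)) {
            for (Path p : entries) names.add(p.getFileName().toString());
        }
        Collections.sort(names);
        return names;
    }

    // After (when an external program is unavoidable): no shell; the validated
    // parameter is passed as a single argument, and "--" ends option parsing.
    static ProcessBuilder listWithProgram(Path base, String dirName) throws IOException {
        return new ProcessBuilder("ls", "--", resolveInside(base, dirName).toString());
    }

    // Protected parameter: it must name an existing directory underneath base.
    static Path resolveInside(Path base, String dirName) throws IOException {
        Path root = base.toRealPath();
        Path dir = root.resolve(dirName).normalize();
        if (!Files.isDirectory(dir) || !dir.toRealPath().startsWith(root))
            throw new IllegalArgumentException("rejected parameter: " + dirName);
        return dir;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("demo");   // constructed sample data
        Files.createFile(Files.createDirectory(base.resolve("docs")).resolve("a.txt"));
        System.out.println(listWithLibrary(base, "docs"));
        System.out.println(listWithProgram(base, "docs").command());
        for (String hostile : new String[] {"docs; echo INJECTED", "../.."}) {
            try { listWithLibrary(base, hostile); }      // constructed hostile inputs
            catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
        }
    }
}
```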

2.7. Security Features in Java