I am in the process of developing a Java web app and I have a question about its security as a whole and when working with SQL servers. The Java app itself is for a medical health provider so it has to pass many of the HIPAA technical safeguards, and I need to know what security measures I should be researching for the application's security and its general security when handling SQL statements.
If Java isn't the language I should be using for this, then which language should I be looking at?
4 replies to this topic
#1
Posted 30 December 2011 - 06:48 PM
#2
Posted 31 December 2011 - 01:31 AM
If you use prepared statements to query your database, that should be safe enough.
You can also make different roles / logins on the database and, depending on which user is logged in, use that particular role. So a less important user will always use that role (datasource), and even if he manages to run a query on a table he's not supposed to be querying (due to a Java code failure) the database will still stop him because that role doesn't have the permissions.
In the end the biggest leak will be the people using your software / database.
Phone them, tell 'em you're Mr X and they'll go like, oh yeah sure Mr X, I'll look it up for you, and BAM, you've got all the info on Mr X you want.
You'd be surprised what some secretaries would give away over the phone without REALLY knowing who's on the other side.
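The two database-side controls described in the reply above, as an added example that is not code from the thread: a lookup built by string concatenation next to the same lookup as a PreparedStatement, plus a second, low-privilege login that refuses a write even when the Java code is tricked into issuing one. It assumes the H2 JDBC driver is on the classpath; the in-memory URL, the `patient` table, its rows and the `reader` login are all constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not from the thread). Demonstrates:
 *  1. PreparedStatement instead of string concatenation, and
 *  2. a separate low-privilege database login that refuses writes even if the
 *     application code is tricked into issuing them.
 * Assumes the H2 JDBC driver is on the classpath. The in-memory URL, the
 * "patient" table, its rows and the "reader" login are constructed for the demo.
 */
public class PatientLookup {

    static final String URL = "jdbc:h2:mem:phi_demo;DB_CLOSE_DELAY=-1";

    /** Constructed schema and data, plus a read-only login granted SELECT on one table only. */
    static void seed(Connection admin) throws SQLException {
        try (Statement s = admin.createStatement()) {
            s.execute("CREATE TABLE patient (id INT PRIMARY KEY, mrn VARCHAR(16), name VARCHAR(64))");
            s.execute("INSERT INTO patient VALUES (1, 'MRN-1001', 'Alice Example')");
            s.execute("INSERT INTO patient VALUES (2, 'MRN-1002', 'Bob Example')");
            s.execute("CREATE USER reader PASSWORD 'reader-pw'");
            s.execute("GRANT SELECT ON patient TO reader");
        }
    }

    /** Vulnerable: user input becomes part of the SQL text, so a quote in it rewrites the WHERE clause. */
    static List<String> findByMrnUnsafe(Connection c, String mrn) throws SQLException {
        String sql = "SELECT name FROM patient WHERE mrn = '" + mrn + "'";
        try (Statement s = c.createStatement(); ResultSet rs = s.executeQuery(sql)) {
            return names(rs);
        }
    }

    /** Hardened: the value is bound as a parameter and is only ever compared as data, never parsed as SQL. */
    static List<String> findByMrnSafe(Connection c, String mrn) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("SELECT name FROM patient WHERE mrn = ?")) {
            ps.setString(1, mrn);
            try (ResultSet rs = ps.executeQuery()) {
                return names(rs);
            }
        }
    }

    /** Second layer: raw SQL from a compromised code path still fails when the login lacks the right. */
    static boolean deleteRefusedForReader() throws SQLException {
        try (Connection reader = DriverManager.getConnection(URL, "reader", "reader-pw");
             Statement s = reader.createStatement()) {
            try {
                s.executeUpdate("DELETE FROM patient");
                return false; // the grant was wider than intended
            } catch (SQLException denied) {
                return true;  // H2 rejects the statement: reader holds SELECT only
            }
        }
    }

    static List<String> names(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString(1));
        }
        return out;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection admin = DriverManager.getConnection(URL, "sa", "")) {
            seed(admin);
            // Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
            String payload = "x' OR '1'='1";
            System.out.println("concatenated query returns: " + findByMrnUnsafe(admin, payload));
            System.out.println("prepared statement returns:  " + findByMrnSafe(admin, payload));
            System.out.println("DELETE as reader refused:    " + deleteRefusedForReader());
        }
    }
}
```

Run it with the H2 jar on the classpath (`java -cp h2.jar:. PatientLookup`). The concatenated version matches every row because the payload turns the predicate into `mrn = 'x' OR '1'='1'`; the prepared version looks for an MRN literally equal to the payload string. In a real deployment the application would hold two datasources configured with the two logins rather than opening the `reader` connection inline as done here.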
#3
Posted 31 December 2011 - 07:48 AM
So all I should be focusing on in terms of security is on the database side? I don't have to worry about anything on Java's side?
Btw, I love your avatar.
#4
Posted 31 December 2011 - 11:31 PM
Java has successfully been used many times over in environments such as that. Your job would be to implement the security into the language you are using, be it BASIC or Haskell.
A Wikipedia resource on the technical side of HIPAA states the following as guidelines or requirements:
- Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
- Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
- Data corroboration, including the use of check sum, double-keying, message authentication, and digital signature may be used to ensure data integrity.
- Covered entities must also authenticate entities with which they communicate. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include: password systems, two or three-way handshakes, telephone callback, and token systems.
- Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.
- In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.
- Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act’s security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
#5
Posted 02 January 2012 - 02:54 AM
xXAlphaXx said:
So all I should be focusing on in terms of security is on the database side? I don't have to worry about anything on Java's side?
Btw, I love your avatar.
No, the database side should be the last resort when all Java code has failed :P
A few questions:
Do you use Spring?
Is it a web application?
XML vs annotation configuration (just a preference)?