Comment: Automated update-Scrapy V0.1 Fixing Navigation links Automatic Navigation Script

Sensitive data must be protected from eavesdropping and malicious tampering during transit. An Obfuscated Transfer Object \[[Steel 2005|AA. Bibliography#Steel 05]\] that is strongly encrypted can protect data in exchanges that involve multiple business tiers or end user systems. This approach is known as _sealing_ the object. To guarantee object integrity, apply a digital signature to the sealed object.
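The sequence described above, as an added example that is not part of the original page: a serializable object is sealed with `javax.crypto.SealedObject`, the sealed object is signed with `java.security.SignedObject`, and the receiver verifies the signature before unsealing. The class name `SealThenSign`, the sample record, and the in-process key generation are assumptions for illustration; in a deployment the AES key and the signing key pair are provisioned out of band.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.util.HashMap;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SealedObject;
import javax.crypto.SecretKey;

public class SealThenSign {
    public static void main(String[] args) throws Exception {
        // Constructed sample data; any Serializable object can be sealed.
        HashMap<String, String> record = new HashMap<>();
        record.put("account", "12345-EXAMPLE");

        // Keys generated here only so the example runs stand-alone (assumption).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aesKey = kg.generateKey();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signingKeys = kpg.generateKeyPair();

        // Sender, step 1: seal (encrypt) the object. The provider picks a
        // random IV, and SealedObject stores it alongside the ciphertext.
        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        enc.init(Cipher.ENCRYPT_MODE, aesKey);
        SealedObject sealed = new SealedObject(record, enc);

        // Sender, step 2: apply a digital signature to the sealed object.
        SignedObject signed = new SignedObject(sealed, signingKeys.getPrivate(),
                Signature.getInstance("SHA256withRSA"));

        // Receiver: reject the message unless the signature verifies,
        // and only then decrypt the payload.
        if (!signed.verify(signingKeys.getPublic(),
                Signature.getInstance("SHA256withRSA"))) {
            throw new SecurityException("signature verification failed");
        }
        SealedObject received = (SealedObject) signed.getObject();
        @SuppressWarnings("unchecked")
        HashMap<String, String> clear =
                (HashMap<String, String>) received.getObject(aesKey);
        System.out.println("account = " + clear.get("account"));
    }
}
```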

...

\[[API 2006|AA. Bibliography#API 06]\] 
\[[Gong 2003|AA. Bibliography#Gong 03]\] 9.10 Sealing Objects
\[[Harold 1999|AA. Bibliography#Harold 99]\] Chapter 11: Object Serialization, Sealed Objects 
\[[Neward 2004|AA. Bibliography#Neward 04]\] Item 64: Use SignedObject to provide integrity of Serialized objects and Item 65: Use SealedObject to provide confidentiality of Serializable objects
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 319|http://cwe.mitre.org/data/definitions/319.html] "Cleartext Transmission of Sensitive Information"
\[[Steel 2005|AA. Bibliography#Steel 05]\] Chapter 10: Securing the Business Tier, Obfuscated Transfer Object

...
