Application Security Pitfalls
DESCRIPTION
Speaker: Mike Wiesner
Creating a secure application involves more than just applying Spring Security to it. This is of course not a new topic, but with the increased popularity of much more dynamic configurations for Servlet Containers and various Spring Projects, like Spring MVC and Spring Integration, it becomes more important to know about the security tradeoffs we might get with that, and how to tackle them.
TRANSCRIPT
Slide 1: Application Security Pitfalls
© 2013 SpringOne 2GX. All rights reserved. Do not distribute without permission.
By Mike Wiesner
[email protected]
https://github.com/mikewiesner/security-patterns-2013
Slide 2: Mike Wiesner
• Technical Instructor @Pivotal
• 10+ years experience in Java
  – As developer, consultant and instructor
• Focus on Application Security and Enterprise Integration
• Spring Security contributor
Slide 4: Application Security?
Slide 5
Enterprise Java = Spring
Spring + Security = Spring Security
Slide 6: Done?
Slide 7: OWASP Top Ten
(The slide marks, in two columns labelled "Spring Security" and "Spring Security 3.2", which items the framework addresses; the marks did not survive extraction.)
• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
Slide 8: Security is a process
Slide 9: SQL Injection
Diagram: Client → Login form → BBI Webserver → Database
Submitted form values: user = user, password = ' or '1' = '1
Resulting query:
select * from users where user = 'user' and password = '' or '1' = '1'
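The query on the slide is what string concatenation produces when the password field contains a quote. As an added example (not code from the deck or the speaker's repository), the vulnerable construction is shown beside the parameterized form; the hardened method assumes an open JDBC Connection and a hypothetical users table with the two columns the slide's query names.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginQueryDemo {

    // Vulnerable: the query on the slide is produced by concatenating the
    // submitted values into the SQL text, so a quote in the input ends the
    // string literal and the remainder is parsed as SQL.
    static String buildVulnerableQuery(String user, String password) {
        return "select * from users where user = '" + user
                + "' and password = '" + password + "'";
    }

    // Hardened: the SQL text is fixed and the submitted values travel as bound
    // parameters, so they are compared as data and cannot alter the statement.
    // Assumes an open JDBC Connection and a "users" table with these two
    // columns (hypothetical schema, matching the slide's query).
    static boolean credentialsMatch(Connection conn, String user, String password)
            throws SQLException {
        String sql = "select 1 from users where user = ? and password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: the two values typed into the login form on the slide.
        String user = "user";
        String injected = "' or '1' = '1";
        System.out.println(buildVulnerableQuery(user, injected));
        // With credentialsMatch() the same injected value is bound as the
        // password parameter and simply fails to match any stored password.
    }
}
```

The parameterized version also keeps the comparison in the database's hands: a real login would compare a password hash rather than a stored plaintext, which the deck lists separately under Insecure Cryptographic Storage.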
Slide 10: XML Processing
Slide 11: XML Processing
Demo flow components: fromFile, newOrderXml, download, box, downloadSecured, boxSecured
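The deck shows an unsecured and a secured variant of the XML demo flow but does not spell out which parser setting the secured variant changes. As an added example (not code from the deck or the speaker's repository), this is the standard hardening of a JDK JAXP DocumentBuilder: DTDs are refused outright, external entities and external DTD loading are off, and secure-processing limits are on. The sample order documents are constructed inline; the feature URIs are the SAX/Xerces names the JDK parser understands.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class SecuredXmlParsing {

    // Hardened JAXP factory: no DOCTYPE, no external entities, no external
    // DTD, no XInclude, secure-processing limits on.
    static DocumentBuilder securedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses one order document with a fresh hardened builder; returns true
    // if it parsed as an <order>, false if the parser refused it.
    static boolean parseOrder(String xml) {
        try {
            Document doc = securedBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "order".equals(doc.getDocumentElement().getTagName());
        } catch (ParserConfigurationException | SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a plain order document, as newOrderXml might carry.
        String plain = "<order><item sku=\"A1\" qty=\"2\"/></order>";
        // Constructed sample: the same document preceded by an internal DTD.
        // The hardened parser rejects the DOCTYPE before any entity it declares
        // could be expanded or resolved.
        String withDoctype = "<!DOCTYPE order [<!ENTITY x \"y\">]><order>&x;</order>";
        System.out.println("plain accepted: " + parseOrder(plain));
        System.out.println("doctype accepted: " + parseOrder(withDoctype));
    }
}
```

Refusing the DOCTYPE is the single setting that matters most; the remaining features are there for parsers or code paths where a DTD has to be tolerated. The same features apply to SAXParserFactory and, with their own equivalents, to StAX and the transformers Spring Integration's XML support builds on.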
Slide 12: Still awake?
Slide 13: Demo Time!
Slide 14: Input Validation
Slide 15: JSR-303: Bean Validation
import javax.validation.constraints.NotNull;
import org.hibernate.validator.constraints.Length; // Hibernate Validator constraint; the JSR-303 standard equivalent is @Size

public class Address {
    @NotNull @Length(max = 30)
    private String addressline1;

    @Length(max = 30)
    private String addressline2;
}
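The annotations on the slide describe constraints but enforce nothing by themselves; something has to run the validator. As an added example (not code from the deck or the speaker's repository), the Address bean is validated programmatically so the violations become visible. It assumes a JSR-303 provider is on the classpath (Hibernate Validator, which supplies @Length, together with its Expression Language dependency); in a Spring MVC application the same validation runs when a handler parameter is annotated with @Valid.

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;
import org.hibernate.validator.constraints.Length;

public class AddressValidationDemo {

    // The Address bean from the slide, with a constructor for the demo.
    public static class Address {
        @NotNull @Length(max = 30) private String addressline1;
        @Length(max = 30) private String addressline2;

        public Address(String line1, String line2) {
            this.addressline1 = line1;
            this.addressline2 = line2;
        }
    }

    // Runs the declared constraints and returns the number violated.
    // Nothing validates automatically: the web layer (Spring MVC's @Valid,
    // for instance) must invoke a Validator, otherwise the annotations are inert.
    static int violationCount(Address address) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        Set<ConstraintViolation<Address>> violations = validator.validate(address);
        for (ConstraintViolation<Address> cv : violations) {
            System.out.println(cv.getPropertyPath() + ": " + cv.getMessage());
        }
        return violations.size();
    }

    public static void main(String[] args) {
        // Constructed inputs: one valid address, one that breaks both constraints
        // (missing first line, second line longer than 30 characters).
        Address valid = new Address("1 Main Street", null);
        Address invalid = new Address(null, "x".repeat(31));
        System.out.println("valid address violations: " + violationCount(valid));
        System.out.println("invalid address violations: " + violationCount(invalid));
    }
}
```

A length bound and a null check are the least the web layer should apply to an address field; the point of the slide is that the constraints live on the bean and therefore travel with it to every entry point, provided each entry point actually validates.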
Slide 16: Trust Zones
Slide 19: Demo Time!
Slide 20: OWASP Top Ten
The same ten items as slide 7, now with a third column labelled "Your code" beside "Spring Security" and "Spring Security 3.2".
Slide 21: Typical Architecture
Spring MVC → Services → Spring Data Repos → DB
Slide 22: Spring XML & Servlet 2.5 config
Spring MVC: webmvc-config.xml
Services: application-context.xml
Spring Data Repos: application-context-jpa.xml, persistence.xml
DB: prod/test-infrastructure.xml
Servlet Container: web.xml
Slide 23: Spring Java and Servlet 3.x config
Spring MVC: SpringWebMvcConfig.java
Services: SpringCoreConfig.java
Spring Data Repos: SpringRepoConfig.java
DB: InfraProductionConfig.java
Servlet Container: WebContainerConfig.java
Slide 24: Demo Time!
Slide 25: Servlet 3.x web.xml replacements
• Dynamic configuration available with:
• Annotated web components
  – E.g. @WebServlet, @WebFilter
  – Disable with metadata-complete="true" in web.xml
• Web fragments
  – web-fragment.xml
  – E.g. Spring WebApplicationInitializer
  – Disable with <absolute-ordering/> in web.xml
Slide 26: How Spring's WAI works
spring-web.jar
  META-INF/web-fragment.xml
  META-INF/services/javax.servlet.ServletContainerInitializer
    → org.springframework.web.SpringServletContainerInitializer
      → org.springframework.web.WebApplicationInitializer
Slide 27: Demo Time!
Slide 28: “Hidden” Framework features
Slide 29: Demo Time!
Slide 30: OWASP Top Ten
The same ten items as slide 7, with the three columns "Spring Security", "Spring Security 3.2" and "Your code".
Slide 31: Done?
Slide 32: Encoding Problems
Diagram: Browser → Internet → Tomcat → File-System
Request path segment: ../ sent as %C0%AE%C0%AE%C0%AF
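The slide's point is that %C0%AE is an overlong UTF-8 spelling of '.', so a decoder that tolerates it turns %C0%AE%C0%AE%C0%AF into ../ after the path has already been checked. As an added example (not code from the deck or the speaker's repository), this resolver percent-decodes to bytes first, decodes those bytes as strict UTF-8 so overlong sequences are reported rather than accepted, and only then normalizes the result against the document root and refuses anything that lands outside it. The document root and the request paths are constructed for the demo; nothing is read from disk.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafePathResolver {

    // Percent-decodes a request path into raw bytes, then decodes those bytes
    // as strict UTF-8. Overlong forms such as %C0%AE are malformed UTF-8 and
    // are reported instead of being quietly mapped to '.'.
    static String strictDecode(String encoded) throws CharacterCodingException {
        ByteBuffer raw = ByteBuffer.allocate(encoded.length());
        for (int i = 0; i < encoded.length(); i++) {
            char c = encoded.charAt(i);
            if (c == '%') {
                if (i + 2 >= encoded.length()) throw new CharacterCodingException();
                try {
                    raw.put((byte) Integer.parseInt(encoded.substring(i + 1, i + 3), 16));
                } catch (NumberFormatException e) {
                    throw new CharacterCodingException();
                }
                i += 2;
            } else if (c < 0x80) {
                raw.put((byte) c);
            } else {
                throw new CharacterCodingException(); // non-ASCII must arrive percent-encoded
            }
        }
        raw.flip();
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(raw)
                .toString();
    }

    // Resolves a decoded request path against the document root and refuses
    // anything that normalizes to a location outside it. Path.startsWith
    // compares whole path components, so "/var/www/app2" does not pass for
    // a root of "/var/www/app".
    static Path resolveUnderRoot(Path root, String requestPath) throws CharacterCodingException {
        String decoded = strictDecode(requestPath);
        String relative = decoded.startsWith("/") ? decoded.substring(1) : decoded;
        Path target = root.resolve(relative).normalize();
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("path escapes document root: " + requestPath);
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/www/app").normalize(); // constructed document root
        // Constructed request paths: a normal file, a plain traversal, and the
        // overlong-encoded traversal from the slide.
        String[] requests = {"/index.html", "/../etc/passwd", "/%C0%AE%C0%AE%C0%AF/etc/passwd"};
        for (String r : requests) {
            try {
                System.out.println(r + " -> " + resolveUnderRoot(root, r));
            } catch (CharacterCodingException e) {
                System.out.println(r + " -> rejected: malformed encoding");
            } catch (IllegalArgumentException e) {
                System.out.println(r + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The order of operations is the whole defence: decode completely, then normalize, then check containment, and never repeat a decoding step after the check. The same applies at each hop in the slide's diagram, since the browser, an intermediate proxy and Tomcat may each decode once and disagree about what the bytes mean.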
Slide 33: Defense in Depth
Slide 34: Conclusion
• Application Security is a process, not a feature.
• EVERY developer needs to know about Application Security
• Shouldn’t negatively impact innovation and architecture
• Frameworks can help you
  – But you need to understand them
Slide 35: Learn More. Stay Connected.
[email protected]
https://github.com/mikewiesner/security-patterns-2013
Talk to us on Twitter: @springcentral
Find session replays on YouTube: spring.io/video