java web security - tools & tips
TRANSCRIPT
![Page 1: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/1.jpg)
Java Web Security - Tools & Tips
Michael Dowden (@mrdowden)
![Page 2: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/2.jpg)
Goals
➔Know some Java security tools
➔Understand some common attacks
➔Prepared to implement basic software security
➔Able to research security topics
![Page 3: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/3.jpg)
Overview
➔Java Security Tools
➔Attack Vectors
➔Security Principles & Terminology
➔Common Attacks
➔Implementation Examples
![Page 4: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/4.jpg)
Michael Dowden
➔ Education
◆ BS Computer Science
◆ MBA Entrepreneurship
➔ Experience
◆ Software Development and IT since 1992
◆ 12+ years software security
◆ Full Stack - Hardware to User Interface
◆ Worked with 60+ organizations in multiple industries
Co Founder & Product Architect @ FlexePark
![Page 5: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/5.jpg)
Internet Security
![Page 6: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/6.jpg)
(Diagram: HTTP Request / Response between a Client (Web Browser) and a Server across the Internet, with the User and the System Administrator labelled at either end.)
![Page 7: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/7.jpg)
Attack Vectors... and modes of delivery
(Diagram: the same Client (Web Browser) / Internet / Server request-response path, with the User and System Administrator at either end, annotated with the attack vectors below.)
Email / Website / Hack / XSS / CSRF
Permissions / Injection / DDoS / Hack
Man in the Middle
Social Engineering
![Page 8: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/8.jpg)
Software Mitigation
(Diagram: the same path, now annotated with mitigations alongside the attack vectors.)
Attack vectors: Email / Website / Hack / XSS / CSRF; Permissions / Injection / DDoS / Hack; Man in the Middle; Social Engineering
Mitigations: HTTPS / VPN / Tor; Headers / CSRF / Password Managers / Public Key Encryption; Encryption / Authentication / Authorization; Least Privilege / Training
![Page 9: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/9.jpg)
Security Topics
![Page 10: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/10.jpg)
Java Security Tools
➔ JCA / JCE - https://goo.gl/qhlxLn (http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html)
➔Spring Security - https://projects.spring.io/spring-security/
➔Apache Shiro - https://shiro.apache.org/
➔Bouncy Castle - https://www.bouncycastle.org/
➔Jasypt - http://www.jasypt.org/
![Page 11: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/11.jpg)
Key Objectives of Security
➔ Ensure users are who they claim to be…with every request
➔ Users can do what they need…but no more
➔ Data is kept safe
➔ Communication is kept private
![Page 12: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/12.jpg)
Attack Goals
![Page 13: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/13.jpg)
Auth & Session
![Page 14: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/14.jpg)
Authentication
➔Identity
➔Something you Know (password)
➔Something you Are (biometrics)
➔Something you Have (security key)
Photo: Natalie Curtiss, "Grandmother?" (https://flic.kr/p/7VqQPa)
![Page 15: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/15.jpg)
Authorization
➔Restrict access to specific data
➔Access levels:
◆ View
◆ Change
◆ Delete
➔Rules applied based upon ID trust
![Page 16: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/16.jpg)
Least Privilege
https://xkcd.com/898/
![Page 17: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/17.jpg)
Hijacking
➔ Broken Authentication & Session Management
➔ Used to:
◆ Gain account access
◆ Impersonate users
➔ Protection:
◆ Security frameworks such as Spring or Shiro
◆ Session timeouts and fixation prevention
![Page 18: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/18.jpg)
Broken Access Control
➔ Changing parameter grants unintended access
➔ Used to:
◆ Access data
◆ Perform functions
➔ Protection:
◆ Check access / permissions with each request
◆ Use indirect object references
◆ Both URL and Function protection with Spring or Shiro
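The two protections above, checking permissions on every request and using indirect object references, as an added example that is not from the deck. The `Invoice` record, the `InvoiceService`, the `HashMap` standing in for the database and the user ids are all constructed for illustration; the point is that the client only ever sees an opaque per-session token, and the owner check runs when the record is loaded, not only when the link was rendered.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Per-session map from opaque tokens to real record ids (added example, not from the slides). */
public final class IndirectReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Long> tokenToId = new HashMap<>();
    private final Map<Long, String> idToToken = new HashMap<>();

    /** Opaque reference to put in URLs and forms for this record; created on first use, stable afterwards. */
    public synchronized String referenceFor(long recordId) {
        return idToToken.computeIfAbsent(recordId, id -> {
            byte[] buf = new byte[16];
            RNG.nextBytes(buf);                       // unguessable, so ids cannot be enumerated by counting
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            tokenToId.put(token, id);
            return token;
        });
    }

    /** Resolves a client-supplied reference; an unknown token yields empty rather than a guessable id. */
    public synchronized Optional<Long> resolve(String token) {
        return Optional.ofNullable(tokenToId.get(token));
    }

    public static void main(String[] args) {
        IndirectReferenceMap aliceRefs = new IndirectReferenceMap();   // one map per authenticated session
        InvoiceService service = new InvoiceService();
        service.store.put(42L, new Invoice(42L, "alice", "constructed sample invoice"));

        String ref = aliceRefs.referenceFor(42L);    // rendered into alice's page, e.g. /invoice?ref=<token>
        System.out.println("alice: " + service.load("alice", aliceRefs, ref).body);
        try {
            service.load("bob", aliceRefs, ref);      // same token, different user: denied on this request
        } catch (SecurityException e) {
            System.out.println("bob: " + e.getMessage());
        }
    }
}

/** Hypothetical record type used only for this example. */
final class Invoice {
    final long id;
    final String ownerId;
    final String body;

    Invoice(long id, String ownerId, String body) {
        this.id = id;
        this.ownerId = ownerId;
        this.body = body;
    }
}

/** Hypothetical service showing the per-request owner check. */
final class InvoiceService {
    final Map<Long, Invoice> store = new HashMap<>();   // stands in for the database

    Invoice load(String currentUserId, IndirectReferenceMap refs, String clientRef) {
        Long id = refs.resolve(clientRef)
                      .orElseThrow(() -> new SecurityException("access denied"));
        Invoice invoice = store.get(id);
        // Authorization is checked on every request, never assumed from how the link was produced.
        if (invoice == null || !invoice.ownerId.equals(currentUserId)) {
            throw new SecurityException("access denied");   // same message for missing and forbidden
        }
        return invoice;
    }
}
```

Keeping the reference map in the session means a token issued to one user is meaningless in another user's session, and the explicit owner check covers the case where the same map is reused or a record changes hands.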
![Page 19: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/19.jpg)
CSRF (Cross-Site Request Forgery)
➔Impersonate user to the server
➔Used to:
◆ Coerce user action
◆ Transfer control or resources
➔Protection:
◆ Unpredictable token in each request
◆ Use framework built-in defenses
(Diagram: Client, Attacker and Server in a CSRF exchange.)
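The session protections from the Hijacking slide (timeouts, fixation prevention) and the unpredictable per-request token from this slide, as one added example that is not from the deck. It assumes the Servlet 3.1+ API (`javax.servlet`), and the attribute, parameter and header names `csrfToken`, `_csrf` and `X-CSRF-Token` are this example's own choices.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example, not from the slides. Assumes the Servlet 3.1+ API. */
public final class SessionHardening {
    static final String CSRF_ATTR = "csrfToken";       // session attribute name (this example's choice)
    static final String CSRF_PARAM = "_csrf";          // hidden form field name (this example's choice)
    static final String CSRF_HEADER = "X-CSRF-Token";  // header for XHR clients (this example's choice)
    private static final SecureRandom RNG = new SecureRandom();

    /** Call once the submitted credentials have been verified. */
    public static void onSuccessfulLogin(HttpServletRequest request, String userId) {
        // Fixation prevention: the id the browser carried before authenticating must not become
        // the authenticated session's id, since it may have been planted by someone else.
        if (request.getSession(false) != null) {
            request.changeSessionId();   // Servlet 3.1; on older containers: invalidate() then getSession(true)
        }
        HttpSession session = request.getSession(true);
        session.setMaxInactiveInterval(15 * 60);   // idle timeout in seconds
        session.setAttribute("userId", userId);

        // Unpredictable per-session CSRF token; render it into every state-changing form.
        byte[] token = new byte[32];
        RNG.nextBytes(token);
        session.setAttribute(CSRF_ATTR, Base64.getUrlEncoder().withoutPadding().encodeToString(token));
    }

    /** Rejects state-changing requests whose token does not match the one stored in the session. */
    public static final class CsrfFilter implements Filter {
        @Override public void init(FilterConfig config) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            if (isStateChanging(request.getMethod())) {
                HttpSession session = request.getSession(false);
                String expected = session == null ? null : (String) session.getAttribute(CSRF_ATTR);
                String supplied = request.getParameter(CSRF_PARAM);
                if (supplied == null) {
                    supplied = request.getHeader(CSRF_HEADER);
                }
                if (!tokensMatch(expected, supplied)) {
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                                                          "CSRF token missing or invalid");
                    return;
                }
            }
            chain.doFilter(req, res);
        }

        /** GET, HEAD and OPTIONS must not change state, so only the other methods are checked. */
        private static boolean isStateChanging(String method) {
            return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
        }

        /** Constant-time comparison so response timing does not leak the token byte by byte. */
        static boolean tokensMatch(String expected, String supplied) {
            if (expected == null || supplied == null) {
                return false;
            }
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         supplied.getBytes(StandardCharsets.UTF_8));
        }
    }
}
```

Spring Security and Shiro ship equivalent filters; the value of writing one out is seeing what they must get right: a fresh token from `SecureRandom`, a check on every non-safe method, and a comparison that does not short-circuit.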
![Page 20: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/20.jpg)
Crypto
![Page 21: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/21.jpg)
Obscurity
➔Can’t put the cat back in the bag
➔Security requires shared algorithms
➔Implementation accuracy requires public review
➔Unpredictable level of risk
(Caption: Which box holds the prize?)
![Page 22: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/22.jpg)
Cryptography
➔Mathematically provable complexity
➔Cryptographic hash
➔Symmetric encryption
➔Public-key encryption
➔Transport Layer Security (https)
(Diagram: Public / Private key pairs labelled Encrypts, Decrypts, Verifies.)
![Page 23: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/23.jpg)
Chain of Trust
➔Digital Signatures
➔Certificates
➔Only sign certificates you know
➔Only accept certificates you trust
![Page 24: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/24.jpg)
Passwords
![Page 25: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/25.jpg)
Password Protection
➔Hash, don’t encrypt
◆ Secure algorithm (PBKDF2 with SHA512, bcrypt, scrypt)
➔Salt
◆ Two salts - row and app
➔Iterate
◆ Key derivation
➔Go slow!
(Diagram labels: "+", "1000x")
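The four bullets above carried through in code, as an added example that is not from the deck: PBKDF2 with HMAC-SHA512 from the JCE, a random per-row salt stored beside the hash, an application-wide secret (the "app salt") that lives in configuration rather than in the users table, and an iteration count chosen to be slow. The storage format `pbkdf2-sha512$iterations$salt$hash`, the iteration count and the sample password are this example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example, not from the slides: password hashing with row salt + app salt + slow PBKDF2. */
public final class PasswordHasher {
    private static final int ITERATIONS = 210_000;   // tune so one hash costs ~100 ms on the login server
    private static final int KEY_BITS = 512;         // matches the HMAC-SHA512 output size
    private static final int ROW_SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();
    private final byte[] appSalt;                    // from config / secret store, never in the database

    public PasswordHasher(byte[] appSalt) {
        this.appSalt = appSalt.clone();
    }

    /** Returns "pbkdf2-sha512$iterations$base64(rowSalt)$base64(hash)" for storage in the user row. */
    public String hash(char[] password) throws GeneralSecurityException {
        byte[] rowSalt = new byte[ROW_SALT_BYTES];
        RNG.nextBytes(rowSalt);                      // unique per user, so equal passwords hash differently
        byte[] derived = derive(password, rowSalt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2-sha512$" + ITERATIONS + "$" + b64.encodeToString(rowSalt) + "$" + b64.encodeToString(derived);
    }

    /** Recomputes with the stored salt and iteration count and compares in constant time. */
    public boolean verify(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !"pbkdf2-sha512".equals(parts[0])) {
            return false;
        }
        try {
            int iterations = Integer.parseInt(parts[1]);   // stored per row, so the cost can be raised later
            byte[] rowSalt = Base64.getDecoder().decode(parts[2]);
            byte[] expected = Base64.getDecoder().decode(parts[3]);
            return MessageDigest.isEqual(expected, derive(password, rowSalt, iterations));
        } catch (IllegalArgumentException malformed) {
            return false;                                  // corrupt record: mismatch, not a crash
        }
    }

    /** PBKDF2 salt = rowSalt || appSalt: a dumped users table alone does not give an attacker enough to start. */
    private byte[] derive(char[] password, byte[] rowSalt, int iterations) throws GeneralSecurityException {
        byte[] salt = new byte[rowSalt.length + appSalt.length];
        System.arraycopy(rowSalt, 0, salt, 0, rowSalt.length);
        System.arraycopy(appSalt, 0, salt, rowSalt.length, appSalt.length);
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                    // do not leave the password in the heap longer than needed
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed secret; in a real deployment this comes from the environment or a secret store.
        PasswordHasher hasher = new PasswordHasher("constructed-app-secret".getBytes(StandardCharsets.UTF_8));
        String stored = hasher.hash("correct horse battery staple".toCharArray());
        System.out.println(stored);
        System.out.println("right password: " + hasher.verify("correct horse battery staple".toCharArray(), stored));
        System.out.println("wrong password: " + hasher.verify("Tr0ub4dor&3".toCharArray(), stored));
    }
}
```

Storing the iteration count inside the record is what makes "go slow" sustainable: when hardware gets faster, new hashes use a higher count while old ones still verify, and can be re-hashed at the user's next successful login.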
![Page 26: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/26.jpg)
1. Click "forgot password"
2. Enter identification
3. Receive email
4. Click link
5. Enter security key(s)
6. Enter new password
(Diagram: Change Password flow, Website / Security Form / Password Form / New Password.)
![Page 27: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/27.jpg)
Injection
![Page 28: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/28.jpg)
(SQL) Injection
➔Verbatim user-submitted content in query
➔ Used to:
◆ Steal data
◆ Corrupt data
➔ Protection:
◆ Prepared statements
◆ Escape user input
◆ OWASP Java Encoder
https://xkcd.com/327/
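The "verbatim user-submitted content in query" defect next to its prepared-statement fix, as an added example that is not from the deck. A `users` table with a `username` column and an already-open JDBC `Connection` are assumed; the allow-listed sort columns are also constructed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Added example, not from the slides. Assumes a users(username, ...) table behind the Connection. */
public final class UserLookup {

    /** Vulnerable: the input becomes part of the SQL text, so a quote character in it rewrites the query. */
    static boolean existsUnsafe(Connection db, String username) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = '" + username + "'";
        try (Statement st = db.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    /** Safe: the query text is fixed at compile time; the driver passes the value as data, never as SQL. */
    static boolean existsSafe(Connection db, String username) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Identifiers (column and table names) cannot be bound as parameters, so client-chosen sort
    // columns are mapped onto a fixed allow-list instead of being concatenated.
    private static final Set<String> SORTABLE =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("username", "created_at")));

    static String orderByClause(String requestedColumn) {
        if (!SORTABLE.contains(requestedColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return " ORDER BY " + requestedColumn;   // safe: the value is one of our own literals
    }
}
```

Escaping, the slide's second bullet, is the fallback for the places a parameter cannot go (identifiers, `LIKE` patterns with user-chosen wildcards); for values, the prepared statement is the fix, because the database never parses the input as SQL at all.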
![Page 29: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/29.jpg)
XSS (Cross-Site Scripting)
➔Verbatim display of user-submitted content
➔ Used to:
◆ Hijack sessions or Install Trojans
◆ Redirect to foreign sites
➔ Protection:
◆ Encode all user-provided data
◆ Use safe JavaScript APIs (never eval)
◆ CSP Headers
◆ OWASP Java HTML Sanitizer
(Diagram: Client, Client, Server, Server in an XSS exchange.)
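The first and third protections, contextual output encoding and a Content-Security-Policy header, as an added example that is not from the deck. It assumes the OWASP Java Encoder (`org.owasp.encoder.Encode`) and the Servlet API on the classpath; the comment markup, the policy string and the sample input are this example's own choices.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode;

/** Added example, not from the slides. Assumes the OWASP Java Encoder and the Servlet API. */
public final class XssDefenses {

    /**
     * Renders one user comment. Each value is encoded for the exact context it lands in:
     * element content uses forHtml, a quoted attribute uses forHtmlAttribute.
     * The broken version this replaces was "<b>" + displayName + "</b>", which lets any
     * markup in displayName render (and any script in it run) in every viewer's browser.
     */
    static String renderComment(String displayName, String comment) {
        return "<div class=\"comment\" data-author=\"" + Encode.forHtmlAttribute(displayName) + "\">"
             + "<b>" + Encode.forHtml(displayName) + "</b>: "
             + Encode.forHtml(comment)
             + "</div>";
    }

    /** Adds a CSP header to every response: no inline script, scripts only from this origin. */
    public static final class CspFilter implements Filter {
        // Starting policy; widen it deliberately per resource type rather than with 'unsafe-inline'.
        static final String POLICY =
                "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

        @Override public void init(FilterConfig config) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            ((HttpServletResponse) res).setHeader("Content-Security-Policy", POLICY);
            chain.doFilter(req, res);
        }
    }

    public static void main(String[] args) {
        // Constructed input containing markup; the output shows it rendered as text, not as tags.
        System.out.println(renderComment("<i>not</i> a real <script>", "she said \"hi\" & left"));
    }
}
```

Encoding is the primary defense and CSP the backstop: with `script-src` limited to `'self'` and no `'unsafe-inline'`, a value that slips through unencoded still cannot execute, and the inline `onclick` handlers that `eval`-style APIs encourage stop working, which is the slide's "safe JavaScript APIs" bullet enforced by the browser.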
![Page 30: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/30.jpg)
Other Vulnerabilities
![Page 31: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/31.jpg)
Stale Dependencies
➔ Using components with known vulnerabilities
➔ Used to:
◆ Compromise systems
◆ Execute application code
➔ Protection:
◆ Automated management with Ant+Ivy, Maven, or Gradle
◆ OWASP DependencyCheck
◆ National Vulnerability Database - https://nvd.nist.gov/
![Page 32: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/32.jpg)
Underprotected APIs
➔ Insufficient protections for REST and SOAP APIs
➔ Used to:
◆ Steal data
◆ Corrupt data / deface websites
➔ Protection:
◆ Client code doesn't contain keys
◆ Strong authentication
![Page 33: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/33.jpg)
Social Engineering
➔Simply ask someone for their credentials
➔Used to:
◆ Obtain credentials
◆ Access secure systems
➔Protection:
◆ Training
◆ Never tell anyone your passwords
https://xkcd.com/538/
![Page 34: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/34.jpg)
Discussion
![Page 35: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/35.jpg)
Minimum Developer Responsibility
➔HTTPS
➔Password Protection
◆ Hashing for Auth
◆ AES for System Logins
➔OWASP Top 10 - https://owasp.org
![Page 36: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/36.jpg)
How does online security help people?
➔Restrict access to financial assets
➔Protect your identity and personal information
➔Defend against device takeover
➔Shelter citizens from oppressive governments
➔Preserve 1st, 4th, and 5th amendment rights
![Page 37: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/37.jpg)
Security decisions
➔What are we protecting?
➔What is the likelihood of attack?
➔What are the risks of security failure?
➔What are the probable attack vectors?
➔How will we detect and report breaches?
➔Don’t forget the ethics!
![Page 38: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/38.jpg)
Security Resources
➔ Troy Hunt - https://www.troyhunt.com/
➔ Brian Krebs - https://krebsonsecurity.com/
➔ Pluralsight - https://pluralsight.com/browse/information-cyber-security
➔ OWASP - https://www.owasp.org/
![Page 39: Java Web Security - Tools & Tips](https://reader033.vdocuments.mx/reader033/viewer/2022051007/5a64a0c57f8b9a76568b4df3/html5/thumbnails/39.jpg)
Michael Dowden
@mrdowden
linkedin.com/in/mdowden
plus.google.com/+MichaelDowden
lanyrd.com/profile/mrdowden/