Securing RESTful services with Spring HATEOAS & Hdiv

Roberto Velasco @hdivroberto

Upload: hdiv-security

Post on 16-Apr-2017

Category: Software

TRANSCRIPT

Page 1: Securing RESTful services with Spring HATEOAS & Hdiv

Roberto Velasco @hdivroberto

Page 2

About me

Spring I/O 2016

Roberto Velasco

CEO at Hdiv Security

Working as Java Software Architect since 2004

Page 3

About me

Involved in Software Security since 2001

Page 4

About me

Hdiv Security Framework founder in 2008

Page 5

About this talk

It’s not about: Authentication, Role Based Access Control

It’s about: Best Practices, Security Automation, Security by Design

Page 6

Agenda

1. APIs security overview
2. Why
3. The solution
4. Spring HATEOAS & Hdiv

Page 7

1. APIs security overview

Page 8

APIs everywhere

Page 9

The old new things

What about security in this new scenario?

Page 10

Let’s see a demo: Spring HATEOAS & Android

Page 11

The old new things

The most important things remain the same, represented by the OWASP Top 10.

The client-side approach leaves us more exposed:

Controller inside the client

More business logic on the client side

Page 12

How big is the problem?

86% of all websites tested had at least 1 serious vulnerability

Page 13

2. Why

Page 14

Security issues

Bugs: SQL Injection, XSS, etc. Easy to find and fix.

Design flaws: forgetting to authenticate a user; unauthorized access to a record. No tool to find them and complex to fix.

Page 15

Design Flaws: IEEE Cyber Security

Page 16

Why

Current technology to develop services is insecure by default

Page 17

Why

It doesn’t protect from bugs and design flaws

Page 18

Why

Security depends on people

Page 19

Security solutions

AST (Application Security Testing): recommended for security bugs; detected issues must be solved by developers

Page 20

Security solutions

WAF (Web Application Firewall): tries to protect from bugs and security design flaws, but…

Page 21

Security solutions

WAF (Web Application Firewall): false positives, costly implementation

Page 22

Summary

Foundational software providers: don’t protect from bugs nor from security design flaws.

Security providers: bugs are well detected by AST, but fixing them represents significant work for developers; design flaws are not properly covered by WAFs.

Page 23

3. The solution

Page 24

The solution

Different problems require different solutions

Page 25

The solution for… Design flaws

Current approach: everything open, close manually

Page 26

The solution for… Design flaws

Proposed approach: Security by Default. Everything closed by default, open manually

Page 27

The solution for… Design flaws

The server defines what is allowed

Page 28

The solution for… Design flaws

The server defines what is allowed: Hypermedia

Page 29

The solution for… Design flaws

The server rejects all the requests that don’t respect the original contract

Page 30

The solution for… Design flaws

The server rejects all the requests that don’t respect the original contract

Page 31

The solution for… Design flaws

Integrity validation for read-only data

White & black list validation for editable data (text fields)

Page 32

The solution for… Bugs

We need a detection mechanism

Page 33

The solution for… Bugs

We need a detection mechanism: AST tools

Page 34

The solution for… Bugs

We need to automate the protection of the detected issues

Page 35

The solution for… Bugs

We need to automate the protection of the detected issues

Page 36

The solution for… Bugs

Don’t do anything for read-only data

Strict white-list validation for vulnerable text fields; the error is shown in the text field

Page 37

4. Spring HATEOAS & Hdiv

Page 38

Spring HATEOAS

The most important HATEOAS implementation in Java

Includes a format for links, based on HAL

Complete form definition not covered

Page 39

Form support Pull Request

https://github.com/spring-projects/spring-hateoas/pull/447

Participants & Collaborators: Mike Amundsen, Dietrich Schulten, Oliver Gierke

Supported hypermedia formats

Forms: HAL-FORMS, Siren, HTML

Links: HAL

Page 40

Form Support in Action

Form definition example:

    // Static imports of linkTo/methodOn are omitted on the slide.
    @RequestMapping(method = RequestMethod.GET)
    public ResourceSupport charge() {
        ResourceSupport resourceSupport = new ResourceSupport();
        // Link to the POST handler charge(Charge), which is part of the omitted code;
        // the annotations on the Charge constructor describe the form fields.
        resourceSupport.add(linkTo(methodOn(TransferController.class).charge(new Charge())).build());
        // code omitted here
        return resourceSupport;
    }

    public class Charge {
        private String fromAccount;
        private double amount;

        // @Select: fromAccount is chosen from the server-provided CashAccountOptions.
        // @Input: amount is an editable, required field.
        public Charge(@Select(options = CashAccountOptions.class) String fromAccount,
                      @Input(editable = true, required = true) double amount) {
            // code omitted here
        }
    }

Page 41

Several form formats are supported. HAL-FORMS example:

    {
      "_links": {
        "self": {
          "href": "http://localhost:9000/hdiv-ee-bank-services/api/transfer?rel=halforms:make-transfer"
        },
        "curies": [
          {"href": "{href}{?rel}", "name": "halforms", "templated": true}
        ]
      },
      "_templates": {
        "default": {
          "method": "POST",
          "properties": [
            {"name": "fromAccount", "readOnly": true, "suggest": [
              {"value": "00948343154448310446", "prompt": "Checking Account"},
              {"value": "91123204989505683033", "prompt": "Individual Retirement Accounts (IRAs)"}
            ]},
            {"name": "toAccount", "readOnly": false, "required": true},
            {"name": "description", "readOnly": false, "required": true},
            {"name": "amount", "readOnly": false, "value": "0.0", "required": true},
            {"name": "fee", "readOnly": true, "value": "5.0"}
          ]
        }
      }
    }
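As an added example (not Hdiv's or Spring HATEOAS's code), this Python sketch shows the server-side contract check the talk describes for design flaws: an incoming transfer request is validated against the HAL-FORMS template above, read-only fields are integrity-checked against the values the server published, editable text fields go through a white-list, and any parameter outside the template is rejected. The white-list patterns and the request bodies are assumptions, not from the talk.

```python
import json
import re

# Constructed HAL-FORMS template, modelled on the slide's transfer example
# (the account numbers and fee are the slide's sample values).
TEMPLATE = json.loads("""
{"method": "POST", "properties": [
  {"name": "fromAccount", "readOnly": true, "suggest": [
     {"value": "00948343154448310446", "prompt": "Checking Account"},
     {"value": "91123204989505683033", "prompt": "Individual Retirement Accounts (IRAs)"}]},
  {"name": "toAccount", "readOnly": false, "required": true},
  {"name": "description", "readOnly": false, "required": true},
  {"name": "amount", "readOnly": false, "value": "0.0", "required": true},
  {"name": "fee", "readOnly": true, "value": "5.0"}]}
""")

# White-list patterns for the editable text fields (assumed policy, not from the talk).
WHITELIST = {
    "toAccount": re.compile(r"^[0-9]{20}$"),
    "description": re.compile(r"^[\w .,-]{1,100}$"),
    "amount": re.compile(r"^[0-9]+(\.[0-9]{1,2})?$"),
}

def validate_request(template, body):
    """Return the contract violations found in body; an empty list means accept."""
    errors = []
    allowed = {p["name"] for p in template["properties"]}
    # Closed by default: a parameter the server never published is rejected.
    for name in body:
        if name not in allowed:
            errors.append(f"unexpected parameter {name!r}")
    for prop in template["properties"]:
        name = prop["name"]
        if name not in body:
            if prop.get("required"):
                errors.append(f"missing required field {name!r}")
            continue
        value = body[name]
        if prop.get("readOnly"):
            # Integrity check: read-only data must be exactly what the server offered.
            expected = {s["value"] for s in prop.get("suggest", [])}
            if "value" in prop:
                expected.add(prop["value"])
            if value not in expected:
                errors.append(f"tampered read-only field {name!r}: {value!r}")
        elif name in WHITELIST and not WHITELIST[name].match(str(value)):
            # Editable text: strict white-list validation.
            errors.append(f"rejected value for {name!r}: {value!r}")
    return errors
```

A client that edits the fee, picks an account the server never offered, or adds a parameter of its own gets a non-empty violation list and the request is refused.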

Page 42

Try it! hdivsecurity.com/try-it-springio

Page 43

Summary

Hypermedia offers an excellent foundation to cover security design

Page 44

Summary

Hypermedia helps to automate the protection against detected security bugs

Page 45

Summary

Hypermedia formats are necessary to cover 100% of interactions

Page 46

Summary

Spring HATEOAS and Hdiv make it possible to automate many security tasks

Page 47

Questions & Answers

Page 48

Roberto Velasco, Hdiv Founder

[email protected]

Thanks!