10 Excellent Ways to Secure Your Spring Boot Application - The Secure Developer 2019
1 like620 views
Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more! You’ll learn how to add these features to a real application, using the Java language you know and love. YouTube: https://www.thesecuredeveloper.com/post/10-excellent-ways-to-secure-your-spring-boot-application Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
More Related Content
What's hot (20)
Similar to 10 Excellent Ways to Secure Your Spring Boot Application - The Secure Developer 2019 (20)
More from Matt Raible (20)
Recently uploaded (20)
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Developer 2019
- 1. 10 Excellent Ways to Secure Your Spring Boot Application June 6, 2019 Simon Maple and Matt Raible @sjmaple | @mraible thesecuredeveloper.com
- 3. 1. Use HTTPS in Production
- 4. Use HTTPS Everywhere! Let’s Encrypt offers free HTTPS certificates certbot can be used to generate certificates mkcert can be used to create localhost certificates Spring Boot Starter ACME for automating certificates
- 5. @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); } }
- 6. @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel() .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null) .requiresSecure(); } }
- 7. Life hack: Night lights
- 9. 2. Scan Your Dependencies for Vulnerabilities
- 11. Source: SecurityIntelligence.com Java Struts 2 RCE Vulnerability CVE 2017-5638
- 12. Java Struts 2 RCE Vulnerability CVE 2017-5638 Source: SecurityIntelligence.com
- 14. Serverless Example: Fetch file & store in s3 (Serverless Framework Example) 19 Lines of Code 2 Direct dependencies 19 dependencies (incl. indirect) 191,155 Lines of Code
- 16. Demo
- 17. 3. Upgrade To Latest Releases
- 19. How well do you know your dependencies?
- 20. Checking for Updates with npm npm i -g npm-check-updates ncu
- 21. Checking for Updates with Maven mvn versions:display-dependency-updates
- 22. Checking for Updates with Gradle gradle dependencyUpdates -Drevision=release
- 23. Life hack: Straight cuts
- 25. 4. Enable CSRF Protection
- 26. @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse()); } }
- 27. 5. Use a Content Security Policy to Prevent XSS Attacks
- 28. @spring_io #springio17 Default Spring Security Headers Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 ; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block
- 29. @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.headers() .contentSecurityPolicy("script-src 'self' " + "https://trustedscripts.example.com; " + "object-src https://trustedplugins.example.com; " + "report-uri /csp-report-endpoint/"); } }
- 31. @spring_io #springio17 Better Web Site Security How-To developer.okta.com/blog/2019/04/11/site-security-cloudflare-netlify
- 32. Life hack: Peppermint tea
- 34. 6. Use OpenID Connect for Authentication
- 36. @spring_io #springio17 Spring Security OIDC Configuration spring: security: oauth2: client: registration: okta: client-id: {clientId} client-secret: {clientSecret} provider: okta: issuer-uri: https://{yourOktaDomain}/oauth2/default
- 37. OIDC Authentication Demo @Grab('spring-boot-starter-oauth2-client') @RestController class Application { @GetMapping('/') String home(java.security.Principal user) { ‘Hello ' + user.name } }
- 38. Works with Spring WebFlux developer.okta.com/blog/2018/11/26/spring-boot-2-dot-1-oidc-oauth2-reactive-apis
- 40. 7. Managing Passwords? Use Password Hashing!
- 41. hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 Deterministic
- 43. It should not be predictable hash(“TSD0”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash(“TSD1”) = 98eadd540e6c0579a1bcbe375c8d1ae2863beacdfb9af803e5f4d6dd1f8926c2 hash(“TSD2”) = 665ec59d7fb01f6070622780e744040239f0aaa993eae1d088bc4f0137d270ef hash(“TSD3”) = 7ae89eb10a765ec2459bee59ed1d3ed97dbb9f31ec5c7bd13d19380bc39f5288
- 44. One to one mapping hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash(“123”) != 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
- 45. @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } Hashed passwords in Spring
- 46. @Autowired private PasswordEncoder passwordEncoder; public String hashPassword(String password) { return passwordEncoder.encode(password); } Hashed passwords in Spring
- 47. Life hack: Pasta holder
- 49. 8. Store Secrets Securely
- 54. 9. Test Your App with OWASP’s ZAP
- 55. OWASP Zed Attack Proxy Two approaches: Spider and Active Scan Spider starts with a seed of URLs Active Scan records a session then plays it back, scanning for known vulnerabilities
- 56. Learn More about ZAP Homepage www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project GitHub github.com/zaproxy/zaproxy Twitter twitter.com/zaproxy
- 57. Life hack: Boiling water
- 59. 10. Have Your Security Team do a Code Review
- 60. Code Review topics 1. Identify and validate any third party input 2. Never store credentials as code/config 3. Test for new security vulnerabilities in third-party open source dependencies. 4. Authenticate inbound requests 5. Enforce the least privilege principle 6. Prefer whitelist over blacklist 7. Handle sensitive data with care 8. Do not allow back doors in your code 9. Protect against well-known attacks 10.Statically test your source code on every PR, automatically
- 61. 10 Excellent Ways to Secure Spring Boot 1. Use HTTPS 2. Scan dependencies 3. Dependencies up-to-date 4. Enable CSRF protection 5. Use a Content Security Policy 6. Use OIDC 7. Hash passwords 8. Store secrets securely 9. Test with OWASP's ZAP 10.Code review with experts
- 63. Bonus: Don’t Allow Your Lack of Security to be Disturbing