Application Security Pitfalls

Post on 01-Nov-2014


Speaker: Mike Wiesner. Creating a secure application involves more than just applying Spring Security to it. This is of course not a new topic, but with the increased popularity of much more dynamic configurations for Servlet Containers and various Spring projects, like Spring MVC and Spring Integration, it becomes more important to know about the security trade-offs we might get with that, and how to tackle them.

Transcript of Application Security Pitfalls

© 2013 SpringOne 2GX. All rights reserved. Do not distribute without permission.

Application Security Pitfalls
By Mike Wiesner

mwiesner@gopivotal.com
https://github.com/mikewiesner/security-patterns-2013

Mike Wiesner
• Technical Instructor @Pivotal
• 10+ years experience in Java
  – As developer, consultant and instructor
• Focus on Application Security and Enterprise Integration
• Spring Security contributor

Application Security?

Enterprise Java = Spring

Spring + Security = Spring Security

Done?

OWASP Top Ten

Spring Security
Spring Security 3.2

• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards

Security is a process

SQL Injection

Diagram: Client → Login → BBI Webserver → Database. Inputs shown on the slide: `user` and `' or '1' = '1`. Resulting query:

    select * from users where user = 'user' and password = '' or '1' = '1'

XML Processing

Demo flow components shown on the slide: fromFile, newOrderXml, download, box, downloadSecured, boxSecured

Still awake?

Demo Time!

Input Validation

    import javax.validation.constraints.NotNull;
    // @Length is a Hibernate Validator constraint (the JSR-303 equivalent is @Size)
    import org.hibernate.validator.constraints.Length;

    public class Address {

        // must be present and at most 30 characters
        @NotNull
        @Length(max = 30)
        private String addressline1;

        // optional, but at most 30 characters when present
        @Length(max = 30)
        private String addressline2;
    }

JSR-303: Bean Validation

Trust Zones

Demo Time!

OWASP Top Ten

Spring Security
Spring Security 3.2
Your code


Typical Architecture

Spring MVC → Services → Spring Data Repos → DB

Spring XML & Servlet 2.5 config

Spring MVC (webmvc-config.xml) → Services (application-context.xml) → Spring Data Repos (application-context-jpa.xml, persistence.xml) → DB (prod/test-infrastructure.xml)
Servlet Container: web.xml

Spring Java and Servlet 3.x config

Spring MVC (SpringWebMvcConfig.java) → Services (SpringCoreConfig.java) → Spring Data Repos (SpringRepoConfig.java) → DB (InfraProductionConfig.java)
Servlet Container: WebContainerConfig.java

Demo Time!

Servlet 3.x web.xml replacements
• Dynamic configuration available with:
  • Annotated web components
    – E.g. @WebServlet, @WebFilter
    – Disable with metadata-complete="true" in web.xml
  • Web fragments
    – web-fragment.xml
    – E.g. Spring WebApplicationInitializer
    – Disable with <absolute-ordering/> in web.xml

How Spring's WAI works

spring-web.jar
  META-INF/web-fragment.xml
  META-INF/services/javax.servlet.ServletContainerInitializer
    → org.springframework.web.SpringServletContainerInitializer
      → org.springframework.web.WebApplicationInitializer

Demo Time!

“Hidden” Framework features

Demo Time!

OWASP Top Ten

Spring Security
Spring Security 3.2
Your code


Done?

Encoding Problems

Diagram: Browser → Internet → Tomcat → File-System. Traversal input shown on the slide as ../ and as %C0%AE%C0%AE%C0%AF (the same ../ in overlong UTF-8 percent-encoding).

Defense in Depth

Conclusion
• Application Security is a process, not a feature.
• EVERY developer needs to know about Application Security
• Shouldn't negatively impact innovation and architecture
• Frameworks can help you
  – But you need to understand them

Learn More. Stay Connected.

Questions?
mwiesner@gopivotal.com
https://github.com/mikewiesner/security-patterns-2013

Talk to us on Twitter: @springcentral
Find session replays on YouTube: spring.io/video