5. About this talk
Spring I/O 2016
It’s not about:
Authentication
Role Based Access Control
Best Practices
It’s about:
Security Automation
Security by Design
11. The old new things
The most important remains the same, represented by the OWASP Top 10.
The client-side approach leaves us more exposed:
Controller inside the client
More business logic on the client side
12. How big is the problem
86% of all websites tested had at least 1 serious vulnerability
14. Security issues
Bugs: SQL Injection, XSS, etc. Easy to find and fix.
Design flaws: forgetting to authenticate a user; unauthorized access to a record. No tool to find them, and complex to fix.
22. Summary
Foundational software providers: don’t protect against bugs nor against security design flaws.
Security providers: bugs are well detected by AST (application security testing), but fixing them remains significant work for developers; design flaws are not properly covered by WAFs.
29. The solution for… design flaws
The server rejects all the requests that don’t respect the original contract.
30. The solution for… design flaws
B O R N S E C U R E
The server rejects all the requests that don’t respect the original contract.
31. The solution for… design flaws
B O R N S E C U R E
Integrity validation for read-only data
White & black list validation for editable data (text fields)
34. The solution for… bugs
We need to automate the protection of the detected issues.
35. The solution for… bugs
B O R N S E C U R E
We need to automate the protection of the detected issues.
36. The solution for… bugs
B O R N S E C U R E
Don’t do anything for read-only data
Strict white-list validation for vulnerable text fields
Show the error in the text field
38. Spring HATEOAS
The most important HATEOAS implementation in Java
Includes a format for links
Complete form definition not covered
Based on HAL
39. Form support Pull Request
B O R N S E C U R E
https://github.com/spring-projects/spring-hateoas/pull/447
Participants & Collaborators: Mike Amundsen, Dietrich Schulten, Oliver Gierke
Supported hypermedia formats
Forms: HAL-FORMS, Siren, HTML
Links: HAL
40. Form Support in Action
Form definition example:

@RequestMapping(method = RequestMethod.GET)
public ResourceSupport charge() {
    ResourceSupport resourceSupport = new ResourceSupport();
    // Link to the charge action; the form definition is derived from the Charge constructor annotations
    resourceSupport.add(linkTo(methodOn(TransferController.class).charge(new Charge())).build());
    // code omitted here
    return resourceSupport;
}

public class Charge {
    private String fromAccount;
    private double amount;

    // @Select and @Input (from the form-support pull request) describe each field:
    // a fixed option list for the account, an editable and required input for the amount
    public Charge(@Select(options = CashAccountOptions.class) String fromAccount,
                  @Input(editable = true, required = true) double amount) {
        // code omitted here
    }
}
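The server-side rules from slides 29 to 36 applied to the Charge form above, as an added example that is not code from the talk or from Spring HATEOAS: read-only data is checked with an integrity tag, the select field against the options the server offered, and the editable text field against a strict white-list. The read-only toAccount field, the HMAC tag and the account option values are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Server-side enforcement of the Charge form contract (illustrative; not the talk's or Spring HATEOAS code). */
public class ChargeFormContract {
    private static final String ALGORITHM = "HmacSHA256";
    // Constructed option set; stands in for the CashAccountOptions class on the slide.
    private static final Set<String> CASH_ACCOUNT_OPTIONS = Set.of("ACC-1001", "ACC-1002");
    // Strict white-list for the editable text field: a positive decimal amount with at most two places.
    private static final String AMOUNT_PATTERN = "[0-9]{1,9}(\\.[0-9]{1,2})?";
    private final byte[] secret; // server-side key; never sent to the client
    public ChargeFormContract(byte[] secret) { this.secret = secret; }

    /** Integrity tag the server attaches to a read-only value (assumed toAccount field) when rendering the form. */
    public String seal(String field, String value) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(new SecretKeySpec(secret, ALGORITHM));
            byte[] tag = mac.doFinal((field + "=" + value).getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Returns true only if the submission respects the contract the server originally emitted. */
    public boolean accept(String toAccount, String toAccountTag, String fromAccount, String amount) {
        // Read-only data: the client may echo it back but not change it, so the tag must verify (constant-time compare).
        byte[] expected = seal("toAccount", toAccount).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, toAccountTag.getBytes(StandardCharsets.UTF_8))) return false;
        // Select field: only an option the server offered is acceptable.
        if (!CASH_ACCOUNT_OPTIONS.contains(fromAccount)) return false;
        // Editable text field: strict white-list validation, anything else is rejected.
        return amount.matches(AMOUNT_PATTERN);
    }

    public static void main(String[] args) {
        ChargeFormContract contract = new ChargeFormContract("demo-secret-change-me".getBytes(StandardCharsets.UTF_8));
        String tag = contract.seal("toAccount", "ACC-9000"); // issued together with the rendered form
        System.out.println(contract.accept("ACC-9000", tag, "ACC-1001", "25.50"));       // respects the contract
        System.out.println(contract.accept("ACC-9999", tag, "ACC-1001", "25.50"));       // read-only field altered
        System.out.println(contract.accept("ACC-9000", tag, "ACC-5555", "25.50"));       // option never offered
        System.out.println(contract.accept("ACC-9000", tag, "ACC-1001", "25.50; DROP")); // fails the white-list
    }
}
```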