10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019

Brian Vermeer and Matt Raible
10 Excellent Ways to Secure Your
Spring Boot Application
@BrianVerm | @mraible
��

10 Excellent Ways...
https://bit.ly/secure-spring-boot

Use HTTPS Everywhere!
4
Let’s Encrypt offers free HTTPS certificates
certbot can be used to generate certificates
mkcert can be used to create localhost certificates
Spring Boot Starter ACME for automating certificates

@Configuration
public class SecurityConfiguration extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requiresChannel().anyRequest().requiresSecure();
}
}

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
http.requiresChannel()
.requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
.requiresSecure();
}
}

Java Struts 2 RCE Vulnerability CVE 2017-5638
Source: SecurityIntelligence.com

Serverless Example: Fetch ﬁle & store in S3
'use strict';
const fetch = require('node-fetch');
const AWS = require('aws-sdk'); // eslint-disable-line
import/no-extraneous-dependencies
const s3 = new AWS.S3();
module.exports.save = (event, context, callback) => {
fetch(event.image_url)
.then((response) => {
if (response.ok) {
return response;
}
return Promise.reject(new Error(
`Failed to fetch ${response.url}: ${response.status}
${response.statusText}`));
})
.then(response => response.buffer())
.then(buffer => (
s3.putObject({
Bucket: process.env.BUCKET,
Key: event.key,
Body: buffer,
}).promise()
))
.then(v => callback(null, v), callback);
};
19 Lines of Code
https://github.com/serverless/examples/tree/master/aws-node-fetch-ﬁle-and-store-in-s3

'use strict';
if (response.ok) {
return response;
}
})
.then(buffer => (
s3.putObject({
Key: event.key,
Body: buffer,
}).promise()
))
};
19 Lines of Code
2 Direct dependencies
{
"dependencies": {
"aws-sdk": "^2.7.9",
"node-fetch": "^1.6.3"
}
}

'use strict';
if (response.ok) {
return response;
}
})
.then(buffer => (
s3.putObject({
Key: event.key,
Body: buffer,
}).promise()
))
};
19 Lines of Code
19 dependencies (incl. indirect)
{
"dependencies": {
"aws-sdk": "^2.7.9",
}
}

'use strict';
if (response.ok) {
return response;
}
})
.then(buffer => (
s3.putObject({
Key: event.key,
Body: buffer,
}).promise()
))
};
19 Lines of Code
19 dependencies (incl. indirect)
191,155 Lines of Code 😱
{
"dependencies": {
"aws-sdk": "^2.7.9",
}
}

https://snyk.io/opensourcesecurity-2019

Matt's Life Hack: Don't ﬁx your socks; ﬁx your toes!

How well do you know your dependencies?
22
Dependencies
Dependency
Health
Indirect
Dependencies
Regular
Commits
Regular
Releases

Check for Updates with npm
npm i -g npm-check-updates
ncu
https://www.npmjs.com/package/npm-check-updates

Check for Updates with Maven
mvn versions:display-dependency-updates
https://www.mojohaus.org/versions-maven-plugin

Check for Updates with Gradle
gradle dependencyUpdates
-Drevision=release
https://github.com/ben-manes/gradle-versions-plugin

@EnableWebSecurity
@Override
http
.csrf()
.csrfTokenRepository(
CookieCsrfTokenRepository.withHttpOnlyFalse());
}
}

Brian's Life Hack:
Portable pizza oven

Default Spring Security Headers
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

@EnableWebSecurity
@Override
http.headers()
.contentSecurityPolicy("script-src 'self' " +
"https://trustedscripts.example.com; " +
"object-src https://trustedplugins.example.com; " +
"report-uri /csp-report-endpoint/");
}
}

https://developer.okta.com/blog/2019/04/11/site-security-cloudﬂare-netlify

Brian's Life Hack
Easy anti virus
system

Spring Security OIDC Conﬁguration
spring:
security:
oauth2:
client:
registration:
okta:
client-id: {clientId}
client-secret: {clientSecret}
provider:
okta:
issuer-uri: https://{yourOktaDomain}/oauth2/default

OIDC Authentication Demo
@Grab('spring-boot-starter-oauth2-client')
@RestController
class Application {
@GetMapping('/')
String home(java.security.Principal user) {
'Hello ' + user.name
}
}

Works with Spring WebFlux
https://developer.okta.com/blog/2018/11/26/spring-boot-2-dot-1-oidc-oauth2-reactive-apis

And JHipster! 🎉
https://developer.okta.com/blog/2019/04/04/java-11-java-12-jhipster-oidc

Deterministic
hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3

One-way Function
hash("TSD") =3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
unhash("3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3") = ???

It should not be predictable
hash("TSD0") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
hash("TSD1") = 98eadd540e6c0579a1bcbe375c8d1ae2863beacdfb9af803e5f4d6dd1f8926c2
hash("TSD2") = 665ec59d7fb01f6070622780e744040239f0aaa993eae1d088bc4f0137d270ef
hash("TSD3") = 7ae89eb10a765ec2459bee59ed1d3ed97dbb9f31ec5c7bd13d19380bc39f5288

One-to-one mapping
hash("123") != 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3

Hashed Passwords in Spring
@Bean
public PasswordEncoder passwordEncoder() {
return new SCryptPasswordEncoder();
}

Hashed Passwords in Spring
@Autowired
private PasswordEncoder passwordEncoder;
public String hashPassword(String password) {
return passwordEncoder.encode(password);
}

Matt's Life Hack: Clean hard-to-reach places with 🐓

https://github.com/awslabs/git-secrets

Spring Vault
<dependencies>
<dependency>
<groupId>org.springframework.vault</groupId>
<artifactId>spring-vault-core</artifactId>
<version>2.2.0.RELEASE</version>
</dependency>
</dependencies>

Spring Vault
@Value("${password}")
char[] password;

Why char[] instead of String for password?
Strings are immutable, can't wipe data
String passwords can be accidentally printed
https://www.baeldung.com/java-storing-passwords
Printing String password -> password
Printing char[] password -> [C@6e8cf4c6

OWASP Zed Attack Proxy
Two approaches: Spider and Active Scan
Spider starts with a seed of URLs
Active Scan records a session then plays it back, scanning for known
vulnerabilities

Learn More About ZAP
Homepage
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
GitHub https://github.com/zaproxy/zaproxy
Twitter @zaproxy

Code Review Topics
1. Identify and validate any third
party input
2. Never store credentials as
code/conﬁg
3. Test for new security
vulnerabilities in third-party
open source dependencies.
4. Authenticate inbound requests
5. Enforce the least privilege
principle
6. Prefer whitelist over blacklist
7. Handle sensitive data with care
8. Do not allow back doors in your
code
9. Protect against well-known
attacks
10. Statically test your source code
on every PR, automatically

Java security best practices cheat sheet
http://bit.ly/java-security

10 Excellent Ways to Secure Spring Boot
1. Use HTTPS
2. Scan dependencies
3. Dependencies up-to-date
4. Enable CSRF protection
5. Use a Content Security Policy
6. Use OIDC
7. Hash passwords
8. Store secrets securely
9. Test with OWASP's ZAP
10. Code review with experts
��

https://snyk.io/blog/spring-boot-security-best-practices

Life Hack: Use a toilet seat for a 👌 TV dinner setup

Questions?
67
Keep in Touch!
@mraible
@BrianVerm
Presentation
speakerdeck.com/mraible
Code
github.com/oktadeveloper

10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a 10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019

Similar a 10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019 (20)

Más de Matt Raible

Más de Matt Raible (20)

Último

Último (20)

10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019