The document summarizes a presentation about securing web applications using Apache Sling. The presentation covers an introduction to Apache Sling, a demo of an application, threat modeling of the application's assets and risks, how Apache Sling addresses security through natural access controls and injection-safe APIs, a demo of the secure application, and conclusions about building securely by default and Apache Sling's extensibility.
Secure by Default Web Applications with Apache Sling
1. http://robert.muntea.nu @rombert
Secure by Default Web Applications With Apache Sling
Robert Munteanu, Adobe Systems
Bucharest Technology Week 2016
2. Who I am
$DAYJOB
● Adobe Experience Manager
● Apache Sling
● Apache Jackrabbit
● Apache Felix
Open Source
● Apache Sling
● MantisBT
● Mylyn Connector for MantisBT
● Mylyn Connector for Review Board
22. Threat modelling
“Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application”
Threat Modeling Web Applications on MSDN
38. Conclusions – Security
● Aim to be “Secure by Default”
● Build a threat model for your application
● Look for components that eliminate problems altogether
39. Conclusions – Apache Sling
● Simple to be “Secure by Default”
● Eventing, Thread Pooling, Job Management, Caching
● Scripting: Groovy, Scala, JSP, Sightly, Java, Ruby, Thymeleaf
● Flexible resource rendering with resource types
● Very extensible due to being internally powered by OSGi – most extension points available to clients