Application Security Pitfalls

Speaker: Mike Wiesner
Creating a secure application involves more than just applying Spring Security to it. This is of course not a new topic, but with the increased popularity of much more dynamic configurations for Servlet Containers and various Spring Projects, like Spring MVC and Spring Integration, it becomes more important to know about the security trade-offs we might get with that, and how to tackle them.

Published in: Technology
Application Security Pitfalls

  1. Application Security Pitfalls
     By Mike Wiesner
     mwiesner@gopivotal.com
     https://github.com/mikewiesner/security-patterns-2013
     © 2013 SpringOne 2GX. All rights reserved. Do not distribute without permission.
  2. Mike Wiesner
     • Technical Instructor @Pivotal
     • 10+ years experience in Java
       – As developer, consultant and instructor
     • Focus on Application Security and Enterprise Integration
     • Spring Security contributor
  3. Application Security?
  4. Enterprise Java = Spring. Spring + Security = Spring Security
  5. Done?
  6. OWASP Top Ten
     • Injection
     • Cross-Site Scripting (XSS)
     • Broken Authentication and Session Management
     • Insecure Direct Object References
     • Cross-Site Request Forgery (CSRF)
     • Security Misconfiguration
     • Insecure Cryptographic Storage
     • Failure to Restrict URL Access
     • Insufficient Transport Layer Protection
     • Unvalidated Redirects and Forwards
     (Slide labels: Spring Security, Spring Security 3.2)
  7. Security is a process
  8. SQL Injection
     Diagram: Client → Webserver → Database (labels: user, Login, BBI). The login form is submitted with the password ' or '1' = '1, and the concatenated query becomes:
     select * from users where user = 'user' and password = '' or '1' = '1'
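The query on slide 8, as an added example that is not from the slides or the speaker's repository: the method that builds it by string concatenation next to a PreparedStatement version, in which the same input cannot change the statement's structure. Table and column names follow the slide; the JDBC Connection is assumed to be supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Added example (not from the slides): how the login query on slide 8 is
 * built by concatenation, and how a PreparedStatement keeps the same input
 * from altering the query's structure.
 */
public class LoginQueryExample {

    /** The slide's vulnerable pattern: the password is pasted into the SQL text. */
    static String buildVulnerableQuery(String user, String password) {
        return "select * from users where user = '" + user
                + "' and password = '" + password + "'";
    }

    /**
     * Hardened variant: the SQL text is fixed and the values travel as bind
     * parameters, so a quote in the password is just a character in the value.
     * Returns true if a row matched. (A real application would compare a password
     * hash in application code; only the parameter binding is the point here.)
     */
    static boolean userExists(Connection conn, String user, String password) throws SQLException {
        String sql = "select 1 from users where user = ? and password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: the password value shown on slide 8.
        String injected = "' or '1' = '1";
        // Prints the exact statement from the slide; its WHERE clause now ends in
        // "or '1' = '1'", which is true for every row in the table.
        System.out.println(buildVulnerableQuery("user", injected));
    }
}
```

The same applies to Spring's JdbcTemplate or JPA queries: the defence is that user input only ever arrives as a bound parameter, never as part of the query text.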
  9. XML Processing
  10. XML Processing (diagram labels: fromFile, newOrderXml, download, box, downloadSecured, boxSecured)
  11. Still awake?
  12. Demo Time!
  13. Input Validation
  14. JSR-303: Bean Validation
     // Imports added so the slide's snippet compiles: @NotNull is the
     // JSR-303 constraint, @Length comes from Hibernate Validator.
     import javax.validation.constraints.NotNull;
     import org.hibernate.validator.constraints.Length;

     public class Address {
         // Required, and at most 30 characters long
         @NotNull @Length(max=30)
         private String addressline1;

         // Optional, at most 30 characters when present
         @Length(max=30)
         private String addressline2;
     }
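An added example, not from the slides, showing that the constraints on slide 14 only take effect when a Validator is actually run over the object. It assumes a JSR-303 provider is on the classpath (Hibernate Validator, which also supplies @Length, together with its Expression Language dependency); in Spring MVC the same validation runs when a handler argument is annotated with @Valid. The constructor and the sample addresses are constructed for the demonstration.

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;
import org.hibernate.validator.constraints.Length;

/**
 * Added example (not from the slides): annotations alone enforce nothing; the
 * constraints on slide 14 are checked only when a Validator visits the object.
 * Requires a JSR-303 provider such as Hibernate Validator on the classpath.
 */
public class AddressValidationExample {

    public static class Address {
        @NotNull @Length(max = 30)
        private String addressline1;
        @Length(max = 30)
        private String addressline2;

        // Constructor added for the demonstration; not part of the slide.
        public Address(String line1, String line2) {
            this.addressline1 = line1;
            this.addressline2 = line2;
        }
    }

    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    /** Returns the violated constraints; an empty set means the input is acceptable. */
    static Set<ConstraintViolation<Address>> validate(Address address) {
        return VALIDATOR.validate(address);
    }

    public static void main(String[] args) {
        // Constructed inputs: one valid address, one missing line 1, one over 30 characters.
        Address ok = new Address("1 Main St", null);
        Address missingLine1 = new Address(null, "Suite 5");
        Address tooLong = new Address("1234567890123456789012345678901", null);

        for (Address a : new Address[] {ok, missingLine1, tooLong}) {
            Set<ConstraintViolation<Address>> violations = validate(a);
            System.out.println(violations.size() + " violation(s)");
            for (ConstraintViolation<Address> v : violations) {
                System.out.println("  " + v.getPropertyPath() + ": " + v.getMessage());
            }
        }
    }
}
```

The first address produces no violations, the second one violation on addressline1 (@NotNull), the third one violation on addressline1 (@Length). The trust-zone point of the following slide is that this check has to sit at the boundary where untrusted data enters; an object validated nowhere is indistinguishable from an unvalidated one.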
  15. Trust Zones
  16. Demo Time!
  17. OWASP Top Ten
     • Injection
     • Cross-Site Scripting (XSS)
     • Broken Authentication and Session Management
     • Insecure Direct Object References
     • Cross-Site Request Forgery (CSRF)
     • Security Misconfiguration
     • Insecure Cryptographic Storage
     • Failure to Restrict URL Access
     • Insufficient Transport Layer Protection
     • Unvalidated Redirects and Forwards
     (Slide labels: Your code, Spring Security, Spring Security 3.2)
  18. Typical Architecture: Spring MVC → Services → Spring Data Repos → DB
  19. Spring XML & Servlet 2.5 config
     • Spring MVC: webmvc-config.xml
     • Services: application-context.xml
     • Spring Data Repos: application-context-jpa.xml, persistence.xml
     • DB: prod/test-infrastructure.xml
     • Servlet Container: web.xml
  20. Spring Java and Servlet 3.x config
     • Spring MVC: SpringWebMvcConfig.java
     • Services: SpringCoreConfig.java
     • Spring Data Repos: SpringRepoConfig.java
     • DB: InfraProductionConfig.java
     • Servlet Container: WebContainerConfig.java
  21. Demo Time!
  22. Servlet 3.x web.xml replacements
     • Dynamic configuration available with:
       • Annotated web components
         – E.g. @WebServlet, @WebFilter
         – Disable with metadata-complete="true" in web.xml
       • Web fragments
         – web-fragment.xml
         – E.g. Spring WebApplicationInitializer
         – Disable with <absolute-ordering/> in web.xml
  23. How Spring's WAI (WebApplicationInitializer) works
     spring-web.jar
       META-INF/web-fragment.xml
       META-INF/services/javax.servlet.ServletContainerInitializer
         → org.springframework.web.SpringServletContainerInitializer
           → org.springframework.web.WebApplicationInitializer
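A WebApplicationInitializer of the kind slides 22 and 23 describe, as an added example and not the speaker's code: the container finds SpringServletContainerInitializer through the META-INF/services entry, and it calls onStartup on every WebApplicationInitializer on the classpath, so the servlet and filter registrations that web.xml used to hold are now Java code and have to be reviewed like any other. The configuration class names follow slide 20; that they exist, and that the root context holds a Spring Security configuration exposing a bean named springSecurityFilterChain, are assumptions.

```java
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.context.ContextLoaderListener;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.filter.DelegatingFilterProxy;
import org.springframework.web.servlet.DispatcherServlet;

/**
 * Added example (not from the slides): a web.xml replacement as described on
 * slides 22 and 23. SpringServletContainerInitializer, discovered through
 * META-INF/services/javax.servlet.ServletContainerInitializer, invokes
 * onStartup on this class when the container starts.
 * Assumed: the config classes named on slide 20 exist, and the root context
 * contains a Spring Security configuration (bean "springSecurityFilterChain").
 */
public class WebContainerConfig implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext ctx) throws ServletException {
        // Root context: services, repositories, infrastructure (and security config).
        AnnotationConfigWebApplicationContext rootCtx = new AnnotationConfigWebApplicationContext();
        rootCtx.register(SpringCoreConfig.class, SpringRepoConfig.class, InfraProductionConfig.class);
        ctx.addListener(new ContextLoaderListener(rootCtx));

        // Web context: Spring MVC, served by the DispatcherServlet.
        AnnotationConfigWebApplicationContext webCtx = new AnnotationConfigWebApplicationContext();
        webCtx.register(SpringWebMvcConfig.class);
        ServletRegistration.Dynamic dispatcher =
                ctx.addServlet("dispatcher", new DispatcherServlet(webCtx));
        dispatcher.setLoadOnStartup(1);
        dispatcher.addMapping("/");

        // Spring Security's filter chain is not registered by anyone else; it has
        // to be added here. DelegatingFilterProxy looks up the bean of that name
        // in the root context. isMatchAfter=false places this mapping before any
        // declared mappings, so every request is filtered before it reaches the
        // dispatcher.
        FilterRegistration.Dynamic security = ctx.addFilter(
                "springSecurityFilterChain", new DelegatingFilterProxy("springSecurityFilterChain"));
        security.addMappingForUrlPatterns(null, false, "/*");
    }
}
```

The last block is the part worth checking in any such initializer: a missing or wrongly mapped filter registration leaves endpoints reachable without the security chain, and with dynamic configuration nothing in web.xml will show that. A deployment that wants to rule out dynamic registration altogether has the controls named on slide 22: metadata-complete="true" and <absolute-ordering/> in web.xml.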
  24. Demo Time!
  25. “Hidden” Framework features
  26. Demo Time!
  27. OWASP Top Ten
     • Injection
     • Cross-Site Scripting (XSS)
     • Broken Authentication and Session Management
     • Insecure Direct Object References
     • Cross-Site Request Forgery (CSRF)
     • Security Misconfiguration
     • Insecure Cryptographic Storage
     • Failure to Restrict URL Access
     • Insufficient Transport Layer Protection
     • Unvalidated Redirects and Forwards
     (Slide labels: Your code, Spring Security, Spring Security 3.2)
  28. Done?
  29. Encoding Problems
     Diagram: Browser (Internet) sends %C0%AE%C0%AE%C0%AF → Tomcat → FileSystem receives ../
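An added example, not from the slides, of the check a defender wants for slide 29: a percent decoder that hands the raw bytes to a strict UTF-8 decoder (Java's rejects the 0xC0 and 0xC1 lead bytes of overlong sequences, so %C0%AE%C0%AE%C0%AF fails instead of turning into ../) and then confirms that the normalised path is still under the base directory, which also catches a plain ASCII ../. The base directory and sample inputs are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not from the slides): strict decoding of a percent-encoded
 * path segment, so the overlong UTF-8 on slide 29 is rejected rather than
 * silently normalised, followed by a containment check on the resolved path.
 */
public class StrictPathDecoder {

    /** Percent-decodes to raw bytes; rejects truncated or non-hex escapes and raw non-ASCII. */
    static byte[] percentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%') {
                if (i + 2 >= s.length()) {
                    throw new IllegalArgumentException("truncated escape");
                }
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi < 0 || lo < 0) {
                    throw new IllegalArgumentException("bad hex in escape");
                }
                out.write((hi << 4) | lo);
                i += 2;
            } else if (c < 0x80) {
                out.write(c);
            } else {
                throw new IllegalArgumentException("non-ASCII character outside an escape");
            }
        }
        return out.toByteArray();
    }

    /**
     * Decodes as UTF-8 with REPORT rather than REPLACE: Java's decoder treats
     * 0xC0/0xC1 lead bytes (overlong forms) as malformed, so C0 AE throws here
     * instead of becoming '.'.
     */
    static String decodeStrictUtf8(byte[] bytes) throws CharacterCodingException {
        CharsetDecoder dec = StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        return dec.decode(ByteBuffer.wrap(bytes)).toString();
    }

    /**
     * Resolves the decoded, user-supplied relative path under baseDir and rejects
     * anything that normalises to a location outside it (a plain "../" included).
     */
    static Path resolveUnder(Path baseDir, String encodedRelative) throws CharacterCodingException {
        String relative = decodeStrictUtf8(percentDecode(encodedRelative));
        Path base = baseDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(relative).normalize();
        if (!resolved.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory: " + relative);
        }
        return resolved;
    }

    public static void main(String[] args) throws Exception {
        Path base = Paths.get("/var/www/files");   // constructed base directory
        // Constructed inputs: a legitimate file, the slide's overlong payload,
        // and the same traversal written in plain ASCII.
        String[] inputs = {"reports/2013.pdf", "%C0%AE%C0%AE%C0%AF", "../outside.txt"};
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + resolveUnder(base, in));
            } catch (CharacterCodingException | IllegalArgumentException e) {
                System.out.println(in + " -> rejected (" + e + ")");
            }
        }
    }
}
```

Two design choices matter here. Decoding happens exactly once, to bytes, and the charset decoder is strict, so no second, more lenient decoder downstream gets a chance to see a different string. And the containment check runs on the canonical Path rather than on the string, which is the defence-in-depth layer of the next slide: it holds even if some other component has already decoded the input leniently.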
  30. Defense in Depth
  31. Conclusion
     • Application Security is a process, not a feature.
     • EVERY developer needs to know about Application Security
     • Shouldn’t negatively impact innovation and architecture
     • Frameworks can help you
       – But you need to understand them
  32. Learn More. Stay Connected.
     Questions? mwiesner@gopivotal.com
     https://github.com/mikewiesner/security-patterns-2013
     Talk to us on Twitter: @springcentral
     Find session replays on YouTube: spring.io/video