Securing RESTful services with Spring HATEOAS & Hdiv

Securing your REST services with Spring HATEOAS and Hdiv, presented at Spring I/O 2016.


  1. Securing RESTful services with Spring HATEOAS & Hdiv. Roberto Velasco, @hdivroberto
  2. About me (Spring I/O 2016). Roberto Velasco, CEO at Hdiv Security. Working as a Java software architect since 2004.
  3. About me. Involved in software security since 2001.
  4. About me. Founder of the Hdiv Security framework in 2008.
  5. About this talk. It is not about: authentication, role-based access control, best practices. It is about: security automation, security by design.
  6. Agenda: (1) APIs security overview, (2) Why, (3) The solution, (4) Spring HATEOAS & Hdiv.
  7. Part 1: APIs security overview
  8. APIs everywhere.
  9. The old new things. What about security in this new scenario?
  10. Let's see a demo: Spring HATEOAS & Android.
  11. The old new things. The most important issues remain the same, as represented by the OWASP Top 10. The client-side approach leaves us more exposed: the controller lives inside the client, and more business logic runs on the client side.
  12. How big is the problem? 86% of all websites tested had at least one serious vulnerability.
  13. Part 2: Why
  14. Security issues. Bugs: SQL injection, XSS, etc.; easy to find and fix. Design flaws: forgetting to authenticate a user, unauthorized access to a record; no tool to find them and complex to fix.
  15. Design flaws (IEEE Cyber Security).
  16. Why: the current technology used to develop services is insecure by default.
  17. Why: it does not protect against bugs or design flaws.
  18. Why: security depends on people.
  19. Security solutions: AST (Application Security Testing). Recommended for security bugs; detected issues must still be fixed by developers.
  20. Security solutions: WAF (Web Application Firewall). Tries to protect against bugs and security design flaws, but...
  21. Security solutions: WAF. False positives; costly implementation.
  22. Summary. Foundational software providers: protect against neither bugs nor security design flaws. Security providers: bugs are well detected by AST, but that represents significant fixing work for developers; design flaws are not properly covered by WAFs.
  23. Part 3: The solution
  24. The solution: different problems require different solutions.
  25. The solution for design flaws. Current approach: everything open, close manually.
  26. The solution for design flaws. Proposed approach, security by default: everything closed by default, open manually.
  27. The solution for design flaws: the server defines what is allowed.
  28. The solution for design flaws: the server defines what is allowed, through hypermedia.
  29. The solution for design flaws: the server rejects every request that does not respect the original contract.
  30. The solution for design flaws (Born Secure): the server rejects every request that does not respect the original contract.
  31. The solution for design flaws: integrity validation for read-only data; white-list and black-list validation for editable data (text fields).
  32. The solution for bugs: we need a detection mechanism.
  33. The solution for bugs: we need a detection mechanism, AST tools.
  34. The solution for bugs: we need to automate the protection of the detected issues.
  35. The solution for bugs: we need to automate the protection of the detected issues.
  36. The solution for bugs: do nothing for read-only data; strict white-list validation for vulnerable text fields; show the error on the text field itself.
  37. Part 4: Spring HATEOAS & Hdiv
  38. Spring HATEOAS: the most important HATEOAS implementation in Java. Includes a format for links, based on HAL. A complete form definition is not covered.
  39. Form support pull request: https://github.com/spring-projects/spring-hateoas/pull/447. Participants & collaborators: Mike Amundsen, Dietrich Schulten, Oliver Gierke. Supported hypermedia formats: forms in HAL-FORMS, Siren and HTML; links in HAL.
  40. Form support in action. Form definition example:

     import org.springframework.hateoas.ResourceSupport;
     import org.springframework.web.bind.annotation.RequestMapping;
     import org.springframework.web.bind.annotation.RequestMethod;
     // linkTo/methodOn, @Select and @Input come from the form-support branch
     // (pull request 447 on slide 39), not from a released Spring HATEOAS version.

     // GET handler: returns a resource whose link carries the form (affordance)
     // for the POST handler charge(Charge), the overload referenced through methodOn().
     @RequestMapping(method = RequestMethod.GET)
     public ResourceSupport charge() {
         ResourceSupport resourceSupport = new ResourceSupport();
         resourceSupport.add(linkTo(methodOn(TransferController.class).charge(new Charge())).build());
         // code omitted here
         return resourceSupport;
     }

     // The constructor annotations describe each field of the form: fromAccount is a
     // select whose options the server provides, amount is a required editable input.
     public class Charge {
         private String fromAccount;
         private double amount;

         public Charge(@Select(options = CashAccountOptions.class) String fromAccount,
                       @Input(editable = true, required = true) double amount) {
             // code omitted here
         }
     }
  41. Several form formats are supported. HAL-FORMS example:

     {
       "_links": {
         "self": {
           "href": "http://localhost:9000/hdiv-ee-bank-services/api/transfer?rel=halforms:make-transfer"
         },
         "curies": [
           { "href": "{href}{?rel}", "name": "halforms", "templated": true }
         ]
       },
       "_templates": {
         "default": {
           "method": "POST",
           "properties": [
             { "name": "fromAccount", "readOnly": true, "suggest": [
                 { "value": "00948343154448310446", "prompt": "Checking Account" },
                 { "value": "91123204989505683033", "prompt": "Individual Retirement Accounts (IRAs)" }
               ] },
             { "name": "toAccount", "readOnly": false, "required": true },
             { "name": "description", "readOnly": false, "required": true },
             { "name": "amount", "readOnly": false, "value": "0.0", "required": true },
             { "name": "fee", "readOnly": true, "value": "5.0" }
           ]
         }
       }
     }
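The contract check that slides 29 to 31 and 36 describe (reject requests that do not match what the server offered, integrity-check read-only data, white-list editable text fields) can be made concrete against the HAL-FORMS template above. The following is an added example written for this page, not code from Hdiv or Spring HATEOAS, and it is deliberately language-agnostic Python rather than the Java of the talk: it takes the "default" template the server issued and a submitted POST body and returns, per field, why the request is rejected. The white-list patterns, the sample template and the sample requests are constructed assumptions.

```python
"""Server-side contract check over a HAL-FORMS template (illustrative, not Hdiv's code)."""
import re

# Constructed sample: the "default" template the server issued for the transfer
# form, mirroring the HAL-FORMS document on slide 41.
SERVER_TEMPLATE = {
    "method": "POST",
    "properties": [
        {"name": "fromAccount", "readOnly": True, "suggest": [
            {"value": "00948343154448310446", "prompt": "Checking Account"},
            {"value": "91123204989505683033", "prompt": "Individual Retirement Accounts (IRAs)"},
        ]},
        {"name": "toAccount", "readOnly": False, "required": True},
        {"name": "description", "readOnly": False, "required": True},
        {"name": "amount", "readOnly": False, "value": "0.0", "required": True},
        {"name": "fee", "readOnly": True, "value": "5.0"},
    ],
}

# Hypothetical white-list rules for the editable text fields (slides 31 and 36).
# Hdiv ships its own rules; these are assumed here so the example runs stand-alone.
WHITELIST = {
    "toAccount": re.compile(r"[0-9]{20}"),
    "description": re.compile(r"[A-Za-z0-9 .,'-]{1,140}"),
    "amount": re.compile(r"[0-9]{1,9}(\.[0-9]{1,2})?"),
}

# Constructed sample request from an honest client that filled the form as offered.
HONEST_REQUEST = {
    "fromAccount": "00948343154448310446",
    "toAccount": "12345678901234567890",
    "description": "Rent, May",
    "amount": "120.50",
    "fee": "5.0",
}


def validate(template, submitted):
    """Return {field: reason} for every part of the request that breaks the contract.

    An empty dict means the request respects the template the server issued.
    """
    errors = {}
    props = {p["name"]: p for p in template["properties"]}

    # Closed by default: a parameter the server never advertised is rejected instead
    # of being silently bound to a handler argument (the mass-assignment design flaw).
    for name in submitted:
        if name not in props:
            errors[name] = "parameter not offered by the server"

    for name, prop in props.items():
        present = name in submitted
        if prop.get("readOnly"):
            # Integrity validation for read-only data: a selection must be one of the
            # values the server offered; a fixed value must come back unchanged.
            if "suggest" in prop:
                allowed = {opt["value"] for opt in prop["suggest"]}
                if not present or submitted[name] not in allowed:
                    errors[name] = "not one of the options offered by the server"
            elif present and submitted[name] != prop.get("value"):
                errors[name] = "read-only value was modified"
            continue
        if not present or submitted[name] == "":
            if prop.get("required"):
                errors[name] = "required field missing"
            continue
        # Editable text fields get strict white-list validation; the error is keyed
        # by field so the client can show it on that input (slide 36).
        rule = WHITELIST.get(name)
        if rule is not None and rule.fullmatch(submitted[name]) is None:
            errors[name] = "value rejected by white-list"
    return errors


def accept(submitted):
    """True if the request is accepted against SERVER_TEMPLATE."""
    return validate(SERVER_TEMPLATE, submitted) == {}


if __name__ == "__main__":
    # The honest request passes; each tampered variant is rejected on the field touched.
    print("honest:", validate(SERVER_TEMPLATE, HONEST_REQUEST))
    print("fee tampered:", validate(SERVER_TEMPLATE, {**HONEST_REQUEST, "fee": "0.0"}))
    print("foreign account:", validate(SERVER_TEMPLATE, {**HONEST_REQUEST, "fromAccount": "11111111111111111111"}))
    print("script in text:", validate(SERVER_TEMPLATE, {**HONEST_REQUEST, "description": "<script>alert(1)</script>"}))
    print("extra parameter:", validate(SERVER_TEMPLATE, {**HONEST_REQUEST, "role": "admin"}))
```

The point of the design is visible in the two read-only branches: the client never gets to choose the fee or an account the server did not list, so the "unauthorized access to a record" flaw from slide 14 is refused by construction rather than by a check a developer has to remember to write. Editable fields are the only place where a black- or white-list is needed, which is what keeps the bug protection narrow and automatable.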
  42. Try it! hdivsecurity.com/try-it-springio
  43. Summary: hypermedia offers an excellent foundation for covering security design flaws.
  44. Summary: hypermedia helps to automate the protection against detected security bugs.
  45. Summary: hypermedia formats are necessary to cover 100% of the interactions.
  46. Summary: Spring HATEOAS and Hdiv make it possible to automate many security tasks.
  47. Questions & Answers
  48. Roberto Velasco, Hdiv founder, roberto@hdivsecurity.com. Thanks!