
Security in practice with Java EE 6 and GlassFish

Java EE 6 Security in practice with GlassFish




Markus Eisele & Masoud Kalali
Agenda
• Introduction
• The Top 10 Most Critical Web Application Security Risks
• Take Away
Masoud Kalali
http://kalali.me
http://twitter.com/MasoudKalali
Masoud.Kalali@oracle.com
software engineer, author, blogger, climber and flute enthusiast

Markus Eisele
http://blog.eisele.net
http://twitter.com/myfear
Markus.eisele@msg-systems.com
Java EE 7 EG, architect, husband, father of two, photographer, speaker, writer
Java EE 6 & GlassFish
glassfish.org
Galleria Project
https://bitbucket.org/VineetReynolds/java-ee-6-galleria/
Galleria Project
http://blog.eisele.net/2012/03/java-ee-6-galleria-example-part-1.html

HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...htrindia
 
How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanDatabarracks
 
New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024ThousandEyes
 
iOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingeriOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingerssuser9354ce
 
AMER Introduction to ThousandEyes Webinar
AMER Introduction to ThousandEyes WebinarAMER Introduction to ThousandEyes Webinar
AMER Introduction to ThousandEyes WebinarThousandEyes
 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Chris Bingham
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceSusan Ibach
 
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...Product School
 
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...ShapeBlue
 
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...SearchNorwich
 
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...ShapeBlue
 
Revolutionizing The Banking Industry: The Monzo Way by CPO, Monzo
Revolutionizing The Banking Industry: The Monzo Way by CPO, MonzoRevolutionizing The Banking Industry: The Monzo Way by CPO, Monzo
Revolutionizing The Banking Industry: The Monzo Way by CPO, MonzoProduct School
 

Recently uploaded (20)

Battle of React State Managers in frontend applications
Battle of React State Managers in frontend applicationsBattle of React State Managers in frontend applications
Battle of React State Managers in frontend applications
 
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlueVM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
VM Migration from VMware to CloudStack and KVM – Suresh Anaparti, ShapeBlue
 
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
Unleash the Solace Pub Sub connector | Banaglore MuleSoft Meetup #31
 
Large Language Models and Applications in Healthcare
Large Language Models and Applications in HealthcareLarge Language Models and Applications in Healthcare
Large Language Models and Applications in Healthcare
 
PrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5CompanyPrismCRM-RealEstate-SalesCRM_byCode5Company
PrismCRM-RealEstate-SalesCRM_byCode5Company
 
TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI Innovations
 
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
Microsoft x 2toLead Webinar Session 1 - How Employee Communication and Connec...
 
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlueCloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
CloudStack Authentication Methods – Harikrishna Patnala, ShapeBlue
 
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
HBR SERIES METAL HOUSED RESISTORS POWER ELECTRICAL ABSORBS HIGH CURRENT DURIN...
 
How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response Plan
 
New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024New ThousandEyes Product Features and Release Highlights: February 2024
New ThousandEyes Product Features and Release Highlights: February 2024
 
iOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostingeriOncologi_Pitch Deck_2024 slide show for hostinger
iOncologi_Pitch Deck_2024 slide show for hostinger
 
AMER Introduction to ThousandEyes Webinar
AMER Introduction to ThousandEyes WebinarAMER Introduction to ThousandEyes Webinar
AMER Introduction to ThousandEyes Webinar
 
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
Learning About GenAI Engineering with AWS PartyRock [AWS User Group Basel - F...
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data science
 
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
 
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
What’s New in CloudStack 4.19, Abhishek Kumar, Release Manager Apache CloudSt...
 
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
ChatGPT's Code Interpreter: Your secret weapon for SEO automation success - S...
 
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
Elevating Cloud Infrastructure with Object Storage, DRS, VM Scheduling, and D...
 
Revolutionizing The Banking Industry: The Monzo Way by CPO, Monzo
Revolutionizing The Banking Industry: The Monzo Way by CPO, MonzoRevolutionizing The Banking Industry: The Monzo Way by CPO, Monzo
Revolutionizing The Banking Industry: The Monzo Way by CPO, Monzo
 

Security in practice with Java EE 6 and GlassFish

  • 1. Java EE 6 Security in practice with GlassFish Markus Eisele & Masoud Kalali
  • 2. Agenda • Introduction • The Top 10 Most Critical Web Application Security Risks • Take Away
  • 3. Masoud Kalali: http://kalali.me, http://twitter.com/MasoudKalali, Masoud.Kalali@oracle.com; software engineer, author, blogger, climber and flute enthusiast. Markus Eisele: http://blog.eisele.net, http://twitter.com/myfear, Markus.eisele@msg-systems.com; Java EE 7 EG, architect, husband, father of two, photographer, speaker, writer.
  • 4. Java EE 6 & GlassFish glassfish.org
  • 6. Galleria Project http://blog.eisele.net/2012/03/java-ee-6-galleria-example-part-1.html
  • 8. Galleria and Security • Form based authentication • JDBCRealm • request.login(userId, new String(password)); • @RolesAllowed({ "RegisteredUsers" }) Enough? State-of-the-Art? Feeling-good-with-it™?
  • 9. Motivation for this talk • Seen a lot of Java EE out there with no or not enough security • Providing a starting point • Having seen a lot, sharing something • Making you aware of security • Finding out about “the security state of Galleria”
  • 10. The Top 10 Most Critical Web Application Security Risks Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) Aka OWASP Top-10* Source: http://owasptop10.googlecode.com
  • 11. What is OWASP? • Open Web Application Security Project • Improving the security of (web) application software – Not-for-profit organization since 2001 – Raise interest in secure development • Documents – Top 10 – Cheat Sheets – Development Guides • Solutions – Enterprise Security API (ESAPI) – WebScarab – WebGoat
  • 13. What is it? (A1 - Injection) • Sending unintended data to applications • Manipulating and reading data stores (e.g. DB, LDAP) • Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP) – Database access (JPA, JDBC)
  • 14. Worst-Practice Injection
  String id = "x'; DROP TABLE members; --"; // user-input
  // concatenation: the input becomes part of the SQL statement text
  Query query = em.createNativeQuery("SELECT * FROM PHOTO WHERE ID = " + id, Photo.class);
  // bound parameter: the input is passed as a value and is never parsed as SQL
  Query query2 = em.createNativeQuery("SELECT * FROM MAG WHERE ID = ?1", Magazine.class);
  query2.setParameter(1, id);
  • 15. Prevent Injection • Sanitize the input • Escape/Quotesafe the input • Use bound parameters (the PREPARE statement) • Limit database permissions and segregate users • Use stored procedures for database access (might work) • Isolate the webserver • Configure error reporting
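Added example for slides 14 and 15 (not code from the talk or from the Galleria project): the concatenated native query beside its bound-parameter form, a typed JPQL query, and validation of the ID at the web boundary. The PhotoRepository bean, the PHOTO table and the minimal Photo entity are assumptions made for this example.

```java
import java.util.List;
import javax.ejb.Stateless;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NoResultException;
import javax.persistence.PersistenceContext;
import javax.persistence.Query;
import javax.persistence.Table;
import javax.persistence.TypedQuery;

// Minimal entity assumed for this example: one numeric key on table PHOTO.
@Entity
@Table(name = "PHOTO")
class Photo {
    @Id
    private Long id;

    public Long getId() {
        return id;
    }
}

@Stateless
public class PhotoRepository {

    @PersistenceContext
    private EntityManager em;

    // WORST PRACTICE, kept only for contrast with slide 14: the raw request
    // parameter becomes part of the SQL text, so an input such as
    // "x'; DROP TABLE members; --" is executed as SQL.
    @SuppressWarnings("unchecked")
    public List<Photo> findByIdUnsafe(String idFromRequest) {
        Query q = em.createNativeQuery(
                "SELECT * FROM PHOTO WHERE ID = " + idFromRequest, Photo.class);
        return q.getResultList();
    }

    // Bound positional parameter on a native query: the value is handed to
    // the driver separately from the statement text and is never parsed as SQL.
    @SuppressWarnings("unchecked")
    public List<Photo> findByIdBound(long id) {
        Query q = em.createNativeQuery(
                "SELECT * FROM PHOTO WHERE ID = ?1", Photo.class);
        q.setParameter(1, id);
        return q.getResultList();
    }

    // Preferred with JPA 2.0: a typed JPQL query with a named parameter.
    // The provider generates the SQL, so the application assembles no SQL text.
    public Photo findById(long id) {
        TypedQuery<Photo> q = em.createQuery(
                "SELECT p FROM Photo p WHERE p.id = :id", Photo.class);
        q.setParameter("id", id);
        try {
            return q.getSingleResult();
        } catch (NoResultException none) {
            return null;
        }
    }

    // "Sanitize the input" from slide 15, done at the web boundary: a photo
    // ID is a positive number, so anything else is rejected before it gets
    // near the persistence layer. Returns null for
    // "x'; DROP TABLE members; --", for "-1" and for over-long strings.
    public static Long parsePhotoId(String raw) {
        if (raw == null) {
            return null;
        }
        String trimmed = raw.trim();
        if (trimmed.length() == 0 || trimmed.length() > 18) {
            return null;
        }
        try {
            long id = Long.parseLong(trimmed);
            return id > 0 ? Long.valueOf(id) : null;
        } catch (NumberFormatException notANumber) {
            return null;
        }
    }
}
```

A servlet or JSF bean calls parsePhotoId on the request parameter and only passes the resulting long into findById; the String-taking findByIdUnsafe exists here solely to show what the concatenating form on slide 14 looks like in context and should not survive a code review.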
  • 16. A2 - Cross-Site Scripting (XSS)
  • 17. What is it? • Inject malicious code into user interfaces • Get access to browser information – E.g. javascript:alert(document.cookie) • Steal user’s session, steal sensitive data • rewrite web page • redirect user to phishing or malware site • Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP)
  • 18. Worst Practices • Don't sanitize at all: <h:outputText value="#{user.content}" escape="false"/> • Sanitize on your own, e.g. with a hand-written filter that does not recognise the payload in this link (the base64 decodes to <script>alert(/XSS/)</script>): <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4=">Test</a>
  • 19. Prevent • Sanitize the input • Escape/Quotesafe the output • Use Cookie flags: – httpOnly (the cookie is not readable from script, so injected JavaScript cannot read the session id) https://code.google.com/p/owasp-esapi-java/
  • 20. A3 - Broken Authentication and Session Management
  • 21. What is it? • Container Security vs. own solution • Session Binding / Session Renewal • Password Strength (length/complexity) • Plain text passwords (http/https) • Password recovery • Number of factors used for authentication • Java EE 6 affected: – JAAS / JASPIC – Filter / PhaseListener – Container and Web-App configuration
  • 22. Worst Practice • Authentication over http • Custom security filter • Not using Container Functionality • No password strength requirements • No HttpSession binding • Saving Passwords • Not testing security
  • 23. Best Practices • Go with provided Standard Realms and LoginModules whenever possible • Use transport layer encryption (TLS/SSL) • Use Cookie flags: – secure (avoid clear text transmission)
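Added example covering the cookie-flag points of slides 19 and 23 and the session-binding point of slide 21 (not code from the talk or from Galleria): a Servlet 3.0 listener that sets httpOnly and secure on the container's session cookie, and a login servlet that renews the session around the same request.login call Galleria uses. The /login path, the parameter names and the idle timeout are assumptions; both classes share the imports shown once at the top.

```java
import java.io.IOException;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// ---- File: SessionCookieHardening.java ----
// Cookie flags on the container's session cookie. This must run during
// context initialisation; later calls to SessionCookieConfig throw
// IllegalStateException. The web.xml equivalent is
//   <session-config><cookie-config>
//     <http-only>true</http-only><secure>true</secure>
//   </cookie-config></session-config>
@WebListener
public class SessionCookieHardening implements ServletContextListener {

    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cookie = sce.getServletContext().getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable via document.cookie (A2)
        cookie.setSecure(true);   // never sent over plain http (A3, A9)
    }

    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}

// ---- File: LoginServlet.java ----
// Programmatic login against the container realm with session renewal: the
// session id the browser arrived with is discarded before authentication,
// so an id planted by an attacker (session fixation) is never promoted to
// an authenticated session.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String userId = req.getParameter("userId");
        String password = req.getParameter("password");
        if (userId == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        HttpSession stale = req.getSession(false);
        if (stale != null) {
            stale.invalidate();          // session renewal
        }

        try {
            req.login(userId, password); // container realm, no home-grown check
        } catch (ServletException loginFailed) {
            // identical answer for unknown user and wrong password
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        HttpSession fresh = req.getSession(true); // new id, created after login
        fresh.setAttribute("loginTime", Long.valueOf(System.currentTimeMillis()));
        fresh.setMaxInactiveInterval(15 * 60);    // idle timeout, seconds
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

The secure flag only helps if the login form itself is served over TLS; with a plain-http login page the credentials are already exposed before the cookie exists, which is the first worst practice on slide 22.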
  • 24. A4 – Insecure Direct Object References
  • 25. What is it? • Accessing domain objects with their PK https://you.com/user/1 => https://you.com/user/21 • Opening opportunities for intruders • Information hiding on the client • Parameter value tampering • Java EE 6 affected: – All layers – Especially data access
  • 26. Worst Practice • No data separation between users (tenants) • No per-operation access checks on data (read/update/delete) • No query constraints (the query does not restrict results to the caller's own data)
  • 27. Best Practices • Use AccessReferenceMaps • Use data-driven security • Perform data authorization on the view
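Added example for the AccessReferenceMap and data-driven-security points of slide 27 (not code from the talk or from Galleria): a session-scoped map that hands out random references instead of primary keys, and a service whose query carries the owner constraint taken from the authenticated caller rather than from the request. The Photo entity with an owner attribute, the bean names and the JPQL are assumptions; the imports at the top are shared by the three files.

```java
import java.io.Serializable;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.enterprise.context.SessionScoped;
import javax.inject.Named;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NoResultException;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;

// ---- File: Photo.java ---- (minimal entity assumed for this example)
@Entity
public class Photo {
    @Id
    private Long id;
    private String owner; // user name of the uploader

    public Long getId() { return id; }
    public String getOwner() { return owner; }
}

// ---- File: AccessReferenceMap.java ----
// Per-session map between real primary keys and random references. Only
// keys the application has chosen to show this user ever get a reference,
// so changing .../user/1 to .../user/21 has no equivalent: an unknown
// reference resolves to nothing.
@Named("refs")
@SessionScoped
public class AccessReferenceMap implements Serializable {

    private static final long serialVersionUID = 1L;
    private static final SecureRandom RNG = new SecureRandom();

    private final Map<String, Long> refToId = new HashMap<String, Long>();
    private final Map<Long, String> idToRef = new HashMap<Long, String>();

    // Issue (or reuse) the opaque reference for an id the user may see.
    // From Facelets: <f:param name="ref" value="#{refs.reference(p.id)}"/>
    public synchronized String reference(Long id) {
        String ref = idToRef.get(id);
        if (ref == null) {
            do {
                ref = new BigInteger(80, RNG).toString(36); // 80 random bits
            } while (refToId.containsKey(ref));
            idToRef.put(id, ref);
            refToId.put(ref, id);
        }
        return ref;
    }

    // Null for anything this session never handed out.
    public synchronized Long resolve(String ref) {
        return ref == null ? null : refToId.get(ref);
    }
}

// ---- File: PhotoService.java ----
// Data-driven security: the owner is part of the query and comes from the
// caller principal, so a well-formed id of somebody else's photo yields
// "no result" exactly like a non-existent id does.
@Stateless
public class PhotoService {

    @PersistenceContext
    private EntityManager em;

    @Resource
    private SessionContext ctx;

    public Photo findOwnedPhoto(long photoId) {
        String caller = ctx.getCallerPrincipal().getName();
        TypedQuery<Photo> q = em.createQuery(
                "SELECT p FROM Photo p WHERE p.id = :id AND p.owner = :owner",
                Photo.class);
        q.setParameter("id", photoId);
        q.setParameter("owner", caller);
        try {
            return q.getSingleResult();
        } catch (NoResultException missingOrNotYours) {
            return null;
        }
    }
}
```

A page handler resolves the ref parameter through refs.resolve and, if that returns a key, calls findOwnedPhoto with it; the two layers are independent, so even a leaked real key is still checked against the owner.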
  • 28. A5 - Cross Site Request Forgery (CSRF)
  • 29. What is it? • A forged request that rides on the victim's authenticated session: the browser attaches the session cookie automatically • Malicious code executes functions on your behalf while you are authenticated • Deep links (one URL = one action) make this easier • Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP)
  • 30. Worst Practice (none of these stop CSRF) • Relying on a “secret cookie” (the browser sends it with the forged request too) • Accepting only POST requests (a hidden auto-submitting form is a POST) • Wizard-like multi-step transactions • URL rewriting
  • 31. Best Practices • Add Unpredictability (tokens) • CSRFPreventionForm http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html • Use OWASP ESAPI http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross- site-request-forgery-csrf/
  • 32. A6 - Security Misconfiguration
  • 33. What is it? • Applies to – Operating System – Application Server – Databases – Additional Services • Includes (beside _many_ others) – Missing Patches – All security relevant configuration – Default accounts
  • 34. Running GlassFish in a Secure Environment • Use the latest version (3.1.2.2) • Enable secure admin (TLS/https) • Use password aliasing • Enable security manager and put forth a proper security policy file • Set correct file system permissions http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
  • 35. Review the *.policy files • server.policy and granted.policy • Remove unused grants • Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain. • Document your changes!
  // Following grant block is only required by Connectors. If Connectors
  // are not in use the recommendation is to remove this grant.
  grant {
      permission javax.security.auth.PrivateCredentialPermission
          "javax.resource.spi.security.PasswordCredential * \"*\"","read";
  };
  • 36. Worst Practices • Leaving the default pages in place instead of redirecting them • Using any defaults like: – Passwords: admin password, master password – Network interface binding: listening on 0.0.0.0 – Certificates: the default self-signed certificate • Not running GlassFish as a restricted OS user and not enabling the security manager • Same security config for all environments • Using a non-hardened OS!
  • 37. A7 - Failure to Restrict URL Access
  • 38. What is it? • Presentation layer access control • Related to A4 – Insecure Direct Object References
  • 39. Worst Practice • Using home-grown security features instead of container-provided ones • Assuming people won't know some URLs and try them • Assuming no one would misuse the extra permissions and access they have
  • 40. Java EE 6 • What you do to prevent A4, plus: – Use container security (security-constraint) – Use the programmatic login of Java EE 6 if needed – Properly configure security realms – Accurately map roles to principals/groups (auth-constraint / security-role-mapping) – Only allow supported/required HTTP methods – Accurately categorize the URL patterns and permit the relevant roles for each
  • 41. Best Practices • Any non-public URL should be protected • Use container authentication/authorization features or extend on top of them • If that is not enough, use proven frameworks/products to protect the resources • If a user may fetch /getpic?id=1x118uf, it does not follow that /getpic?id=1x22ug should be shown to them
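Added example for slide 40 (not code from the talk or from Galleria): the Servlet 3.0 annotation form of security-constraint, with roles per HTTP method, unsupported methods denied outright, and a CONFIDENTIAL transport guarantee. The /admin/users path and the roles Administrators and Auditors are assumptions; the roles are mapped to realm groups in glassfish-web.xml with security-role-mapping.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@DeclareRoles({ "Administrators", "Auditors" })
@WebServlet("/admin/users")
@ServletSecurity(
    // default for every HTTP method not listed in httpMethodConstraints
    value = @HttpConstraint(
        rolesAllowed = { "Administrators" },
        transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // read-only view is also open to auditors, still TLS only
        @HttpMethodConstraint(value = "GET",
            rolesAllowed = { "Administrators", "Auditors" },
            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        // methods this servlet does not implement are denied to everyone
        @HttpMethodConstraint(value = "TRACE",
            emptyRoleSemantic = EmptyRoleSemantic.DENY),
        @HttpMethodConstraint(value = "PUT",
            emptyRoleSemantic = EmptyRoleSemantic.DENY),
        @HttpMethodConstraint(value = "DELETE",
            emptyRoleSemantic = EmptyRoleSemantic.DENY)
    })
public class UserAdminServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller and checked the
        // role, so getUserPrincipal() is never null on this path.
        resp.setContentType("text/plain");
        resp.getWriter().println("user list requested by "
                + req.getUserPrincipal().getName());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defence in depth: the write path re-checks the role in code, so a
        // later web.xml edit that loosens the constraint cannot silently
        // open this operation to auditors.
        if (!req.isUserInRole("Administrators")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String userId = req.getParameter("userId");
        if (userId == null || userId.trim().length() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // audit trail for every administrative change (slide 50: enable auditing)
        getServletContext().log("user record " + userId + " changed by "
                + req.getUserPrincipal().getName());
        resp.sendRedirect(req.getRequestURI());
    }
}
```

The annotation only protects the URL patterns mapped by this @WebServlet, and a security-constraint in web.xml for the same pattern overrides it, so a web.xml review is still part of the check that every non-public URL is covered.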
  • 42. A8 - Insecure Cryptographic Storage
  • 43. What is it? • Sensitive data exposed to wrong persons • Could be: – Passwords – Financial/Health care data – Credit cards
  • 44. GlassFish • Protect the keystore • Protect sensitive data – Use salted hashing or double hashing for authentication realms (Custom realm development) – Evaluate logging output • Protect GlassFish accounts – Use aliasing to protect the password and keep the master password safe to protect the aliases
  • 45. Worst Practices • Storing passwords in clear text without aliasing or the proper store • Using file authentication realm • Ignoring digest authentication/hashed password storage • Keeping clear text copies of encrypted data • Not keeping the keys/passwords well guarded
  • 46. Prevention • Identify sensitive data • Wisely encrypt sensitive data – On every level (application, appserver, db) – with the right algorithm and – with the right mechanism • Don’t keep clear text copies • Only authorized personnel have access to clear text data • Keep the keys as protected as possible (HSM) • Keep offsite encrypted backups in addition to on-site copies
  • 47. A9 - Insufficient Transport Layer Protection
  • 49. Worst Practice • Using basic/form authentication without SSL • Not using HTTPS for pages with private information • Using the default self-signed certificate • Storing unencrypted cookies • Not flagging cookies as secure-only (Cookie.setSecure(true)), so they are also sent over plain http • Forgetting about the rest of the infrastructure
  • 50. GlassFish • Properly configure the HTTPS listener(s) (set the right keystore) • Install the right server certificates to be used by the SSL listeners • Properly configure the ORB over SSL listeners if needed (set the right keystore) • Enable auditing under Security and the access log under HTTP Service
  • 51. Java EE • Group the resources in regard to transport sensitivity using web-resource-collection • Use user-data-constraint as widely as you need for data integrity and encryption needs • Ensure that login/logout pages (in case of form auth-type) are protected by <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  • 52. Best Practice • Use TLS on all connections with sensitive data • Individually encrypt messages • Sign messages before transmission • Use standard strong algorithms • Use proven mechanisms when sufficient
  • 53. A10 - Unvalidated Redirects and Forwards
  • 54. What is it? • Redirecting to another URL computed from user-provided parameters • Forwarding to another URL computed from user-provided parameters http://www.java.net/external?url=http://www.adam-bien.com/roller/abien/entry/conveniently_transactionally_and_legally_starting
  • 55. Java EE 6 • Avoid redirects and forwards to computed targets wherever possible • Accurately verify/validate the target URL before forwarding or redirecting • Redirects are the safer of the two when container-managed authentication/authorization is configured properly: the browser issues a new request, so the container evaluates its security constraints again for the target • Forwards stay inside the container and are not re-checked against the security constraints of the new target, and thus require triple-checking to prevent unauthorized access
  • 56. Worst Practices • Not using a proper access control mechanism (e.g. container-managed security with a proper security-constraint) • Redirecting to a user-provided parameter, e.g. to an external website • Not validating/verifying the target against the user's access level before doing the forward
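Added example for slides 54 to 56 (not code from the talk or from java.net): a redirect endpoint of the /external?url=... shape whose target is validated before use. The allow-list of external hosts is an assumption; anything that fails validation goes to the application root instead.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/external")
public class ExternalRedirectServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // assumed allow-list of external targets, exact host match only
    private static final Set<String> ALLOWED_HOSTS = new HashSet<String>(
            Arrays.asList("www.java.net", "blog.eisele.net"));

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.sendRedirect(safeTarget(req.getParameter("url"), req.getContextPath()));
    }

    // Returns the candidate only if it is a path inside this application or
    // an https URL on an allow-listed host; otherwise the application root.
    static String safeTarget(String candidate, String contextPath) {
        String fallback = contextPath + "/";
        if (candidate == null) {
            return fallback;
        }
        String raw = candidate.trim();
        // CR/LF would split the Location header; browsers read a backslash
        // as a slash, so "/\evil.com" would slip past a leading-slash check.
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c < 0x20 || c == '\\') {
                return fallback;
            }
        }
        URI uri;
        try {
            uri = new URI(raw).normalize(); // folds "/app/../other" to "/other"
        } catch (URISyntaxException malformed) {
            return fallback;
        }
        if (uri.getScheme() == null) {
            // relative reference: "//evil.com/x" carries an authority and is
            // rejected; "/app/photos?id=7" must stay under the context path
            String path = uri.getPath();
            if (uri.getAuthority() == null && path != null
                    && path.startsWith(contextPath + "/")) {
                return uri.toString();
            }
            return fallback;
        }
        // absolute URL: https only (so "javascript:" and "data:" fail here),
        // no user-info ("https://www.java.net@evil.com" has host evil.com),
        // host on the allow-list ("www.java.net.evil.com" is not)
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return fallback;
        }
        if (uri.getUserInfo() != null || uri.getHost() == null) {
            return fallback;
        }
        String host = uri.getHost().toLowerCase(Locale.ENGLISH);
        return ALLOWED_HOSTS.contains(host) ? uri.toString() : fallback;
    }
}
```

For forwards the same validation applies to the target path, with the extra step from slide 55: because a RequestDispatcher forward is not re-checked against the security constraints, the code has to confirm with request.isUserInRole that the caller may see the forwarded-to resource before dispatching.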
  • 59. Security isn't all candy... but you will love it in the end!
  • 60. CC picture reference • http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/ • http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/ • http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/ • http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/ • http://www.flickr.com/photos/082007/7108942911/sizes/l/in/photostream/ • http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/ • http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/ • http://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/ • http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/ • http://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/