Secure by Default Web Applications with Apache Sling

A product that works is not done, as there are many facets to consider – availability, scalability, security. Of those, security is probably the most expensive to get wrong.
By analysing a simple web application built on top of Apache Sling and its threat model, we will review the main attack vectors and how they can be mitigated. You will see what the general approaches are and also how Apache Sling allows you to eliminate entire classes of vulnerabilities by using secure-by-default components. Although we will use Apache Sling for examples, previous knowledge of Sling or its components is not required.


Slide 1: Secure by Default Web Applications With Apache Sling
    Robert Munteanu, Adobe Systems
    Bucharest Technology Week 2016
    http://robert.muntea.nu @rombert

Slide 2: Who I am
    $DAYJOB: Adobe Experience Manager, Apache Sling, Apache Jackrabbit, Apache Felix
    Open Source: Apache Sling, MantisBT, Mylyn Connector for MantisBT, Mylyn Connector for Review Board

Slides 3-5: Purpose of the talk
    Scope, Cost, Schedule

Slide 6: Agenda
    ● Apache Sling
    ● Demo application review
    ● Threat model
    ● Security with Apache Sling
    ● Demo
    ● Conclusion
    ● Q&A

Slide 7: Apache Sling – Brief History
    200x Pre-Apache
    2007 Incubation
    2009 TLP
    2015 Version 8

Slide 8: Apache Sling – Code Statistics

Slide 9: Apache Sling – Contributor activity

Slide 10: Apache Sling – Value proposition
    ● Content-oriented
    ● RESTful
    ● Lightweight
    ● Integrated authentication and authorization
    ● OSGi-powered
    ● Scripting inside
    ● Easily deployable

Slide 11: Apache Sling – Content-Oriented
    Blog posts, Images, Users and Groups

Slide 12: Apache Sling – Content-Oriented
    Server-side templates and scripts, Configurations

Slide 13: Apache Sling – RESTful
    $ http localhost:8080/content/blog/posts/hello_world.html
    Other extensions shown for the same resource: json, xml, txt, pdf, php3

Slide 14: Apache Sling – RESTful

Slide 15: Apache Sling – Persistence via JCR

Slide 16: Apache Sling – Topologies
    Standalone, High Availability

Slide 17: Agenda (repeated from slide 6)

Slide 18: Demo App – main page

Slide 19: Demo App – Article Page

Slide 20: Demo App – Submitting comments

Slide 21: Agenda (repeated from slide 6)

Slide 22: Threat modelling
    "Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application"
    Threat Modeling Web Applications on MSDN

Slide 23: Threat Modelling - Assets

Slide 24: Threat Modelling - Assets
    ● Availability
    ● Content
    ● User Credentials
    ● Ability to execute code on server
    ● Ability to execute code in the browser context

Slide 25: Threat Modelling - Trust Levels

Slide 26: Threat Modelling - Trust Levels
    1. Anonymous
    2. Author
    3. Administrator

Slide 27: Threat Modelling - Threats
    OWASP

Slide 28: Threat Modelling - Threats
    1. Denial of Service
    2. Defacement / Deletion
    3. Leaking credentials
    4. SQL/Shell Injection
    5. Stored/Reflected XSS

Slide 29: Threat Modelling - Mitigation

Slide 30: Agenda (repeated from slide 6)

Slide 31: Apache Sling Security – Natural layering of ACEs (access control entries)

Slide 32: Apache Sling Security – Security applied at the lowest level
    $ http --auth bob:bob localhost:8080/content/blog/posts/new_blog_post 'jcr:title=New post'
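The layering on slides 31 and 32 can be written down as JCR access control entries. The following is an added example, not code from the talk or from the Sling project: it uses the AccessControlUtils helper from jackrabbit-jcr-commons and assumes an administrative Session on a Jackrabbit/Oak repository, a group named "authors" that the user bob belongs to (an assumption; the talk only shows bob), and the demo application's /content/blog tree. The point of the slide is that nothing above the repository has to re-check these rules: a write the entries do not allow fails in Session.save() whichever servlet or script the request went through.

```java
package example; // hypothetical package

import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;

public final class BlogAcl {

    private BlogAcl() {}

    /**
     * Installs the two layers: everyone may read the blog tree, only the
     * (assumed) "authors" group may create posts. No entry grants write on
     * /content/blog/comments to anonymous here; the comment form from slide 20
     * would need its own, narrower entry on that subtree.
     */
    public static void install(Session admin) throws RepositoryException {
        Node blog = admin.getNode("/content/blog");
        AccessControlUtils.allow(blog, "everyone", Privilege.JCR_READ);

        Node posts = admin.getNode("/content/blog/posts");
        // jcr:write covers add/remove/modify; jcr:nodeTypeManagement is also
        // required because createPost() below adds a node with an explicit type
        AccessControlUtils.allow(posts, "authors",
                Privilege.JCR_WRITE, Privilege.JCR_NODE_TYPE_MANAGEMENT);
        admin.save();
    }

    /** What the HTTPie call on slide 32 boils down to once it reaches the repository. */
    public static String createPost(Session user, String name, String title)
            throws RepositoryException {
        // PathNotFoundException if the session cannot even read the parent
        Node posts = user.getNode("/content/blog/posts");
        Node post = posts.addNode(name, "nt:unstructured");
        post.setProperty("jcr:title", title);
        // AccessDeniedException here for a session that lacks the entries above,
        // regardless of how the request arrived
        user.save();
        return post.getPath();
    }

    /** Cheap pre-check a UI can use to hide the form; not a substitute for the ACL. */
    public static boolean mayCreatePost(Session user) throws RepositoryException {
        return user.hasPermission("/content/blog/posts/new_blog_post", Session.ACTION_ADD_NODE);
    }
}
```

Run install() once with an admin session, then createPost() with bob's session succeeds while the same call with an anonymous session throws on save(); mayCreatePost() lets a template decide whether to render the form at all, which is a usability choice, not the security boundary.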
Slide 33: Apache Sling Security – Context-aware templating language
    <div class="comment clearfix">
      <img class="avatar img-rounded pull-left" src="${resource.valueMap['authorAvatar']}"/>
      <h3>${resource.valueMap['jcr:title']}</h3>
      <p>${resource.valueMap['jcr:description']}</p>
    </div>
Slide 34: Apache Sling Security – Injection-safe APIs
    Children of /content/blog/posts

Slide 35: Apache Sling Security – Injection-safe APIs
    Children of /content/blog/comments/hello_world
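Slides 34 and 35 list posts and comments as children of a node, which needs no query language at all and therefore has no injection surface. The following added example (not code from the talk or from the Sling project) shows that resource-API form, and beside it the case where a search is genuinely needed: the string-concatenated JCR-SQL2 statement that the "SQL injection" threat on slide 28 refers to, next to the bind-variable form that removes it. It assumes a Sling ResourceResolver/JCR Session and a hypothetical "author" property on comment nodes; the property is not on the slides.

```java
package example; // hypothetical package

import java.util.ArrayList;
import java.util.List;

import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;

import org.apache.sling.api.resource.Resource;

public final class CommentLookup {

    private CommentLookup() {}

    /**
     * Slides 34/35: a parent/child relation is walked, not queried. The post
     * comes from the resolved request resource rather than from a string the
     * caller assembled, and getChildren() only yields nodes the session may
     * read, so the ACL from the previous slides applies here too.
     */
    public static List<String> childComments(Resource post) {
        List<String> paths = new ArrayList<>();
        for (Resource comment : post.getChildren()) {
            paths.add(comment.getPath());
        }
        return paths;
    }

    /**
     * Anti-pattern, kept only for contrast and never executed here: the author
     * name is spliced into the statement, so a quote inside it ends the
     * literal and whatever follows is parsed as JCR-SQL2.
     */
    public static String unsafeStatement(String author) {
        return "SELECT * FROM [nt:unstructured] AS c"
             + " WHERE ISDESCENDANTNODE(c, '/content/blog/comments')"
             + " AND c.[author] = '" + author + "'";   // hypothetical property
    }

    /**
     * When a search is genuinely needed: the same query with a bind variable.
     * The value reaches the query engine as data, so it cannot alter the statement.
     */
    public static List<String> commentsByAuthor(Session session, String author)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        Query query = qm.createQuery(
                "SELECT * FROM [nt:unstructured] AS c"
              + " WHERE ISDESCENDANTNODE(c, '/content/blog/comments')"
              + " AND c.[author] = $author", Query.JCR_SQL2);   // hypothetical property
        query.bindValue("author", session.getValueFactory().createValue(author));
        List<String> paths = new ArrayList<>();
        for (NodeIterator it = query.execute().getNodes(); it.hasNext();) {
            paths.add(it.nextNode().getPath());
        }
        return paths;
    }
}
```

A code review rule that follows from this: a query string built with `+` and a request parameter is a finding; a query with `$name` placeholders and bindValue() is not, and for the common parent/child cases of slides 34 and 35 the absence of any query is the best outcome.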
Slide 36: Agenda (repeated from slide 6)

Slide 37: Demo Application – Actual demo!!!!1oneone

Slide 38: Conclusions – Security
    ● Aim to be "Secure by Default"
    ● Build a threat model for your application
    ● Look for components that eliminate problems altogether

Slide 39: Conclusions – Apache Sling
    ● Simple to be "Secure by Default"
    ● Eventing, Thread Pooling, Job Management, Caching
    ● Scripting: Groovy, Scala, JSP, Sightly, Java, Ruby, Thymeleaf
    ● Flexible resource rendering with resource types
    ● Very extensible due to being internally powered by OSGi – most extension points available to clients

Slide 40: Resources
    ● Apache Sling – https://sling.apache.org
    ● Apache Jackrabbit
      ● https://jackrabbit.apache.org
      ● http://jackrabbit.apache.org/oak/
    ● OWASP - https://www.owasp.org
      ● https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
      ● https://www.owasp.org/index.php/Application_Threat_Modeling
