Matt Raible, profile picture
Uploaded byMatt Raible
215 views

10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020

The document outlines ten effective strategies for securing Spring Boot applications. Key recommendations include using HTTPS, scanning for vulnerable dependencies, enabling CSRF protection, implementing content security policies, using OpenID Connect for authentication, and ensuring secure password hashing. Additional tips involve maintaining up-to-date libraries, securely storing secrets, testing with OWASP's ZAP tool, and conducting thorough code reviews.

Software
Related topics:
Web Security Overview

Embed presentation

Downloaded 15 times
Brian Demers and Matt Raible 10 Excellent Ways to Secure Spring Boot Apps @briandemers | @mraible ��
10 Excellent Ways... https://bit.ly/secure-spring-boot
1. Use HTTPS
Use HTTPS Everywhere! 6 Let’s Encrypt offers free HTTPS certificates certbot can be used to generate certificates mkcert can be used to create localhost certificates Spring Boot Starter ACME for automating certificates
howhttps.works
@Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); } }
@Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel() .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null) .requiresSecure(); } }
2. Scan Dependencies
Java Struts 2 RCE Vulnerability CVE 2017-5638 Source: SecurityIntelligence.com
Your App
Your App Your Code
Serverless Example: Fetch file & store in S3 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3
Serverless Example: Fetch file & store in S3 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code 2 Direct dependencies https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
Serverless Example: Fetch file & store in S3 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code 2 Direct dependencies 19 dependencies (incl. indirect) https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
Serverless Example: Fetch file & store in S3 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code 2 Direct dependencies 19 dependencies (incl. indirect) 191,155 Lines of Code 😱 https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
https://snyk.io/opensourcesecurity-2019
Demo
Matt's Life Hack: Don't fix your socks; fix your toes!
3. Upgrade Libraries
How well do you know your dependencies? 24 Dependencies Dependency Health Indirect Dependencies Regular Commits Regular Releases
Check for Updates with npm npm i -g npm-check-updates ncu https://www.npmjs.com/package/npm-check-updates
Check for Updates with Maven mvn versions:display-dependency-updates https://www.mojohaus.org/versions-maven-plugin
Check for Updates with Gradle gradle dependencyUpdates -Drevision=release https://github.com/ben-manes/gradle-versions-plugin
4. Enable CSRF
@EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse()); } }
Brian's Life Hack: Tennis Ball Storage
5. Use a CSP
Default Spring Security Headers Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block
@EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.headers() .contentSecurityPolicy("script-src 'self' " + "https://trustedscripts.example.com; " + "object-src https://trustedplugins.example.com; " + "report-uri /csp-report-endpoint/"); } }
https://securityheaders.com
https://developer.okta.com/blog/2019/04/11/site-security-cloudflare-netlify
Brian's Life Hack Laptop Charger Snack-Warmer
6. Use OIDC for Auth
OIDC Authorization Code Flow
Spring Security OIDC Configuration spring: security: oauth2: client: registration: okta: client-id: {clientId} client-secret: {clientSecret} provider: okta: issuer-uri: https://{yourOktaDomain}/oauth2/default
OIDC Authentication Demo @Grab('spring-boot-starter-oauth2-client') @RestController class Application { @GetMapping('/') String home(java.security.Principal user) { 'Hello ' + user.name } }
Want less code? Use Okta! okta: oauth2: issuer: https://{yourOktaDomain}/oauth2/default client-id: {yourClientId} client-secret: {yourClientSecret} <dependency> <groupId>com.okta.spring</groupId> <artifactId>okta-spring-boot-starter</artifactId> <version>1.3.0</version> </dependency>
Works with Spring WebFlux https://developer.okta.com/blog/2018/11/26/spring-boot-2-dot-1-oidc-oauth2-reactive-apis
And JHipster! 🎉 https://developer.okta.com/blog/2019/04/04/java-11-java-12-jhipster-oidc
7. Hash Passwords
One-way Function hash("TSD") =3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 unhash("3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3") = ???
Deterministic hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
It should not be predictable hash("TSD0") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD1") = 98eadd540e6c0579a1bcbe375c8d1ae2863beacdfb9af803e5f4d6dd1f8926c2 hash("TSD2") = 665ec59d7fb01f6070622780e744040239f0aaa993eae1d088bc4f0137d270ef hash("TSD3") = 7ae89eb10a765ec2459bee59ed1d3ed97dbb9f31ec5c7bd13d19380bc39f5288
One-to-one mapping hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("123") != 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
Hashed Passwords in Spring @Bean public PasswordEncoder passwordEncoder() { return new SCryptPasswordEncoder(); }
Hashed Passwords in Spring @Autowired private PasswordEncoder passwordEncoder; public String hashPassword(String password) { return passwordEncoder.encode(password); }
Matt's Life Hack: Clean hard-to-reach places with 🐓
8. Use Secure Secrets
https://github.com/awslabs/git-secrets
Spring Vault <dependencies> <dependency> <groupId>org.springframework.vault</groupId> <artifactId>spring-vault-core</artifactId> <version>2.2.0.RELEASE</version> </dependency> </dependencies>
Spring Vault @Value("${password}") char[] password;
Why char[] instead of String for password? Strings are immutable, can't wipe data String passwords can be accidentally printed https://www.baeldung.com/java-storing-passwords Printing String password -> password Printing char[] password -> [C@6e8cf4c6
9. Test with ZAP
OWASP Zed Attack Proxy Two approaches: Spider and Active Scan Spider starts with a seed of URLs Active Scan records a session then plays it back, scanning for known vulnerabilities
Learn More About ZAP Homepage https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project GitHub https://github.com/zaproxy/zaproxy Twitter @zaproxy
10. Security Reviews
Code Review Topics 1. Identify and validate any third party input 2. Never store credentials as code/config 3. Test for new security vulnerabilities in third-party open source dependencies. 4. Authenticate inbound requests 5. Enforce the least privilege principle 6. Prefer whitelist over blacklist 7. Handle sensitive data with care 8. Do not allow back doors in your code 9. Protect against well-known attacks 10. Statically test your source code on every PR, automatically
10 Excellent Ways to Secure Spring Boot 1. Use HTTPS 2. Scan dependencies 3. Dependencies up-to-date 4. Enable CSRF protection 5. Use a Content Security Policy 6. Use OIDC 7. Hash passwords 8. Store secrets securely 9. Test with OWASP's ZAP 10. Code review with experts ��
https://snyk.io/blog/spring-boot-security-best-practices
Life Hack: Use a toilet seat for a 👌 TV dinner setup
Questions? 69 Keep in Touch! @mraible @briandemers Presentation speakerdeck.com/mraible Code github.com/oktadeveloper

More Related Content

PDF
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
byMatt Raible
 
PDF
Apache Roller, Acegi Security and Single Sign-on
byMatt Raible
 
PDF
Java Web Application Security - UberConf 2011
byMatt Raible
 
PDF
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
byMatt Raible
 
PDF
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
byMatt Raible
 
PDF
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
byVMware Hyperic
 
PDF
Web App Security for Java Developers - PWX 2021
byMatt Raible
 
PDF
Web App Security for Java Developers - UberConf 2021
byMatt Raible
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
byMatt Raible
 
Apache Roller, Acegi Security and Single Sign-on
byMatt Raible
 
Java Web Application Security - UberConf 2011
byMatt Raible
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
byMatt Raible
 
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
byMatt Raible
 
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
byVMware Hyperic
 
Web App Security for Java Developers - PWX 2021
byMatt Raible
 
Web App Security for Java Developers - UberConf 2021
byMatt Raible
 

What's hot

PDF
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
byMatt Raible
 
PDF
Java Web Application Security - Jazoon 2011
byMatt Raible
 
PDF
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
byArun Gupta
 
PDF
Use Angular Schematics to Simplify Your Life - Develop Denver 2019
byMatt Raible
 
PDF
Bootiful Development with Spring Boot and React - UberConf 2018
byMatt Raible
 
PDF
Front End Development for Back End Java Developers - Jfokus 2020
byMatt Raible
 
PDF
Java REST API Framework Comparison - PWX 2021
byMatt Raible
 
PDF
What's New in Spring 3.1
byMatt Raible
 
PDF
JAX-RS JavaOne Hyderabad, India 2011
byShreedhar Ganapathy
 
PDF
Spark IT 2011 - Developing RESTful Web services with JAX-RS
byArun Gupta
 
PDF
Hybrid Apps (Native + Web) via QtWebKit
byAriya Hidayat
 
PDF
Seven Simple Reasons to Use AppFuse
byMatt Raible
 
PDF
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
byMatt Raible
 
PDF
Clojure Web Development
byHong Jiang
 
PDF
Spark IT 2011 - Java EE 6 Workshop
byArun Gupta
 
PDF
Front End Development for Backend Developers - GIDS 2019
byMatt Raible
 
PDF
How to Win at UI Development in the World of Microservices - THAT Conference ...
byMatt Raible
 
PDF
A Gentle Introduction to Angular Schematics - Angular SF 2019
byMatt Raible
 
PPT
Os Johnson
byoscon2007
 
PDF
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
byMatt Raible
 
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019
byMatt Raible
 
Java Web Application Security - Jazoon 2011
byMatt Raible
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
byArun Gupta
 
Use Angular Schematics to Simplify Your Life - Develop Denver 2019
byMatt Raible
 
Bootiful Development with Spring Boot and React - UberConf 2018
byMatt Raible
 
Front End Development for Back End Java Developers - Jfokus 2020
byMatt Raible
 
Java REST API Framework Comparison - PWX 2021
byMatt Raible
 
What's New in Spring 3.1
byMatt Raible
 
JAX-RS JavaOne Hyderabad, India 2011
byShreedhar Ganapathy
 
Spark IT 2011 - Developing RESTful Web services with JAX-RS
byArun Gupta
 
Hybrid Apps (Native + Web) via QtWebKit
byAriya Hidayat
 
Seven Simple Reasons to Use AppFuse
byMatt Raible
 
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
byMatt Raible
 
Clojure Web Development
byHong Jiang
 
Spark IT 2011 - Java EE 6 Workshop
byArun Gupta
 
Front End Development for Backend Developers - GIDS 2019
byMatt Raible
 
How to Win at UI Development in the World of Microservices - THAT Conference ...
byMatt Raible
 
A Gentle Introduction to Angular Schematics - Angular SF 2019
byMatt Raible
 
Os Johnson
byoscon2007
 
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
byMatt Raible
 

Similar to 10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020

PDF
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019
byMatt Raible
 
PDF
Bootiful Development with Spring Boot and React - SpringOne 2017
byMatt Raible
 
PDF
Bootiful Development with Spring Boot and React - RWX 2017
byMatt Raible
 
PDF
spring-security-reference.pdf
byhorica9300
 
PDF
Bootiful Development with Spring Boot and React
byVMware Tanzu
 
PDF
Get Hip with JHipster - GIDS 2019
byMatt Raible
 
PDF
Bootiful Development with Spring Boot and React - Belfast JUG 2018
byMatt Raible
 
PDF
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...
byMatt Raible
 
PPT
Securing RESTful API
byMuhammad Zbeedat
 
PDF
Bootiful Development with Spring Boot and React - Richmond JUG 2018
byMatt Raible
 
PDF
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
byapidays
 
PDF
1000 ways to die in mobile oauth
byPriyanka Aash
 
PDF
Secured REST Microservices with Spring Cloud
byOrkhan Gasimov
 
PDF
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
byMatt Raible
 
PDF
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Switzerl...
byMatt Raible
 
PDF
Practical API Security - Midwest PHP 2018
byAdam Englander
 
PDF
Spring security jwt tutorial toptal
byjbsysatm
 
PDF
Bootiful Development with Spring Boot and React - Dublin JUG 2018
byMatt Raible
 
PDF
Microservices with Spring Boot
byJoshua Long
 
PPTX
Box Authentication Types
byJonathan LeBlanc
 
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Morocco 2019
byMatt Raible
 
Bootiful Development with Spring Boot and React - SpringOne 2017
byMatt Raible
 
Bootiful Development with Spring Boot and React - RWX 2017
byMatt Raible
 
spring-security-reference.pdf
byhorica9300
 
Bootiful Development with Spring Boot and React
byVMware Tanzu
 
Get Hip with JHipster - GIDS 2019
byMatt Raible
 
Bootiful Development with Spring Boot and React - Belfast JUG 2018
byMatt Raible
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Jforum S...
byMatt Raible
 
Securing RESTful API
byMuhammad Zbeedat
 
Bootiful Development with Spring Boot and React - Richmond JUG 2018
byMatt Raible
 
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
byapidays
 
1000 ways to die in mobile oauth
byPriyanka Aash
 
Secured REST Microservices with Spring Cloud
byOrkhan Gasimov
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
byMatt Raible
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Switzerl...
byMatt Raible
 
Practical API Security - Midwest PHP 2018
byAdam Englander
 
Spring security jwt tutorial toptal
byjbsysatm
 
Bootiful Development with Spring Boot and React - Dublin JUG 2018
byMatt Raible
 
Microservices with Spring Boot
byJoshua Long
 
Box Authentication Types
byJonathan LeBlanc
 

More from Matt Raible

PDF
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
byMatt Raible
 
PDF
Micro Frontends for Java Microservices - Belfast JUG 2022
byMatt Raible
 
PDF
Micro Frontends for Java Microservices - Dublin JUG 2022
byMatt Raible
 
PDF
Micro Frontends for Java Microservices - Cork JUG 2022
byMatt Raible
 
PDF
Comparing Native Java REST API Frameworks - Seattle JUG 2022
byMatt Raible
 
PDF
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
byMatt Raible
 
PDF
Comparing Native Java REST API Frameworks - Devoxx France 2022
byMatt Raible
 
PDF
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
byMatt Raible
 
PDF
Native Java with Spring Boot and JHipster - Garden State JUG 2021
byMatt Raible
 
PDF
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
byMatt Raible
 
PDF
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
byMatt Raible
 
PDF
Java REST API Framework Comparison - UberConf 2021
byMatt Raible
 
PDF
Native Java with Spring Boot and JHipster - SF JUG 2021
byMatt Raible
 
PDF
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
byMatt Raible
 
PDF
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
byMatt Raible
 
PDF
JHipster and Okta - JHipster Virtual Meetup December 2020
byMatt Raible
 
PDF
Security Patterns for Microservice Architectures - SpringOne 2020
byMatt Raible
 
PDF
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
byMatt Raible
 
PDF
Security Patterns for Microservice Architectures - London Java Community 2020
byMatt Raible
 
PDF
Mobile Development with Ionic, React Native, and JHipster - AllTheTalks 2020
byMatt Raible
 
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
byMatt Raible
 
Micro Frontends for Java Microservices - Belfast JUG 2022
byMatt Raible
 
Micro Frontends for Java Microservices - Dublin JUG 2022
byMatt Raible
 
Micro Frontends for Java Microservices - Cork JUG 2022
byMatt Raible
 
Comparing Native Java REST API Frameworks - Seattle JUG 2022
byMatt Raible
 
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
byMatt Raible
 
Comparing Native Java REST API Frameworks - Devoxx France 2022
byMatt Raible
 
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
byMatt Raible
 
Native Java with Spring Boot and JHipster - Garden State JUG 2021
byMatt Raible
 
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
byMatt Raible
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
byMatt Raible
 
Java REST API Framework Comparison - UberConf 2021
byMatt Raible
 
Native Java with Spring Boot and JHipster - SF JUG 2021
byMatt Raible
 
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
byMatt Raible
 
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
byMatt Raible
 
JHipster and Okta - JHipster Virtual Meetup December 2020
byMatt Raible
 
Security Patterns for Microservice Architectures - SpringOne 2020
byMatt Raible
 
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
byMatt Raible
 
Security Patterns for Microservice Architectures - London Java Community 2020
byMatt Raible
 
Mobile Development with Ionic, React Native, and JHipster - AllTheTalks 2020
byMatt Raible
 

Recently uploaded

PDF
Using Agentic RAG for Research - Demonstration of NotebookLM
byRathish Chandra Gatti,Ph.D
 
PDF
DSD-INT 2025 Latest Developments for HydroMT and wflow - Meshgi
byDeltares
 
PDF
TNG_Architecting Green Software - An Introduction_Nils-Oliver Linden&Alexande...
byQAware GmbH
 
PPTX
Privacy Preserving Detection of Sensitive Data Exposure (1).pptx
byNikitaMandhan4
 
PDF
Microservices-Final !!!!!!!!!!!!!!!!.pdf
bydoquangminh962004
 
PDF
From Experiment to Enterprise: Scaling AI Coding Assistants Across Engineerin...
byMaxim Salnikov
 
PDF
How Modern Custom Software is Revolutionizing Mortgage Lending Processes -Ma...
byMatellio
 
PDF
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
PDF
Jeremy Millul - An NYU Computer Science Graduate
byJeremy Millul
 
PDF
Virtual Study Circles Innovative Ways to Collaborate Online.pdf
byExplain Learning
 
PPTX
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
PDF
Revolutionising-SQL-Data-Modelling-with-SqlDBM.pdf
bySQL DBM
 
PPTX
SNG460-CNG489_Week6_3-7Nov25_Chp6-Part1.pptx
byberayseray382
 
PDF
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
PDF
DSD-INT 2025 Managing low flows in the International Meuse Basin with Nature-...
byDeltares
 
PDF
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
PPTX
SNG460-CNG489_Week8_17-21Nov25_Chp8-OdtuClass.pptx
byberayseray382
 
PPTX
Custom chat gpt integration services.pptx
byChetu
 
PPTX
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
PPTX
Road_Quality_Indicator using deeplearning algorithms and computer vision
byDHARUNPRASHOBMM
 
Using Agentic RAG for Research - Demonstration of NotebookLM
byRathish Chandra Gatti,Ph.D
 
DSD-INT 2025 Latest Developments for HydroMT and wflow - Meshgi
byDeltares
 
TNG_Architecting Green Software - An Introduction_Nils-Oliver Linden&Alexande...
byQAware GmbH
 
Privacy Preserving Detection of Sensitive Data Exposure (1).pptx
byNikitaMandhan4
 
Microservices-Final !!!!!!!!!!!!!!!!.pdf
bydoquangminh962004
 
From Experiment to Enterprise: Scaling AI Coding Assistants Across Engineerin...
byMaxim Salnikov
 
How Modern Custom Software is Revolutionizing Mortgage Lending Processes -Ma...
byMatellio
 
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
Jeremy Millul - An NYU Computer Science Graduate
byJeremy Millul
 
Virtual Study Circles Innovative Ways to Collaborate Online.pdf
byExplain Learning
 
Lecture 3 - Scheduling - Operating System
bynurulalomador
 
Revolutionising-SQL-Data-Modelling-with-SqlDBM.pdf
bySQL DBM
 
SNG460-CNG489_Week6_3-7Nov25_Chp6-Part1.pptx
byberayseray382
 
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
DSD-INT 2025 Managing low flows in the International Meuse Basin with Nature-...
byDeltares
 
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
SNG460-CNG489_Week8_17-21Nov25_Chp8-OdtuClass.pptx
byberayseray382
 
Custom chat gpt integration services.pptx
byChetu
 
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
Road_Quality_Indicator using deeplearning algorithms and computer vision
byDHARUNPRASHOBMM
 

10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020

  • 1.
    Brian Demers andMatt Raible 10 Excellent Ways to Secure Spring Boot Apps @briandemers | @mraible ��
  • 2.
  • 3.
  • 4.
    Use HTTPS Everywhere! 6 Let’sEncrypt offers free HTTPS certificates certbot can be used to generate certificates mkcert can be used to create localhost certificates Spring Boot Starter ACME for automating certificates
  • 5.
  • 6.
    @Configuration public class SecurityConfigurationextends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); } }
  • 7.
    @Configuration public class SecurityConfigurationextends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel() .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null) .requiresSecure(); } }
  • 8.
  • 10.
    Java Struts 2RCE Vulnerability CVE 2017-5638 Source: SecurityIntelligence.com
  • 11.
  • 12.
  • 13.
    Serverless Example: Fetchfile & store in S3 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3
  • 14.
    Serverless Example: Fetchfile & store in S3 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code 2 Direct dependencies https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
  • 15.
    Serverless Example: Fetchfile & store in S3 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code 2 Direct dependencies 19 dependencies (incl. indirect) https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
  • 16.
    Serverless Example: Fetchfile & store in S3 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code 2 Direct dependencies 19 dependencies (incl. indirect) 191,155 Lines of Code 😱 https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
  • 17.
  • 18.
  • 19.
    Matt's Life Hack:Don't fix your socks; fix your toes!
  • 20.
  • 22.
    How well doyou know your dependencies? 24 Dependencies Dependency Health Indirect Dependencies Regular Commits Regular Releases
  • 23.
    Check for Updateswith npm npm i -g npm-check-updates ncu https://www.npmjs.com/package/npm-check-updates
  • 24.
    Check for Updateswith Maven mvn versions:display-dependency-updates https://www.mojohaus.org/versions-maven-plugin
  • 25.
    Check for Updateswith Gradle gradle dependencyUpdates -Drevision=release https://github.com/ben-manes/gradle-versions-plugin
  • 26.
  • 27.
    @EnableWebSecurity public class SecurityConfigurationextends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse()); } }
  • 28.
  • 29.
  • 30.
    Default Spring SecurityHeaders Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block
  • 31.
    @EnableWebSecurity public class SecurityConfigurationextends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.headers() .contentSecurityPolicy("script-src 'self' " + "https://trustedscripts.example.com; " + "object-src https://trustedplugins.example.com; " + "report-uri /csp-report-endpoint/"); } }
  • 32.
  • 33.
  • 34.
    Brian's Life Hack LaptopCharger Snack-Warmer
  • 35.
    6. Use OIDCfor Auth
  • 36.
  • 37.
    Spring Security OIDCConfiguration spring: security: oauth2: client: registration: okta: client-id: {clientId} client-secret: {clientSecret} provider: okta: issuer-uri: https://{yourOktaDomain}/oauth2/default
  • 38.
    OIDC Authentication Demo @Grab('spring-boot-starter-oauth2-client') @RestController classApplication { @GetMapping('/') String home(java.security.Principal user) { 'Hello ' + user.name } }
  • 39.
    Want less code?Use Okta! okta: oauth2: issuer: https://{yourOktaDomain}/oauth2/default client-id: {yourClientId} client-secret: {yourClientSecret} <dependency> <groupId>com.okta.spring</groupId> <artifactId>okta-spring-boot-starter</artifactId> <version>1.3.0</version> </dependency>
  • 40.
    Works with SpringWebFlux https://developer.okta.com/blog/2018/11/26/spring-boot-2-dot-1-oidc-oauth2-reactive-apis
  • 41.
  • 42.
  • 43.
  • 44.
    Deterministic hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD")= 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
  • 45.
    It should notbe predictable hash("TSD0") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD1") = 98eadd540e6c0579a1bcbe375c8d1ae2863beacdfb9af803e5f4d6dd1f8926c2 hash("TSD2") = 665ec59d7fb01f6070622780e744040239f0aaa993eae1d088bc4f0137d270ef hash("TSD3") = 7ae89eb10a765ec2459bee59ed1d3ed97dbb9f31ec5c7bd13d19380bc39f5288
  • 46.
    One-to-one mapping hash("TSD") =3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("123") != 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
  • 47.
    Hashed Passwords inSpring @Bean public PasswordEncoder passwordEncoder() { return new SCryptPasswordEncoder(); }
  • 48.
    Hashed Passwords inSpring @Autowired private PasswordEncoder passwordEncoder; public String hashPassword(String password) { return passwordEncoder.encode(password); }
  • 49.
    Matt's Life Hack:Clean hard-to-reach places with 🐓
  • 50.
  • 52.
  • 53.
  • 54.
  • 55.
    Why char[] insteadof String for password? Strings are immutable, can't wipe data String passwords can be accidentally printed https://www.baeldung.com/java-storing-passwords Printing String password -> password Printing char[] password -> [C@6e8cf4c6
  • 56.
  • 57.
    OWASP Zed AttackProxy Two approaches: Spider and Active Scan Spider starts with a seed of URLs Active Scan records a session then plays it back, scanning for known vulnerabilities
  • 58.
    Learn More AboutZAP Homepage https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project GitHub https://github.com/zaproxy/zaproxy Twitter @zaproxy
  • 59.
  • 60.
    Code Review Topics 1.Identify and validate any third party input 2. Never store credentials as code/config 3. Test for new security vulnerabilities in third-party open source dependencies. 4. Authenticate inbound requests 5. Enforce the least privilege principle 6. Prefer whitelist over blacklist 7. Handle sensitive data with care 8. Do not allow back doors in your code 9. Protect against well-known attacks 10. Statically test your source code on every PR, automatically
  • 61.
    10 Excellent Waysto Secure Spring Boot 1. Use HTTPS 2. Scan dependencies 3. Dependencies up-to-date 4. Enable CSRF protection 5. Use a Content Security Policy 6. Use OIDC 7. Hash passwords 8. Store secrets securely 9. Test with OWASP's ZAP 10. Code review with experts ��
  • 62.
  • 64.
    Life Hack: Usea toilet seat for a 👌 TV dinner setup
  • 65.