SlideShare a Scribd company logo
Java Web Application Security

   Matt Raible
   http://raibledesigns.com
   @mraible

Photos by Trish - http://mcginityphoto.com   © 2013 Raible Designs
Who is Matt Raible?
                                              Father, Skier, Cyclist




                     Web Framework Connoisseur
Founder of AppFuse




  Blogger on raibledesigns.com
                      © 2013 Raible Designs
Why am I here?
Purpose
 To learn more about Java webapp security and
 transform myself into a security expert.
Goals
 Show how to implement Java webapp security.
 Show how to penetrate a Java webapp.
 Show how to fix vulnerabilities.


                     © 2013 Raible Designs
Why are you here?
For the free beer?
Because you care about
security?
Have you used Java EE 6,
Spring Security or Apache
Shiro?
What do you want to get
from this talk?


                     © 2013 Raible Designs
Session Agenda
Security Development
  Java EE 6, Spring Security, Apache Shiro
  SSL and Testing
Verifying Security
  OWASP Top 10 & Zed Attack Proxy
Commercial Tools and Services
Conclusion

  Develop        Penetrate                     Protect   Relax
                       © 2013 Raible Designs
Develop




          © 2013 Raible Designs
Dynamic Language Support?

If it deploys on Tomcat, it has a web.xml
  Grails
  JRuby on Rails
  Lift
  Play! Framework




                      © 2013 Raible Designs
Java EE 6
Security constraints defined in web.xml
  web resource collection - URLs and methods
  authorization constraints - role names
  user data constraint - HTTP or HTTPS
User Realm defined by App Server
Declarative or Programmatic Authentication
Annotations Support

                      © 2013 Raible Designs
Java EE 6 Demo
http://www.youtube.com/watch?v=8bXBGU7uo4o

                   © 2013 Raible Designs
Servlet 3.0
 HttpServletRequest
   authenticate(response)
   login(user, pass)
   logout()
   getRemoteUser()
   isUserInRole(name)


                        © 2013 Raible Designs
Servlet 3.0 and JSR 250
Annotations

  @ServletSecurity

  @HttpMethodConstraint

  @HttpConstraint

  @RolesAllowed

  @PermitAll

  @DenyAll



                      © 2013 Raible Designs
Java EE Security Limitations
 No error messages for
 failed logins
 No Remember Me
 Container has to be
 configured
 Doesn’t support
 regular expressions for
 URLs


                       © 2013 Raible Designs
Spring Security
 Filter defined in web.xml
 Separate security context file loaded by Spring
   Defines URLs, Roles and Authentication Providers
   Defines UserService (provided or custom)
 Password Encoding
 Remember Me


                       © 2013 Raible Designs
Spring Security Demo
http://www.youtube.com/watch?v=poc5dyImbig

                    © 2013 Raible Designs
Securing Methods
<global-method-security secured-annotations="enabled"/>

   @Secured("IS_AUTHENTICATED_ANONYMOUSLY")
   public Account readAccount(Long id);

   @Secured("IS_AUTHENTICATED_ANONYMOUSLY")
   public Account[] findAccounts();

   @Secured("ROLE_TELLER")
   public Account post(Account account, double amount);

<global-method-security jsr250-annotations="enabled"/>


                           © 2013 Raible Designs
Securing Methods 3.x
<global-method-security pre-post-annotations="enabled"/>

   @PreAuthorize("isAnonymous()")
   public Account readAccount(Long id);

   @PreAuthorize("isAnonymous()")
   public Account[] findAccounts();

   @PreAuthorize("hasAuthority('ROLE_TELLER')")
   public Account post(Account account, double amount);




                           © 2013 Raible Designs
Spring Security Limitations
 Authentication
 mechanism in WAR
 Securing methods only
 works on Spring beans
 My remember me
 example doesn’t work




                        © 2013 Raible Designs
Apache Shiro
Filter defined in web.xml
shiro.ini loaded from classpath
  [main], [urls], [roles]
Cryptography
Session Management




                            © 2013 Raible Designs
Apache Shiro Demo
http://www.youtube.com/watch?v=YJByiDvOhsc

                    © 2013 Raible Designs
Apache Shiro Limitations
Limited Documentation
Getting Roles via LDAP
not supported
No out-of-box support
for Kerberos
REST Support needs
work



                     © 2013 Raible Designs
Testing with SSL
Cargo doesn’t support http and
https at same time
Jetty and Tomcat plugins work
for both
Pass javax.net.ssl.trustStore &
javax.net.ssl.trustStorePassword
to maven-failsafe-plugin as
<systemPropertyVariables>



                      © 2013 Raible Designs
Ajax Login




http://raibledesigns.com/rd/entry/implementing_ajax_authentication_using_jquery

                                 © 2013 Raible Designs
Securing a REST API
Use Basic or Form
Authentication
Use Developer Keys
Use OAuth




                     © 2013 Raible Designs
OAuth




        © 2013 Raible Designs
REST Security and OAuth Demo
 http://raibledesigns.com/rd/entry/implementing_oauth_with_gwt
 http://raibledesigns.com/rd/entry/grails_oauth_and_linkedin_apis
                           © 2013 Raible Designs
Integrating OAuth with AppFuse and REST
http://raibledesigns.com/rd/entry/integrating_oauth_with_appfuse_and

                            © 2013 Raible Designs
REST Security Resources

Implementing REST Authentication
  http://www.objectpartners.com/2011/06/16/
  implementing-rest-authentication/
Swagger ApiAuthorizationFilter
  https://github.com/wordnik/swagger-core/tree/
  master/samples/java-jaxrs



                     © 2013 Raible Designs
REST Security Resources
Spring Security OAuth
- version 1.0.1
Spring Social
- version 1.0.2
  Facebook, Twitter,
  LinkedIn, TripIt, and
  GitHub Bindings



                          © 2013 Raible Designs
Penetrate
OWASP Testing Guide and Code Review Guide
OWASP Top 10
OWASP Zed Attack Proxy
Burp Suite
OWASP WebGoat




                   © 2013 Raible Designs
OWASP
The Open Web Application Security Project (OWASP) is
a worldwide not-for-profit charitable organization
focused on improving the security of software.
At OWASP you’ll find free and open ...
  Application security tools, complete books, standard
  security controls and libraries, cutting edge research
  http://www.owasp.org



                      © 2013 Raible Designs
Penetration Testing Demo




http://raibledesigns.com/rd/entry/java_web_application_security_part4
                             © 2013 Raible Designs
Fixing ZAP Vulnerabilities

<session-config>
    <session-timeout>15</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>


<form action="${ctx}/j_security_check" id="loginForm"
      method="post" autocomplete="off">




                        © 2013 Raible Designs
7 Security (Mis)Configurations
in web.xml
1. Error pages not configured
2. Authentication &
   Authorization Bypass
3. SSL Not Configured
4. Not Using the Secure Flag




  http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files

                                        © 2013 Raible Designs
7 Security (Mis)Configurations
5. Not Using the HttpOnly
   Flag
6. Using URL Parameters for
   Session Tracking
7. Not Setting a Session
   Timeout




  http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files

                                        © 2013 Raible Designs
OWASP Top 10 for 2010
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session
   Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)




                        © 2013 Raible Designs
OWASP Top 10 for 2010
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10.Unvalidated Redirects and Forwards




                        © 2013 Raible Designs
Protect
[SWAT] Checklist
Firewalls
IDS and IDPs
Audits
Penetration Tests
Code Reviews with Static
Analysis Tools


                    © 2013 Raible Designs
© 2013 Raible Designs
Firewalls
 Stateless Firewalls
 Stateful Firewalls
   Invented by Nir Zuk at
   Check Point in the mid-90s
 Web App Firewalls
   Inspired by the 1996 PHF
   CGI exploit
   WAF Market $234m in 2010

                       © 2013 Raible Designs
Gartner on Firewalls




            © 2013 Raible Designs
Content Security Policy

 An HTTP Header with whitelist of trusted content
 Bans inline <script> tags, inline event handlers and
 javascript: URLs
 No eval(), new Function(), setTimeout or setInterval
 Supported in Chrome 16+, Safari 6+, and Firefox 4+,
 and (very) limited in IE 10



                       © 2013 Raible Designs
Content Security Policy




            © 2013 Raible Designs
Relax
Web App Firewalls: Imperva, F5, Breach
  Open Source: WebNight and ModSecurity
Stateful Firewalls: Juniper, Check Point, Palo Alto
IDP/IDS: Sourcefire, TippingPoint
  Open Source: Snort
Audits: ENY, PWC, Grant Thornton
Pen Testing: WhiteHat, Trustwave, Electric Alchemy
  Open Source: OWASP ZAP
Static Analysis: Fortify, Veracode
                         © 2013 Raible Designs
Remember...
“Security is a quality, and as all other quality, it is
important that we build it into our apps while we are
developing them, not patching it on afterwards like
many people do.” -- Erlend Oftedal
From a comment on my blog: http://bit.ly/mjufjR




                       © 2013 Raible Designs
Action!
 Use OWASP and Open Source Security Frameworks
   Don’t be afraid to contribute!
 Follow the Security Street Fighter Blog
   http://software-security.sans.org/blog
 Use OWASP ZAP to pentest your apps
 Don’t be afraid of security!



                        © 2013 Raible Designs
Additional Reading

Securing a JavaScript-based Web Application
  http://eoftedal.github.com/WebRebels2012
Michal Zalewski’s “The Tangled Web”
  http://lcamtuf.coredump.cx/tangled




                     © 2013 Raible Designs
Additional Resources
OWASP Denver
  https://www.owasp.org/index.php/Denver
  Next Meeting: Wednesday, February 20, 6-8pm
Front Range OWASP Security Conference
  March 28 - 29 in Denver
David Campbell of Electric Alchemy
  http://www.electricalchemy.net

                     © 2013 Raible Designs
Questions?
Contact Information
  http://raibledesigns.com
  @mraible

My Presentations
  http://slideshare.net/mraible




                       © 2013 Raible Designs

More Related Content

What's hot

Get Hip with JHipster - Denver JUG 2015
Get Hip with JHipster - Denver JUG 2015Get Hip with JHipster - Denver JUG 2015
Get Hip with JHipster - Denver JUG 2015
Matt Raible
 
What's New in Spring 3.1
What's New in Spring 3.1What's New in Spring 3.1
What's New in Spring 3.1
Matt Raible
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Matt Raible
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
Matt Raible
 
Get Hip with JHipster - Colorado Springs OSS Meetup April 2016
Get Hip with JHipster - Colorado Springs OSS Meetup April 2016Get Hip with JHipster - Colorado Springs OSS Meetup April 2016
Get Hip with JHipster - Colorado Springs OSS Meetup April 2016
Matt Raible
 
Play Framework vs Grails Smackdown - JavaOne 2013
Play Framework vs Grails Smackdown - JavaOne 2013Play Framework vs Grails Smackdown - JavaOne 2013
Play Framework vs Grails Smackdown - JavaOne 2013
Matt Raible
 
The Art of AngularJS in 2015
The Art of AngularJS in 2015The Art of AngularJS in 2015
The Art of AngularJS in 2015
Matt Raible
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Matt Raible
 
Comparing JSF, Spring MVC, Stripes, Struts 2, Tapestry and Wicket
Comparing JSF, Spring MVC, Stripes, Struts 2, Tapestry and WicketComparing JSF, Spring MVC, Stripes, Struts 2, Tapestry and Wicket
Comparing JSF, Spring MVC, Stripes, Struts 2, Tapestry and Wicket
Matt Raible
 
Java Framework comparison
Java Framework comparisonJava Framework comparison
Java Framework comparison
SIB Visions GmbH
 
Choosing a Java Web Framework
Choosing a Java Web FrameworkChoosing a Java Web Framework
Choosing a Java Web Framework
Will Iverson
 
Front End Development for Backend Developers - GIDS 2019
Front End Development for Backend Developers - GIDS 2019Front End Development for Backend Developers - GIDS 2019
Front End Development for Backend Developers - GIDS 2019
Matt Raible
 
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
Matt Raible
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015
Matt Raible
 
Java Web Application Security - UberConf 2011
Java Web Application Security - UberConf 2011Java Web Application Security - UberConf 2011
Java Web Application Security - UberConf 2011
Matt Raible
 
A Gentle Introduction to Angular Schematics - Angular SF 2019
A Gentle Introduction to Angular Schematics - Angular SF 2019A Gentle Introduction to Angular Schematics - Angular SF 2019
A Gentle Introduction to Angular Schematics - Angular SF 2019
Matt Raible
 
Getting Started with Angular - Stormpath Webinar, January 2017
Getting Started with Angular - Stormpath Webinar, January 2017Getting Started with Angular - Stormpath Webinar, January 2017
Getting Started with Angular - Stormpath Webinar, January 2017
Matt Raible
 
The Art of Angular in 2016 - Devoxx UK 2016
The Art of Angular in 2016 - Devoxx UK 2016The Art of Angular in 2016 - Devoxx UK 2016
The Art of Angular in 2016 - Devoxx UK 2016
Matt Raible
 
Wrangling Large Scale Frontend Web Applications
Wrangling Large Scale Frontend Web ApplicationsWrangling Large Scale Frontend Web Applications
Wrangling Large Scale Frontend Web Applications
Ryan Roemer
 
The Art of Angular in 2016 - Devoxx France 2016
The Art of Angular in 2016 - Devoxx France 2016The Art of Angular in 2016 - Devoxx France 2016
The Art of Angular in 2016 - Devoxx France 2016
Matt Raible
 

What's hot (20)

Get Hip with JHipster - Denver JUG 2015
Get Hip with JHipster - Denver JUG 2015Get Hip with JHipster - Denver JUG 2015
Get Hip with JHipster - Denver JUG 2015
 
What's New in Spring 3.1
What's New in Spring 3.1What's New in Spring 3.1
What's New in Spring 3.1
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx France 2016
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Angular Summit 2015
 
Get Hip with JHipster - Colorado Springs OSS Meetup April 2016
Get Hip with JHipster - Colorado Springs OSS Meetup April 2016Get Hip with JHipster - Colorado Springs OSS Meetup April 2016
Get Hip with JHipster - Colorado Springs OSS Meetup April 2016
 
Play Framework vs Grails Smackdown - JavaOne 2013
Play Framework vs Grails Smackdown - JavaOne 2013Play Framework vs Grails Smackdown - JavaOne 2013
Play Framework vs Grails Smackdown - JavaOne 2013
 
The Art of AngularJS in 2015
The Art of AngularJS in 2015The Art of AngularJS in 2015
The Art of AngularJS in 2015
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
 
Comparing JSF, Spring MVC, Stripes, Struts 2, Tapestry and Wicket
Comparing JSF, Spring MVC, Stripes, Struts 2, Tapestry and WicketComparing JSF, Spring MVC, Stripes, Struts 2, Tapestry and Wicket
Comparing JSF, Spring MVC, Stripes, Struts 2, Tapestry and Wicket
 
Java Framework comparison
Java Framework comparisonJava Framework comparison
Java Framework comparison
 
Choosing a Java Web Framework
Choosing a Java Web FrameworkChoosing a Java Web Framework
Choosing a Java Web Framework
 
Front End Development for Backend Developers - GIDS 2019
Front End Development for Backend Developers - GIDS 2019Front End Development for Backend Developers - GIDS 2019
Front End Development for Backend Developers - GIDS 2019
 
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
A Gentle Introduction to Angular Schematics - Devoxx Belgium 2019
 
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - Devoxx 2015
 
Java Web Application Security - UberConf 2011
Java Web Application Security - UberConf 2011Java Web Application Security - UberConf 2011
Java Web Application Security - UberConf 2011
 
A Gentle Introduction to Angular Schematics - Angular SF 2019
A Gentle Introduction to Angular Schematics - Angular SF 2019A Gentle Introduction to Angular Schematics - Angular SF 2019
A Gentle Introduction to Angular Schematics - Angular SF 2019
 
Getting Started with Angular - Stormpath Webinar, January 2017
Getting Started with Angular - Stormpath Webinar, January 2017Getting Started with Angular - Stormpath Webinar, January 2017
Getting Started with Angular - Stormpath Webinar, January 2017
 
The Art of Angular in 2016 - Devoxx UK 2016
The Art of Angular in 2016 - Devoxx UK 2016The Art of Angular in 2016 - Devoxx UK 2016
The Art of Angular in 2016 - Devoxx UK 2016
 
Wrangling Large Scale Frontend Web Applications
Wrangling Large Scale Frontend Web ApplicationsWrangling Large Scale Frontend Web Applications
Wrangling Large Scale Frontend Web Applications
 
The Art of Angular in 2016 - Devoxx France 2016
The Art of Angular in 2016 - Devoxx France 2016The Art of Angular in 2016 - Devoxx France 2016
The Art of Angular in 2016 - Devoxx France 2016
 

Viewers also liked

Vb.net session 01
Vb.net session 01Vb.net session 01
Vb.net session 01
Niit Care
 
Wipro resume
Wipro resumeWipro resume
Wipro resume
Kapil Chaudhary
 
Rakesh G CV
Rakesh G CVRakesh G CV
Rakesh G CV
Rakesh G
 
Soumya Resume
Soumya ResumeSoumya Resume
Soumya Resume
Soumya Kurian
 
Curriculum_Vitae
Curriculum_VitaeCurriculum_Vitae
Curriculum_Vitae
Ajay Sharma
 
Presentation on mini dictionary using C language
Presentation on  mini dictionary using C languagePresentation on  mini dictionary using C language
Presentation on mini dictionary using C language
Priya Yadav
 
Resume
ResumeResume
Mumtaz_Resume
Mumtaz_ResumeMumtaz_Resume
Mumtaz_Resume
mumtaz ahmad
 
Resume
ResumeResume
Deepak Pareek - Profile
Deepak Pareek - ProfileDeepak Pareek - Profile
Deepak Pareek - Profile
Deepak Pareek
 
Resume akanksha srivastava
Resume akanksha srivastavaResume akanksha srivastava
Resume akanksha srivastava
Akanksha Srivastava
 
Resume - Kedar Deo (Oct 2016)
Resume - Kedar Deo (Oct 2016)Resume - Kedar Deo (Oct 2016)
Resume - Kedar Deo (Oct 2016)
Kedar Deo
 
Shilpa Resume
Shilpa ResumeShilpa Resume
Shilpa Resume
SHILPA ARORA
 
Xlrigmpbrochure2010
Xlrigmpbrochure2010Xlrigmpbrochure2010
Xlrigmpbrochure2010
dheeraj_bhasin
 
1 . Update Resume (in doc)- Ankit Jain
1 . Update Resume (in doc)- Ankit Jain1 . Update Resume (in doc)- Ankit Jain
1 . Update Resume (in doc)- Ankit Jain
Ankit Jain
 
Shadab Afroz
Shadab AfrozShadab Afroz
Shadab Afroz
Shadab Afroz
 
srinu_java_3.4year_experience
srinu_java_3.4year_experiencesrinu_java_3.4year_experience
srinu_java_3.4year_experience
srinuvasu keta
 
Resume
ResumeResume
Resume
Beena Gupta
 
JnanaPrakash
JnanaPrakashJnanaPrakash
JnanaPrakash
Jnana Prakash
 
Anjan CV
Anjan CVAnjan CV
Anjan CV
Anjan Banerjee
 

Viewers also liked (20)

Vb.net session 01
Vb.net session 01Vb.net session 01
Vb.net session 01
 
Wipro resume
Wipro resumeWipro resume
Wipro resume
 
Rakesh G CV
Rakesh G CVRakesh G CV
Rakesh G CV
 
Soumya Resume
Soumya ResumeSoumya Resume
Soumya Resume
 
Curriculum_Vitae
Curriculum_VitaeCurriculum_Vitae
Curriculum_Vitae
 
Presentation on mini dictionary using C language
Presentation on  mini dictionary using C languagePresentation on  mini dictionary using C language
Presentation on mini dictionary using C language
 
Resume
ResumeResume
Resume
 
Mumtaz_Resume
Mumtaz_ResumeMumtaz_Resume
Mumtaz_Resume
 
Resume
ResumeResume
Resume
 
Deepak Pareek - Profile
Deepak Pareek - ProfileDeepak Pareek - Profile
Deepak Pareek - Profile
 
Resume akanksha srivastava
Resume akanksha srivastavaResume akanksha srivastava
Resume akanksha srivastava
 
Resume - Kedar Deo (Oct 2016)
Resume - Kedar Deo (Oct 2016)Resume - Kedar Deo (Oct 2016)
Resume - Kedar Deo (Oct 2016)
 
Shilpa Resume
Shilpa ResumeShilpa Resume
Shilpa Resume
 
Xlrigmpbrochure2010
Xlrigmpbrochure2010Xlrigmpbrochure2010
Xlrigmpbrochure2010
 
1 . Update Resume (in doc)- Ankit Jain
1 . Update Resume (in doc)- Ankit Jain1 . Update Resume (in doc)- Ankit Jain
1 . Update Resume (in doc)- Ankit Jain
 
Shadab Afroz
Shadab AfrozShadab Afroz
Shadab Afroz
 
srinu_java_3.4year_experience
srinu_java_3.4year_experiencesrinu_java_3.4year_experience
srinu_java_3.4year_experience
 
Resume
ResumeResume
Resume
 
JnanaPrakash
JnanaPrakashJnanaPrakash
JnanaPrakash
 
Anjan CV
Anjan CVAnjan CV
Anjan CV
 

Similar to Java Web Application Security - Denver JUG 2013

Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011
Matt Raible
 
Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Finally, EE Security API JSR 375
Finally, EE Security API JSR 375
Alex Kosowski
 
Java2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the CloudJava2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the Cloud
Werner Keil
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Matt Raible
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
Puma Security, LLC
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
Jim Manico
 
The Modern Java Web Developer - Denver JUG 2013
The Modern Java Web Developer - Denver JUG 2013The Modern Java Web Developer - Denver JUG 2013
The Modern Java Web Developer - Denver JUG 2013
Matt Raible
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE
Magno Logan
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOps
CloudPassage
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
Prathan Phongthiproek
 
Java API for WebSocket 1.0: Java EE 7 and GlassFish
Java API for WebSocket 1.0: Java EE 7 and GlassFishJava API for WebSocket 1.0: Java EE 7 and GlassFish
Java API for WebSocket 1.0: Java EE 7 and GlassFish
Arun Gupta
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817   api management - enable your infrastructure for secure mobile and c...Con8817   api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...
OracleIDM
 
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
CA API Management
 
Django Tutorial | Django Web Development With Python | Django Training and Ce...
Django Tutorial | Django Web Development With Python | Django Training and Ce...Django Tutorial | Django Web Development With Python | Django Training and Ce...
Django Tutorial | Django Web Development With Python | Django Training and Ce...
Edureka!
 
WebSockets: um upgrade de comunicação no HTML5
WebSockets: um upgrade de comunicação no HTML5WebSockets: um upgrade de comunicação no HTML5
WebSockets: um upgrade de comunicação no HTML5
Bruno Borges
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101
Mario-Leander Reimer
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101
QAware GmbH
 
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentAzure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Roy Kim
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
Olivier DASINI
 

Similar to Java Web Application Security - Denver JUG 2013 (20)

Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011
 
Finally, EE Security API JSR 375
Finally, EE Security API JSR 375Finally, EE Security API JSR 375
Finally, EE Security API JSR 375
 
Java2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the CloudJava2Days - Security for JavaEE and the Cloud
Java2Days - Security for JavaEE and the Cloud
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
The Modern Java Web Developer - Denver JUG 2013
The Modern Java Web Developer - Denver JUG 2013The Modern Java Web Developer - Denver JUG 2013
The Modern Java Web Developer - Denver JUG 2013
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE
 
Integrating Security into DevOps
Integrating Security into DevOpsIntegrating Security into DevOps
Integrating Security into DevOps
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application ExploitationCyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
 
Java API for WebSocket 1.0: Java EE 7 and GlassFish
Java API for WebSocket 1.0: Java EE 7 and GlassFishJava API for WebSocket 1.0: Java EE 7 and GlassFish
Java API for WebSocket 1.0: Java EE 7 and GlassFish
 
Con8817 api management - enable your infrastructure for secure mobile and c...
Con8817   api management - enable your infrastructure for secure mobile and c...Con8817   api management - enable your infrastructure for secure mobile and c...
Con8817 api management - enable your infrastructure for secure mobile and c...
 
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
 
Django Tutorial | Django Web Development With Python | Django Training and Ce...
Django Tutorial | Django Web Development With Python | Django Training and Ce...Django Tutorial | Django Web Development With Python | Django Training and Ce...
Django Tutorial | Django Web Development With Python | Django Training and Ce...
 
WebSockets: um upgrade de comunicação no HTML5
WebSockets: um upgrade de comunicação no HTML5WebSockets: um upgrade de comunicação no HTML5
WebSockets: um upgrade de comunicação no HTML5
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101
 
Secure Architecture and Programming 101
Secure Architecture and Programming 101Secure Architecture and Programming 101
Secure Architecture and Programming 101
 
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentAzure Key Vault with a PaaS Architecture and ARM Template Deployment
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
 
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirementsMySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements
 

More from Matt Raible

Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
Matt Raible
 
Micro Frontends for Java Microservices - Belfast JUG 2022
Micro Frontends for Java Microservices - Belfast JUG 2022Micro Frontends for Java Microservices - Belfast JUG 2022
Micro Frontends for Java Microservices - Belfast JUG 2022
Matt Raible
 
Micro Frontends for Java Microservices - Dublin JUG 2022
Micro Frontends for Java Microservices - Dublin JUG 2022Micro Frontends for Java Microservices - Dublin JUG 2022
Micro Frontends for Java Microservices - Dublin JUG 2022
Matt Raible
 
Micro Frontends for Java Microservices - Cork JUG 2022
Micro Frontends for Java Microservices - Cork JUG 2022Micro Frontends for Java Microservices - Cork JUG 2022
Micro Frontends for Java Microservices - Cork JUG 2022
Matt Raible
 
Comparing Native Java REST API Frameworks - Seattle JUG 2022
Comparing Native Java REST API Frameworks - Seattle JUG 2022Comparing Native Java REST API Frameworks - Seattle JUG 2022
Comparing Native Java REST API Frameworks - Seattle JUG 2022
Matt Raible
 
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
Matt Raible
 
Comparing Native Java REST API Frameworks - Devoxx France 2022
Comparing Native Java REST API Frameworks - Devoxx France 2022Comparing Native Java REST API Frameworks - Devoxx France 2022
Comparing Native Java REST API Frameworks - Devoxx France 2022
Matt Raible
 
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
Matt Raible
 
Native Java with Spring Boot and JHipster - Garden State JUG 2021
Native Java with Spring Boot and JHipster - Garden State JUG 2021Native Java with Spring Boot and JHipster - Garden State JUG 2021
Native Java with Spring Boot and JHipster - Garden State JUG 2021
Matt Raible
 
Java REST API Framework Comparison - PWX 2021
Java REST API Framework Comparison - PWX 2021Java REST API Framework Comparison - PWX 2021
Java REST API Framework Comparison - PWX 2021
Matt Raible
 
Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021
Matt Raible
 
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
Matt Raible
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Matt Raible
 
Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021
Matt Raible
 
Java REST API Framework Comparison - UberConf 2021
Java REST API Framework Comparison - UberConf 2021Java REST API Framework Comparison - UberConf 2021
Java REST API Framework Comparison - UberConf 2021
Matt Raible
 
Native Java with Spring Boot and JHipster - SF JUG 2021
Native Java with Spring Boot and JHipster - SF JUG 2021Native Java with Spring Boot and JHipster - SF JUG 2021
Native Java with Spring Boot and JHipster - SF JUG 2021
Matt Raible
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Matt Raible
 
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
Matt Raible
 
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
Get Hip with JHipster - Colorado Springs Open Source User Group 2021Get Hip with JHipster - Colorado Springs Open Source User Group 2021
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
Matt Raible
 
JHipster and Okta - JHipster Virtual Meetup December 2020
JHipster and Okta - JHipster Virtual Meetup December 2020JHipster and Okta - JHipster Virtual Meetup December 2020
JHipster and Okta - JHipster Virtual Meetup December 2020
Matt Raible
 

More from Matt Raible (20)

Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
 
Micro Frontends for Java Microservices - Belfast JUG 2022
Micro Frontends for Java Microservices - Belfast JUG 2022Micro Frontends for Java Microservices - Belfast JUG 2022
Micro Frontends for Java Microservices - Belfast JUG 2022
 
Micro Frontends for Java Microservices - Dublin JUG 2022
Micro Frontends for Java Microservices - Dublin JUG 2022Micro Frontends for Java Microservices - Dublin JUG 2022
Micro Frontends for Java Microservices - Dublin JUG 2022
 
Micro Frontends for Java Microservices - Cork JUG 2022
Micro Frontends for Java Microservices - Cork JUG 2022Micro Frontends for Java Microservices - Cork JUG 2022
Micro Frontends for Java Microservices - Cork JUG 2022
 
Comparing Native Java REST API Frameworks - Seattle JUG 2022
Comparing Native Java REST API Frameworks - Seattle JUG 2022Comparing Native Java REST API Frameworks - Seattle JUG 2022
Comparing Native Java REST API Frameworks - Seattle JUG 2022
 
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
 
Comparing Native Java REST API Frameworks - Devoxx France 2022
Comparing Native Java REST API Frameworks - Devoxx France 2022Comparing Native Java REST API Frameworks - Devoxx France 2022
Comparing Native Java REST API Frameworks - Devoxx France 2022
 
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
 
Native Java with Spring Boot and JHipster - Garden State JUG 2021
Native Java with Spring Boot and JHipster - Garden State JUG 2021Native Java with Spring Boot and JHipster - Garden State JUG 2021
Native Java with Spring Boot and JHipster - Garden State JUG 2021
 
Java REST API Framework Comparison - PWX 2021
Java REST API Framework Comparison - PWX 2021Java REST API Framework Comparison - PWX 2021
Java REST API Framework Comparison - PWX 2021
 
Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021Web App Security for Java Developers - PWX 2021
Web App Security for Java Developers - PWX 2021
 
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
 
Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021Web App Security for Java Developers - UberConf 2021
Web App Security for Java Developers - UberConf 2021
 
Java REST API Framework Comparison - UberConf 2021
Java REST API Framework Comparison - UberConf 2021Java REST API Framework Comparison - UberConf 2021
Java REST API Framework Comparison - UberConf 2021
 
Native Java with Spring Boot and JHipster - SF JUG 2021
Native Java with Spring Boot and JHipster - SF JUG 2021Native Java with Spring Boot and JHipster - SF JUG 2021
Native Java with Spring Boot and JHipster - SF JUG 2021
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
 
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
 
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
Get Hip with JHipster - Colorado Springs Open Source User Group 2021Get Hip with JHipster - Colorado Springs Open Source User Group 2021
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
 
JHipster and Okta - JHipster Virtual Meetup December 2020
JHipster and Okta - JHipster Virtual Meetup December 2020JHipster and Okta - JHipster Virtual Meetup December 2020
JHipster and Okta - JHipster Virtual Meetup December 2020
 

Recently uploaded

Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
Claudio Di Ciccio
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 

Recently uploaded (20)

Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 

Java Web Application Security - Denver JUG 2013

  • 1. Java Web Application Security Matt Raible http://raibledesigns.com @mraible Photos by Trish - http://mcginityphoto.com © 2013 Raible Designs
  • 2. Who is Matt Raible? Father, Skier, Cyclist Web Framework Connoisseur Founder of AppFuse Blogger on raibledesigns.com © 2013 Raible Designs
  • 3. Why am I here? Purpose To learn more about Java webapp security and transform myself into a security expert. Goals Show how to implement Java webapp security. Show how to penetrate a Java webapp. Show how to fix vulnerabilities. © 2013 Raible Designs
  • 4. Why are you here? For the free beer? Because you care about security? Have you used Java EE 6, Spring Security or Apache Shiro? What do you want to get from this talk? © 2013 Raible Designs
  • 5. Session Agenda Security Development Java EE 6, Spring Security, Apache Shiro SSL and Testing Verifying Security OWASP Top 10 & Zed Attack Proxy Commercial Tools and Services Conclusion Develop Penetrate Protect Relax © 2013 Raible Designs
  • 6. Develop © 2013 Raible Designs
  • 7. Dynamic Language Support? If it deploys on Tomcat, it has a web.xml Grails JRuby on Rails Lift Play! Framework © 2013 Raible Designs
  • 8. Java EE 6 Security constraints defined in web.xml web resource collection - URLs and methods authorization constraints - role names user data constraint - HTTP or HTTPS User Realm defined by App Server Declarative or Programmatic Authentication Annotations Support © 2013 Raible Designs
  • 9. Java EE 6 Demo http://www.youtube.com/watch?v=8bXBGU7uo4o © 2013 Raible Designs
  • 10. Servlet 3.0 HttpServletRequest authenticate(response) login(user, pass) logout() getRemoteUser() isUserInRole(name) © 2013 Raible Designs
  • 11. Servlet 3.0 and JSR 250 Annotations @ServletSecurity @HttpMethodConstraint @HttpConstraint @RolesAllowed @PermitAll @DenyAll © 2013 Raible Designs
  • 12. Java EE Security Limitations No error messages for failed logins No Remember Me Container has to be configured Doesn’t support regular expressions for URLs © 2013 Raible Designs
  • 13. Spring Security Filter defined in web.xml Separate security context file loaded by Spring Defines URLs, Roles and Authentication Providers Defines UserService (provided or custom) Password Encoding Remember Me © 2013 Raible Designs
  • 15. Securing Methods <global-method-security secured-annotations="enabled"/> @Secured("IS_AUTHENTICATED_ANONYMOUSLY") public Account readAccount(Long id); @Secured("IS_AUTHENTICATED_ANONYMOUSLY") public Account[] findAccounts(); @Secured("ROLE_TELLER") public Account post(Account account, double amount); <global-method-security jsr250-annotations="enabled"/> © 2013 Raible Designs
  • 16. Securing Methods 3.x <global-method-security pre-post-annotations="enabled"/> @PreAuthorize("isAnonymous()") public Account readAccount(Long id); @PreAuthorize("isAnonymous()") public Account[] findAccounts(); @PreAuthorize("hasAuthority('ROLE_TELLER')") public Account post(Account account, double amount); © 2013 Raible Designs
  • 17. Spring Security Limitations Authentication mechanism in WAR Securing methods only works on Spring beans My remember me example doesn’t work © 2013 Raible Designs
  • 18. Apache Shiro Filter defined in web.xml shiro.ini loaded from classpath [main], [urls], [roles] Cryptography Session Management © 2013 Raible Designs
  • 20. Apache Shiro Limitations Limited Documentation Getting Roles via LDAP not supported No out-of-box support for Kerberos REST Support needs work © 2013 Raible Designs
  • 21. Testing with SSL Cargo doesn’t support http and https at same time Jetty and Tomcat plugins work for both Pass javax.net.ssl.trustStore & javax.net.ssl.trustStorePassword to maven-failsafe-plugin as <systemPropertyVariables> © 2013 Raible Designs
  • 23. Securing a REST API Use Basic or Form Authentication Use Developer Keys Use OAuth © 2013 Raible Designs
  • 24. OAuth © 2013 Raible Designs
  • 25. REST Security and OAuth Demo http://raibledesigns.com/rd/entry/implementing_oauth_with_gwt http://raibledesigns.com/rd/entry/grails_oauth_and_linkedin_apis © 2013 Raible Designs
  • 26. Integrating OAuth with AppFuse and REST http://raibledesigns.com/rd/entry/integrating_oauth_with_appfuse_and © 2013 Raible Designs
  • 27. REST Security Resources Implementing REST Authentication http://www.objectpartners.com/2011/06/16/ implementing-rest-authentication/ Swagger ApiAuthorizationFilter https://github.com/wordnik/swagger-core/tree/ master/samples/java-jaxrs © 2013 Raible Designs
  • 28. REST Security Resources Spring Security OAuth - version 1.0.1 Spring Social - version 1.0.2 Facebook, Twitter, LinkedIn, TripIt, and GitHub Bindings © 2013 Raible Designs
  • 29. Penetrate OWASP Testing Guide and Code Review Guide OWASP Top 10 OWASP Zed Attack Proxy Burp Suite OWASP WebGoat © 2013 Raible Designs
  • 30. OWASP The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. At OWASP you’ll find free and open ... Application security tools, complete books, standard security controls and libraries, cutting edge research http://www.owasp.org © 2013 Raible Designs
  • 32. Fixing ZAP Vulnerabilities <session-config> <session-timeout>15</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> <tracking-mode>COOKIE</tracking-mode> </session-config> <form action="${ctx}/j_security_check" id="loginForm" method="post" autocomplete="off"> © 2013 Raible Designs
  • 33. 7 Security (Mis)Configurations in web.xml 1. Error pages not configured 2. Authentication & Authorization Bypass 3. SSL Not Configured 4. Not Using the Secure Flag http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files © 2013 Raible Designs
  • 34. 7 Security (Mis)Configurations 5. Not Using the HttpOnly Flag 6. Using URL Parameters for Session Tracking 7. Not Setting a Session Timeout http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files © 2013 Raible Designs
  • 35. OWASP Top 10 for 2010 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF) © 2013 Raible Designs
  • 36. OWASP Top 10 for 2010 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL Access 9. Insufficient Transport Layer Protection 10.Unvalidated Redirects and Forwards © 2013 Raible Designs
  • 37. Protect [SWAT] Checklist Firewalls IDS and IDPs Audits Penetration Tests Code Reviews with Static Analysis Tools © 2013 Raible Designs
  • 38. © 2013 Raible Designs
  • 39. Firewalls Stateless Firewalls Stateful Firewalls Invented by Nir Zuk at Check Point in the mid-90s Web App Firewalls Inspired by the 1996 PHF CGI exploit WAF Market $234m in 2010 © 2013 Raible Designs
  • 40. Gartner on Firewalls © 2013 Raible Designs
  • 41. Content Security Policy An HTTP Header with whitelist of trusted content Bans inline <script> tags, inline event handlers and javascript: URLs No eval(), new Function(), setTimeout or setInterval Supported in Chrome 16+, Safari 6+, and Firefox 4+, and (very) limited in IE 10 © 2013 Raible Designs
  • 42. Content Security Policy © 2013 Raible Designs
  • 43. Relax Web App Firewalls: Imperva, F5, Breach Open Source: WebNight and ModSecurity Stateful Firewalls: Juniper, Check Point, Palo Alto IDP/IDS: Sourcefire, TippingPoint Open Source: Snort Audits: ENY, PWC, Grant Thornton Pen Testing: WhiteHat, Trustwave, Electric Alchemy Open Source: OWASP ZAP Static Analysis: Fortify, Veracode © 2013 Raible Designs
  • 44. Remember... “Security is a quality, and as all other quality, it is important that we build it into our apps while we are developing them, not patching it on afterwards like many people do.” -- Erlend Oftedal From a comment on my blog: http://bit.ly/mjufjR © 2013 Raible Designs
  • 45. Action! Use OWASP and Open Source Security Frameworks Don’t be afraid to contribute! Follow the Security Street Fighter Blog http://software-security.sans.org/blog Use OWASP ZAP to pentest your apps Don’t be afraid of security! © 2013 Raible Designs
  • 46. Additional Reading Securing a JavaScript-based Web Application http://eoftedal.github.com/WebRebels2012 Michal Zalewski’s “The Tangled Web” http://lcamtuf.coredump.cx/tangled © 2013 Raible Designs
  • 47. Additional Resources OWASP Denver https://www.owasp.org/index.php/Denver Next Meeting: Wednesday, February 20, 6-8pm Front Range OWASP Security Conference March 28 - 29 in Denver David Campbell of Electric Alchemy http://www.electricalchemy.net © 2013 Raible Designs
  • 48. Questions? Contact Information http://raibledesigns.com @mraible My Presentations http://slideshare.net/mraible © 2013 Raible Designs