10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019

72a2082c6a4dd79ad68befb3db911616?s=47 Matt Raible
November 08, 2019

10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019

Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure.

This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more!

You’ll learn how to add these features to a real application, using the Java language you know and love.

* YouTube video: https://www.youtube.com/watch?v=PpqNMhe4Bd0
* Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
* Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/

72a2082c6a4dd79ad68befb3db911616?s=128

Matt Raible

November 08, 2019
Tweet

Transcript

  1. 1.

    Brian Vermeer and Matt Raible 10 Excellent Ways to Secure

    Your Spring Boot Application @BrianVerm | @mraible
  2. 4.

    Use HTTPS Everywhere! 4 Let’s Encrypt offers free HTTPS certificates

    certbot can be used to generate certificates mkcert can be used to create localhost certificates Spring Boot Starter ACME for automating certificates
  3. 6.

    @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void

    configure(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); } }
  4. 7.

    @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void

    configure(HttpSecurity http) throws Exception { http.requiresChannel() .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null) .requiresSecure(); } }
  5. 9.
  6. 11.
  7. 13.

    Serverless Example: Fetch file & store in S3 'use strict';

    const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3
  8. 14.

    Serverless Example: Fetch file & store in S3 'use strict';

    const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code 2 Direct dependencies https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
  9. 15.

    Serverless Example: Fetch file & store in S3 'use strict';

    const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code 2 Direct dependencies 19 dependencies (incl. indirect) https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
  10. 16.

    Serverless Example: Fetch file & store in S3 'use strict';

    const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code 2 Direct dependencies 19 dependencies (incl. indirect) 191,155 Lines of Code https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }
  11. 18.
  12. 21.
  13. 22.

    How well do you know your dependencies? 22 Dependencies Dependency

    Health Indirect Dependencies Regular Commits Regular Releases
  14. 23.

    Check for Updates with npm npm i -g npm-check-updates ncu

    https://www.npmjs.com/package/npm-check-updates
  15. 27.

    @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void

    configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse()); } }
  16. 31.

    Default Spring Security Headers Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma:

    no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block
  17. 32.

    @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void

    configure(HttpSecurity http) throws Exception { http.headers() .contentSecurityPolicy("script-src 'self' " + "https://trustedscripts.example.com; " + "object-src https://trustedplugins.example.com; " + "report-uri /csp-report-endpoint/"); } }
  18. 39.

    Spring Security OIDC Configuration spring: security: oauth2: client: registration: okta:

    client-id: {clientId} client-secret: {clientSecret} provider: okta: issuer-uri: https://{yourOktaDomain}/oauth2/default
  19. 46.

    It should not be predictable hash("TSD0") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD1") =

    98eadd540e6c0579a1bcbe375c8d1ae2863beacdfb9af803e5f4d6dd1f8926c2 hash("TSD2") = 665ec59d7fb01f6070622780e744040239f0aaa993eae1d088bc4f0137d270ef hash("TSD3") = 7ae89eb10a765ec2459bee59ed1d3ed97dbb9f31ec5c7bd13d19380bc39f5288
  20. 49.

    Hashed Passwords in Spring @Autowired private PasswordEncoder passwordEncoder; public String

    hashPassword(String password) { return passwordEncoder.encode(password); }
  21. 52.
  22. 56.

    Why char[] instead of String for password? Strings are immutable,

    can't wipe data String passwords can be accidentally printed https://www.baeldung.com/java-storing-passwords Printing String password -> password Printing char[] password -> [C@6e8cf4c6
  23. 58.

    OWASP Zed Attack Proxy Two approaches: Spider and Active Scan

    Spider starts with a seed of URLs Active Scan records a session then plays it back, scanning for known vulnerabilities
  24. 61.

    Code Review Topics 1. Identify and validate any third party

    input 2. Never store credentials as code/config 3. Test for new security vulnerabilities in third-party open source dependencies. 4. Authenticate inbound requests 5. Enforce the least privilege principle 6. Prefer whitelist over blacklist 7. Handle sensitive data with care 8. Do not allow back doors in your code 9. Protect against well-known attacks 10. Statically test your source code on every PR, automatically
  25. 63.

    10 Excellent Ways to Secure Spring Boot 1. Use HTTPS

    2. Scan dependencies 3. Dependencies up-to-date 4. Enable CSRF protection 5. Use a Content Security Policy 6. Use OIDC 7. Hash passwords 8. Store secrets securely 9. Test with OWASP's ZAP 10. Code review with experts
  26. 65.