10 Excellent Ways to Secure Your Spring Boot Application - The Secure Developer 2019

Transcript

1. 10 Excellent Ways to Secure Your Spring Boot Application June

   6, 2019 Simon Maple and Matt Raible @sjmaple | @mraible thesecuredeveloper.com

2. 10 Excellent Ways… http://bit.ly/secure-spring-boot

3. 1. Use HTTPS in Production

4. Use HTTPS Everywhere! Let’s Encrypt offers free HTTPS certificates certbot

   can be used to generate certificates mkcert can be used to create localhost certificates Spring Boot Starter ACME for automating certificates

5. @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void

   configure(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); } }

6. @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void

   configure(HttpSecurity http) throws Exception { http.requiresChannel() .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null) .requiresSecure(); } }

7. Life hack: Night lights

8. None

9. 2. Scan Your Dependencies for Vulnerabilities

10. None

11. Source: SecurityIntelligence.com Java Struts 2 RCE Vulnerability
 CVE 2017-5638

12. Java Struts 2 RCE Vulnerability
 CVE 2017-5638 Source: SecurityIntelligence.com

13. Your Code Your App

14. Serverless Example: Fetch file & store in s3
 (Serverless Framework

    Example) 19 Lines of Code 2 Direct dependencies 19 dependencies (incl. indirect) 191,155 Lines of Code

15. https://snyk.io/opensourcesecurity-2019

16. Demo

17. 3. Upgrade To Latest Releases

18. None

19. How well do you know your dependencies?

20. Checking for Updates with npm npm i -g npm-check-updates
 ncu

21. Checking for Updates with Maven mvn versions:display-dependency-updates

22. Checking for Updates with Gradle gradle dependencyUpdates -Drevision=release

23. Life hack: Straight cuts

24. None

25. 4. Enable CSRF Protection

26. @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void

    configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse()); } }

27. 5. Use a Content Security Policy to Prevent XSS Attacks

28. @spring_io #springio17 Default Spring Security Headers Cache-Control: no-cache, no-store, max-age=0,

    must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 ; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block

29. @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void

    configure(HttpSecurity http) throws Exception { http.headers() .contentSecurityPolicy("script-src 'self' " + "https://trustedscripts.example.com; " + "object-src https://trustedplugins.example.com; " + "report-uri /csp-report-endpoint/"); } }

30. securityheaders.com

31. @spring_io #springio17 Better Web Site Security How-To developer.okta.com/blog/2019/04/11/site-security-cloudflare-netlify

32. Life hack: Peppermint tea

33. None

34. 6. Use OpenID Connect for Authentication

35. None

36. @spring_io #springio17 Spring Security OIDC Configuration spring: security: oauth2: client:

    registration: okta: client-id: {clientId} client-secret: {clientSecret} provider: okta: issuer-uri: https://{yourOktaDomain}/oauth2/default

37. OIDC Authentication Demo @Grab('spring-boot-starter-oauth2-client') @RestController class Application { @GetMapping('/') String

    home(java.security.Principal user) { ‘Hello ' + user.name } }

38. Works with Spring WebFlux developer.okta.com/blog/2018/11/26/spring-boot-2-dot-1-oidc-oauth2-reactive-apis

39. And JHipster! developer.okta.com/blog/2019/04/04/java-11-java-12-jhipster-oidc

40. 7. Managing Passwords? Use Password Hashing!

41. hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash(“TSD”)

    = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 Deterministic

42. One-way function hash(“TSD”) =3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 unhash(“3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3”) = ???

43. It should not be predictable hash(“TSD0”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash(“TSD1”) =

    98eadd540e6c0579a1bcbe375c8d1ae2863beacdfb9af803e5f4d6dd1f8926c2 hash(“TSD2”) = 665ec59d7fb01f6070622780e744040239f0aaa993eae1d088bc4f0137d270ef hash(“TSD3”) = 7ae89eb10a765ec2459bee59ed1d3ed97dbb9f31ec5c7bd13d19380bc39f5288

44. One to one mapping hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash(“123”) != 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3

45. @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } Hashed

    passwords in Spring

46. @Autowired private PasswordEncoder passwordEncoder; public String hashPassword(String password) { return

    passwordEncoder.encode(password); } Hashed passwords in Spring

47. Life hack: Pasta holder

48. None

49. 8. Store Secrets Securely

50. None

51. https://github.com/awslabs/git-secrets

52. <dependencies> <dependency> <groupId>org.springframework.vault</groupId> <artifactId>spring-vault-code</artifactId> <version>2.2.RELEASE</version> </dependency> </dependencies> Spring Vault

53. Spring Vault @Value(”${password}”) String password;

54. 9. Test Your App with OWASP’s ZAP

55. OWASP Zed Attack Proxy Two approaches: Spider and Active Scan

    Spider starts with a seed of URLs Active Scan records a session then plays it back, scanning for known vulnerabilities

56. Learn More about ZAP Homepage www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project GitHub github.com/zaproxy/zaproxy Twitter twitter.com/zaproxy

57. Life hack: Boiling water

58. None

59. 10. Have Your Security Team do a Code Review

60. Code Review topics 1. Identify and validate any third party

    input 2. Never store credentials as code/config 3. Test for new security vulnerabilities in third-party open source dependencies. 4. Authenticate inbound requests 5. Enforce the least privilege principle 6. Prefer whitelist over blacklist 7. Handle sensitive data with care 8. Do not allow back doors in your code 9. Protect against well-known attacks 10.Statically test your source code on every PR, automatically

61. 10 Excellent Ways to Secure Spring Boot 1. Use HTTPS

    2. Scan dependencies 3. Dependencies up-to-date 4. Enable CSRF protection 5. Use a Content Security Policy 6. Use OIDC 7. Hash passwords 8. Store secrets securely 9. Test with OWASP's ZAP 10.Code review with experts

62. snyk.io/blog/spring-boot-security-best-practices

63. Bonus: Don’t Allow Your Lack of Security to be Disturbing

64. None

65. Questions? Keep in touch! @sjmaple @mraible Presentation speakerdeck.com/mraible Code github.com/oktadeveloper