Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web App Security for Java Developers - UberConf 2021

Web App Security for Java Developers - UberConf 2021

Web app security is not just authentication and authorization. It's also the things you do to protect your web app from attackers with their XSS (cross-site scripting), SQL injection, DoS/DDoS attacks, and CSRF (cross-site request forgery), to name a few.

Web app security is a central component of any web-based business. The internet exposes web apps to attacks from different locations and various levels of scale and complexity. Web application security deals specifically with the security surrounding websites, web applications, and web services such as APIs.

In this presentation, you'll learn seven ways to better web app security, using Spring Security for code samples. You'll also see some quick demos of Spring Boot, Angular, and JHipster with Okta.

72a2082c6a4dd79ad68befb3db911616?s=128

Matt Raible
PRO

October 08, 2021
Tweet

Transcript

  1. Matt Raible | @mraible October 8, 2021 Web App Security

    for Java Developers Photo by Michiel Leunens on https://unsplash.com/photos/fBB7FeS4Xas
  2. @mraible Who is Matt Raible? Father, Husband, Skier, Mountain Biker,

    Whitewater Rafter Bus Lover Web Developer and Java Champion Okta Developer Advocate Blogger on raibledesigns.com and developer.okta.com/blog @mraible
  3. None
  4. None
  5. None
  6. developer.okta.com

  7. @mraible Today’s Agenda What is web app security? 7 simple

    ways to better app security 3 quick demos 🍃 Spring Boot 🅰 Angular 🤓 JHipster
  8. What is web app security?

  9. 1. Use HTTPS 2. Scan your dependencies 3. Use the

    latest releases 4. Secure your secrets 7 Simple Ways to Better Web App Security 5. Use a Content Security Policy 6. Use OAuth 2.0 and OIDC 7. Prevent Cross-site request forgery (CSRF)
  10. @mraible 1. Use HTTPS Everywhere! Let’s Encrypt offers free HTTPS

    certificates certbot can be used to generate certificates mkcert can be used to create localhost certificates Spring Boot Starter ACME for automating certificates
  11. What is HTTPS? https://howhttps.works

  12. How HTTPS Works https://howhttps.works

  13. HTTPS for Static Sites too! https://www.troyhunt.com/heres-why-your-static-website-needs-https

  14. HTTPS is Easy!

  15. Force HTTPS in Spring Boot @Configuration public class SecurityConfiguration extends

    WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); } }
  16. Force HTTPS in the Cloud @Configuration public class SecurityConfiguration extends

    WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel() .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null) .requiresSecure(); } }
  17. Force HTTPS in Spring WebFlux @EnableWebFluxSecurity public class SecurityConfiguration {

    @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.redirectToHttps(withDefaults()); return http.build(); } }
  18. Force HTTPS in Spring WebFlux + Cloud @EnableWebFluxSecurity public class

    SecurityConfiguration { @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.redirectToHttps(redirect -> redirect .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto")) ); return http.build(); } }
  19. @mraible “Why do we need HTTPS inside our network?”

  20. @mraible 2. Scan Your Dependencies

  21. @mraible GitHub + Dependabot

  22. @mraible Full-featured Dependency Scanners

  23. 3. Use the Latest Releases

  24. How well do you know your dependencies? Dependency Health Indirect

    Dependencies Regular Releases Regular commits Dependencies
  25. Check for Updates with npm npm i -g npm-check-updates ncu

  26. Check for Updates with Maven mvn versions:display-dependency-updates https://www.mojohaus.org/versions-maven-plugin

  27. Check for Updates with Gradle plugins { id("se.patrikerdes.use-latest-versions") version "0.2.17"

    id("com.github.ben-manes.versions") version “0.39.0" ... } $ ./gradlew useLatestVersions https://github.com/patrikerdes/gradle-use-latest-versions-plugin
  28. @mraible 4. Secure Your Secrets

  29. HashiCorp Vault and Azure Key Vault

  30. https://developer.okta.com/blog/2020/05/04/spring-vault Secure Secrets With Spring Cloud Config and Vault

  31. 5. Use a Content Security Policy

  32. Default Spring Security Headers Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma:

    no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block
  33. Add a Content Security Policy with Spring Security @EnableWebSecurity public

    class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.headers() .contentSecurityPolicy("script-src 'self' " + "https: // trustedscripts.example.com; " + "object-src https: // trustedplugins.example.com; " + "report-uri /csp-report-endpoint/"); } }
  34. Test Your Security Headers https://securityheaders.com

  35. @mraible 6. Use OAuth 2.0 and OpenID Connect OpenID Connect

    OAuth 2.0 HTTP OpenID Connect is for authentication 
 OAuth 2.0 is for authorization
  36. @mraible Authorization Code Flow Example https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway

  37. @mraible Does OAuth 2.0 feel like a maze of specs?

    https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
  38. @mraible OAuth 2.1 to the rescue! https://oauth.net/2.1 PKCE is required

    for all clients using the authorization code flow Redirect URIs must be compared using exact string matching The Implicit grant is omitted from this specification The Resource Owner Password Credentials grant is omitted from this specification Bearer token usage omits the use of bearer tokens in the query string of URIs Refresh tokens for public clients must either be sender-constrained or one-time use
  39. 7. Prevent CSRF Attacks

  40. Configure CSRF Protection with Spring Security @EnableWebSecurity public class SecurityConfiguration

    extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse()); } }
  41. SameSite Cookies

  42. @mraible Demos! 🍃 🅰 🤓

  43. 1. Use HTTPS 2. Scan your dependencies 3. Use the

    latest releases 4. Secure your secrets Recap: 7 Simple Ways to Better Web App Security 5. Use a Content Security Policy 6. Use OAuth 2.0 and OIDC 7. Prevent Cross-site request forgery (CSRF)
  44. developer.okta.com/blog @oktadev

  45. Curious About Microservice Security? https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

  46. Or Auth Security Patterns? https://bit.ly/mraible-springone-2021 https://youtu.be/CebTJ7Nq1Hs

  47. Thanks! Keep in Touch raibledesigns.com @mraible Presentations speakerdeck.com/mraible Code github.com/oktadev

    developer.okta.com
  48. developer.okta.com