Slide 1

Slide 1 text

Web App Security Made Simple
Matt Raible | @mraible
November 17, 2020
Photo by Billy Williams on https://unsplash.com/photos/8wz1Q4Q_XAg

Slide 2

Slide 2 text

Who is Matt Raible?
- Father, Husband, Skier, Mountain Biker, Whitewater Rafter
- Bus Lover
- Web Developer and Java Champion
- Okta Developer Advocate
- Blogger on raibledesigns.com and developer.okta.com/blog

Slide 6

Slide 6 text

developer.okta.com

Slide 7

Slide 7 text

Today's Agenda
- What is web app security?
- 7 simple ways to better app security
- 3 quick demos: Spring Boot, Angular, JHipster

Slide 8

Slide 8 text

What is web app security?

Slide 9

Slide 9 text

7 Simple Ways to Better Web App Security
1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)

Slide 10

Slide 10 text

1. Use HTTPS Everywhere!
- Let's Encrypt offers free HTTPS certificates
- certbot can be used to generate certificates
- mkcert can be used to create localhost certificates
- Spring Boot Starter ACME for automating certificates

Slide 11

Slide 11 text

What is HTTPS? https://howhttps.works

Slide 12

Slide 12 text

HTTPS is Easy!

Slide 13

Slide 13 text

Force HTTPS in Spring Boot

    @Configuration
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requiresChannel().anyRequest().requiresSecure();
        }
    }

Slide 14

Slide 14 text

Force HTTPS in the Cloud

    @Configuration
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requiresChannel()
                .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
                .requiresSecure();
        }
    }

Slide 15

Slide 15 text

“Why do we need HTTPS inside our network?”

Slide 16

Slide 16 text

2. Scan Your Dependencies

Slide 17

Slide 17 text

GitHub + Dependabot

Slide 18

Slide 18 text

Full-featured Dependency Scanners

Slide 19

Slide 19 text

3. Use the Latest Releases

Slide 20

Slide 20 text

How well do you know your dependencies?
(diagram) Dependency Health: Dependencies, Indirect Dependencies, Regular Releases, Regular Commits

Slide 21

Slide 21 text

Check for Updates with npm

    npm i -g npm-check-updates
    ncu

Slide 22

Slide 22 text

Check for Updates with Maven

    mvn versions:display-dependency-updates

https://www.mojohaus.org/versions-maven-plugin

Slide 23

Slide 23 text

Check for Updates with Gradle

    plugins {
        id("se.patrikerdes.use-latest-versions") version "0.2.13"
        id("com.github.ben-manes.versions") version "0.28.0"
        // ...
    }

    $ ./gradlew useLatestVersions

https://github.com/patrikerdes/gradle-use-latest-versions-plugin

Slide 24

Slide 24 text

4. Secure Your Secrets

Slide 25

Slide 25 text

HashiCorp Vault and Azure Key Vault

Slide 26

Slide 26 text

Secure Secrets With Spring Cloud Config and Vault
https://developer.okta.com/blog/2020/05/04/spring-vault

Slide 27

Slide 27 text

5. Use a Content Security Policy

Slide 28

Slide 28 text

Default Spring Security Headers

    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block

Slide 29

Slide 29 text

Add a Content Security Policy with Spring Security

    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.headers()
                .contentSecurityPolicy("script-src 'self' " +
                    "https://trustedscripts.example.com; " +
                    "object-src https://trustedplugins.example.com; " +
                    "report-uri /csp-report-endpoint/");
        }
    }
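The policy above names a report-uri but the slides do not show what receives the reports. The following is an added example, not code from the talk: a Spring MVC controller for /csp-report-endpoint/ that parses the browser's violation report (JSON with a top-level "csp-report" object, sent as Content-Type application/csp-report) and logs the fields a defender wants to triage. The controller name and the logger usage are assumptions.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical receiver for the report-uri configured in the CSP above.
@RestController
public class CspReportController {

    private static final Logger log = LoggerFactory.getLogger(CspReportController.class);
    private final ObjectMapper mapper = new ObjectMapper();

    // Browsers POST reports with Content-Type: application/csp-report, which the
    // default Jackson converter does not accept, so take the raw body as a String
    // (the String converter accepts any media type) and parse it ourselves.
    @PostMapping(value = "/csp-report-endpoint/", consumes = "*/*")
    public ResponseEntity<Void> receive(@RequestBody String body) throws Exception {
        JsonNode report = mapper.readTree(body).path("csp-report");
        if (report.isMissingNode() || !report.isObject()) {
            // Not a CSP report: reject rather than log attacker-controlled noise.
            return ResponseEntity.badRequest().build();
        }
        // The fields below are the standard report keys sent by browsers.
        log.warn("CSP violation: page={} directive={} blocked={} policy={}",
                report.path("document-uri").asText("?"),
                report.path("violated-directive").asText("?"),
                report.path("blocked-uri").asText("?"),
                report.path("original-policy").asText("?"));
        return ResponseEntity.noContent().build();
    }
}
```

Because the browser POSTs the report without any CSRF token, exclude the endpoint from CSRF protection (for example `http.csrf().ignoringAntMatchers("/csp-report-endpoint/")` in the same configuration), and consider rolling a new policy out with `.reportOnly()` first so violations are reported but not yet enforced.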

Slide 30

Slide 30 text

Test Your Security Headers https://securityheaders.com

Slide 31

Slide 31 text

6. Use OAuth 2.0 and OpenID Connect
(diagram) layers: OpenID Connect, OAuth 2.0, HTTP
- OpenID Connect is for authentication
- OAuth 2.0 is for authorization

Slide 32

Slide 32 text

Authorization Code Flow Example
https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway

Slide 33

Slide 33 text

Does OAuth 2.0 feel like a maze of specs?
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

Slide 34

Slide 34 text

OAuth 2.1 to the rescue!
https://oauth.net/2.1
- PKCE is required for all clients using the authorization code flow
- Redirect URIs must be compared using exact string matching
- The Implicit grant is omitted from this specification
- The Resource Owner Password Credentials grant is omitted from this specification
- Bearer token usage omits the use of bearer tokens in the query string of URIs
- Refresh tokens for public clients must either be sender-constrained or one-time use
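The first two OAuth 2.1 rules are small enough to show in code. This is an added example, not from the talk or from any OAuth library: the PKCE S256 computation from RFC 7636 as both client (verifier, challenge) and server (recompute and compare) would perform it, plus the exact-string redirect URI check. The class and method names are assumptions; the test vector in main() is the one published in RFC 7636 Appendix B.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

public final class Pkce {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // Client: 32 random bytes, base64url-encoded, gives a 43-character verifier
    // made only of the unreserved characters RFC 7636 allows.
    public static String newCodeVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method "S256".
    public static String codeChallengeS256(String verifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            return B64URL.encodeToString(sha256.digest(verifier.getBytes(StandardCharsets.US_ASCII)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    // Server: at the token endpoint, recompute the challenge from the presented
    // verifier and compare it in constant time with the one stored at /authorize.
    public static boolean verifierMatches(String storedChallenge, String presentedVerifier) {
        if (presentedVerifier.length() < 43 || presentedVerifier.length() > 128
                || !presentedVerifier.matches("[A-Za-z0-9\\-._~]+")) {
            return false; // outside the RFC 7636 verifier grammar
        }
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = codeChallengeS256(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    // OAuth 2.1: no prefix or wildcard matching, the presented redirect_uri must
    // equal a registered one character for character.
    public static boolean redirectUriAllowed(Set<String> registered, String presented) {
        return presented != null && registered.contains(presented);
    }

    public static void main(String[] args) {
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"; // RFC 7636 Appendix B
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        if (!verifierMatches(rfcChallenge, rfcVerifier)) throw new AssertionError("S256 mismatch");
        if (verifierMatches(rfcChallenge, newCodeVerifier())) throw new AssertionError("wrong verifier accepted");
        Set<String> registered = Set.of("https://app.example.com/callback"); // constructed sample
        if (!redirectUriAllowed(registered, "https://app.example.com/callback")) throw new AssertionError();
        if (redirectUriAllowed(registered, "https://app.example.com/callback/../")) throw new AssertionError();
    }
}
```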

Slide 35

Slide 35 text

7. Prevent CSRF Attacks

Slide 36

Slide 36 text

Configure CSRF Protection with Spring Security

    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .csrf()
                .csrfTokenRepository(
                    CookieCsrfTokenRepository.withHttpOnlyFalse());
        }
    }
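CookieCsrfTokenRepository.withHttpOnlyFalse() implements the double-submit pattern: the server issues an XSRF-TOKEN cookie that the SPA reads and echoes back in an X-XSRF-TOKEN header, which a cross-site page cannot do. The following is an added example, not from the talk: a Spring Boot MockMvc test (Spring Boot 2 / javax.servlet, spring-security-test on the classpath) that verifies the configuration above rejects a forged POST and accepts the cookie-plus-header round trip. The /api/notes endpoint and the test class name are assumptions.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import javax.servlet.http.Cookie;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class CsrfDoubleSubmitTest {

    // Hypothetical state-changing endpoint of the application under test.
    private static final String ENDPOINT = "/api/notes";

    @Autowired
    private MockMvc mockMvc;

    @Test
    void postWithoutTokenIsForbidden() throws Exception {
        // Authenticated session, but no XSRF-TOKEN cookie and no X-XSRF-TOKEN
        // header: this is what a cross-site forged request looks like to the server.
        mockMvc.perform(post(ENDPOINT).with(user("alice"))
                .contentType(MediaType.APPLICATION_JSON).content("{}"))
            .andExpect(status().isForbidden());
    }

    @Test
    void postWithCookieAndMatchingHeaderIsAccepted() throws Exception {
        // Any request through CsrfFilter makes the repository issue the
        // (non-HttpOnly) XSRF-TOKEN cookie, so a plain GET is enough to obtain it.
        Cookie xsrf = mockMvc.perform(get(ENDPOINT).with(user("alice")))
            .andReturn().getResponse().getCookie("XSRF-TOKEN");

        // The SPA copies the cookie value into the X-XSRF-TOKEN header; a page on
        // another origin cannot read the cookie and therefore cannot build this request.
        mockMvc.perform(post(ENDPOINT).with(user("alice"))
                .cookie(xsrf)
                .header("X-XSRF-TOKEN", xsrf.getValue())
                .contentType(MediaType.APPLICATION_JSON).content("{}"))
            .andExpect(status().is2xxSuccessful());
    }
}
```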

Slide 37

Slide 37 text

SameSite Cookies

Slide 38

Slide 38 text

Demos!

Slide 39

Slide 39 text

Recap: 7 Simple Ways to Better Web App Security
1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)

Slide 40

Slide 40 text

developer.okta.com/blog @oktadev

Slide 41

Slide 41 text

Curious about Microservice Security?
https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

Slide 42

Slide 42 text

Thanks! Keep in Touch
- raibledesigns.com
- @mraible
- Presentations: speakerdeck.com/mraible
- Code: github.com/oktadeveloper
- developer.okta.com

Slide 43

Slide 43 text

developer.okta.com