Slide 1

Slide 1 text

Brian Demers and Matt Raible 10 Excellent Ways to Secure Spring Boot Apps @briandemers | @mraible

Slide 2

Slide 2 text

10 Excellent Ways... https://bit.ly/secure-spring-boot

Slide 3

Slide 3 text

1. Use HTTPS

Slide 4

Slide 4 text

Use HTTPS Everywhere! 6 Let’s Encrypt offers free HTTPS certificates certbot can be used to generate certificates mkcert can be used to create localhost certificates Spring Boot Starter ACME for automating certificates

Slide 5

Slide 5 text

howhttps.works

Slide 6

Slide 6 text

@Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); } }

Slide 7

Slide 7 text

@Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel() .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null) .requiresSecure(); } }

Slide 8

Slide 8 text

2. Scan Dependencies

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

Java Struts 2 RCE Vulnerability CVE 2017-5638 Source: SecurityIntelligence.com

Slide 11

Slide 11 text

Your App

Slide 12

Slide 12 text

Your App Your Code

Slide 13

Slide 13 text

Serverless Example: Fetch file & store in S3 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3

Slide 14

Slide 14 text

Serverless Example: Fetch file & store in S3 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code 2 Direct dependencies https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }

Slide 15

Slide 15 text

Serverless Example: Fetch file & store in S3 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code 2 Direct dependencies 19 dependencies (incl. indirect) https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }

Slide 16

Slide 16 text

Serverless Example: Fetch file & store in S3 'use strict'; const fetch = require('node-fetch'); const AWS = require('aws-sdk'); // eslint-disable-line import/no-extraneous-dependencies const s3 = new AWS.S3(); module.exports.save = (event, context, callback) => { fetch(event.image_url) .then((response) => { if (response.ok) { return response; } return Promise.reject(new Error( `Failed to fetch ${response.url}: ${response.status} ${response.statusText}`)); }) .then(response => response.buffer()) .then(buffer => ( s3.putObject({ Bucket: process.env.BUCKET, Key: event.key, Body: buffer, }).promise() )) .then(v => callback(null, v), callback); }; 19 Lines of Code 2 Direct dependencies 19 dependencies (incl. indirect) 191,155 Lines of Code https://github.com/serverless/examples/tree/master/aws-node-fetch-file-and-store-in-s3 { "dependencies": { "aws-sdk": "^2.7.9", "node-fetch": "^1.6.3" } }

Slide 17

Slide 17 text

https://snyk.io/opensourcesecurity-2019

Slide 18

Slide 18 text

Demo

Slide 19

Slide 19 text

Matt's Life Hack: Don't fix your socks; fix your toes!

Slide 20

Slide 20 text

3. Upgrade Libraries

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

How well do you know your dependencies? 24 Dependencies Dependency Health Indirect Dependencies Regular Commits Regular Releases

Slide 23

Slide 23 text

Check for Updates with npm npm i -g npm-check-updates ncu https://www.npmjs.com/package/npm-check-updates

Slide 24

Slide 24 text

Check for Updates with Maven mvn versions:display-dependency-updates https://www.mojohaus.org/versions-maven-plugin

Slide 25

Slide 25 text

Check for Updates with Gradle gradle dependencyUpdates \ -Drevision=release https://github.com/ben-manes/gradle-versions-plugin

Slide 26

Slide 26 text

4. Enable CSRF

Slide 27

Slide 27 text

@EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse()); } }

Slide 28

Slide 28 text

Brian's Life Hack: Tennis Ball Storage

Slide 29

Slide 29 text

5. Use a CSP

Slide 30

Slide 30 text

Default Spring Security Headers Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block

Slide 31

Slide 31 text

@EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.headers() .contentSecurityPolicy("script-src 'self' " + "https://trustedscripts.example.com; " + "object-src https://trustedplugins.example.com; " + "report-uri /csp-report-endpoint/"); } }

Slide 32

Slide 32 text

https://securityheaders.com

Slide 33

Slide 33 text

https://developer.okta.com/blog/2019/04/11/site-security-cloudflare-netlify

Slide 34

Slide 34 text

Brian's Life Hack Laptop Charger Snack-Warmer

Slide 35

Slide 35 text

6. Use OIDC for Auth

Slide 36

Slide 36 text

OIDC Authorization Code Flow

Slide 37

Slide 37 text

Spring Security OIDC Configuration spring: security: oauth2: client: registration: okta: client-id: {clientId} client-secret: {clientSecret} provider: okta: issuer-uri: https://{yourOktaDomain}/oauth2/default

Slide 38

Slide 38 text

OIDC Authentication Demo @Grab('spring-boot-starter-oauth2-client') @RestController class Application { @GetMapping('/') String home(java.security.Principal user) { 'Hello ' + user.name } }

Slide 39

Slide 39 text

Want less code? Use Okta! okta: oauth2: issuer: https://{yourOktaDomain}/oauth2/default client-id: {yourClientId} client-secret: {yourClientSecret} com.okta.spring okta-spring-boot-starter 1.3.0

Slide 40

Slide 40 text

Works with Spring WebFlux https://developer.okta.com/blog/2018/11/26/spring-boot-2-dot-1-oidc-oauth2-reactive-apis

Slide 41

Slide 41 text

And JHipster! https://developer.okta.com/blog/2019/04/04/java-11-java-12-jhipster-oidc

Slide 42

Slide 42 text

7. Hash Passwords

Slide 43

Slide 43 text

One-way Function hash("TSD") =3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 unhash("3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3") = ???

Slide 44

Slide 44 text

Deterministic hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3

Slide 45

Slide 45 text

It should not be predictable hash("TSD0") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("TSD1") = 98eadd540e6c0579a1bcbe375c8d1ae2863beacdfb9af803e5f4d6dd1f8926c2 hash("TSD2") = 665ec59d7fb01f6070622780e744040239f0aaa993eae1d088bc4f0137d270ef hash("TSD3") = 7ae89eb10a765ec2459bee59ed1d3ed97dbb9f31ec5c7bd13d19380bc39f5288

Slide 46

Slide 46 text

One-to-one mapping hash("TSD") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3 hash("123") != 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3

Slide 47

Slide 47 text

Hashed Passwords in Spring @Bean public PasswordEncoder passwordEncoder() { return new SCryptPasswordEncoder(); }

Slide 48

Slide 48 text

Hashed Passwords in Spring @Autowired private PasswordEncoder passwordEncoder; public String hashPassword(String password) { return passwordEncoder.encode(password); }

Slide 49

Slide 49 text

Matt's Life Hack: Clean hard-to-reach places with

Slide 50

Slide 50 text

8. Use Secure Secrets

Slide 51

Slide 51 text

No content

Slide 52

Slide 52 text

https://github.com/awslabs/git-secrets

Slide 53

Slide 53 text

Spring Vault org.springframework.vault spring-vault-core 2.2.0.RELEASE

Slide 54

Slide 54 text

Spring Vault @Value("${password}") char[] password;

Slide 55

Slide 55 text

Why char[] instead of String for password? Strings are immutable, can't wipe data String passwords can be accidentally printed https://www.baeldung.com/java-storing-passwords Printing String password -> password Printing char[] password -> [C@6e8cf4c6

Slide 56

Slide 56 text

9. Test with ZAP

Slide 57

Slide 57 text

OWASP Zed Attack Proxy Two approaches: Spider and Active Scan Spider starts with a seed of URLs Active Scan records a session then plays it back, scanning for known vulnerabilities

Slide 58

Slide 58 text

Learn More About ZAP Homepage https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project GitHub https://github.com/zaproxy/zaproxy Twitter @zaproxy

Slide 59

Slide 59 text

10. Security Reviews

Slide 60

Slide 60 text

Code Review Topics 1. Identify and validate any third party input 2. Never store credentials as code/config 3. Test for new security vulnerabilities in third-party open source dependencies. 4. Authenticate inbound requests 5. Enforce the least privilege principle 6. Prefer whitelist over blacklist 7. Handle sensitive data with care 8. Do not allow back doors in your code 9. Protect against well-known attacks 10. Statically test your source code on every PR, automatically

Slide 61

Slide 61 text

10 Excellent Ways to Secure Spring Boot 1. Use HTTPS 2. Scan dependencies 3. Dependencies up-to-date 4. Enable CSRF protection 5. Use a Content Security Policy 6. Use OIDC 7. Hash passwords 8. Store secrets securely 9. Test with OWASP's ZAP 10. Code review with experts

Slide 62

Slide 62 text

https://snyk.io/blog/spring-boot-security-best-practices

Slide 63

Slide 63 text

No content

Slide 64

Slide 64 text

Life Hack: Use a toilet seat for a TV dinner setup

Slide 65

Slide 65 text

Questions? 69 Keep in Touch! @mraible @briandemers Presentation speakerdeck.com/mraible Code github.com/oktadeveloper