Slide 1

Matt Raible | @mraible
October 27, 2022
Web App Security for Java Developers
Photo by Lachlan Gowen on https://unsplash.com/photos/RZ5TKFpdaWM

Slide 2

Who is Matt Raible?
Father, Husband, Skier, Mountain Biker, Whitewater Rafter
Bus Lover
Web Developer and Java Champion
Okta Developer Advocate
Blogger on raibledesigns.com and developer.okta.com/blog

Slide 6

developer.okta.com

Slide 7

developer.auth0.com

Slide 8

Today’s Agenda
What is web app security?
7 simple ways to better app security
3 quick demos
🍃 Spring Boot
🅰 Angular
🤓 JHipster

Slide 9

What is web app security?

Slide 10

7 Simple Ways to Better Web App Security
1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)

Slide 11

1. Use HTTPS Everywhere!
Let’s Encrypt offers free HTTPS certificates
certbot can be used to generate certificates
mkcert can be used to create localhost certificates
Spring Boot Starter ACME for automating certificates

Slide 12

What is HTTPS?
https://howhttps.works

Slide 13

How HTTPS Works
https://howhttps.works

Slide 14

HTTPS for Static Sites too!
https://www.troyhunt.com/heres-why-your-static-website-needs-https

Slide 15

HTTPS is Easy!

Slide 16

Force HTTPS in Spring Boot

    @Configuration
    public class SecurityConfiguration {

        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            // Redirect any request that did not arrive over HTTPS
            http.requiresChannel().anyRequest().requiresSecure();
            return http.build();
        }
    }

Slide 17

Force HTTPS in the Cloud

    @Configuration
    public class SecurityConfiguration {

        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            // Behind a TLS-terminating proxy, only requests that carry the
            // proxy's X-Forwarded-Proto header are required to be secure
            http.requiresChannel()
                .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
                .requiresSecure();
            return http.build();
        }
    }

Slide 18

Force HTTPS in Spring WebFlux

    import static org.springframework.security.config.Customizer.withDefaults;

    @EnableWebFluxSecurity
    public class SecurityConfiguration {

        @Bean
        SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            // Redirect plain HTTP requests to HTTPS using the default settings
            http.redirectToHttps(withDefaults());
            return http.build();
        }
    }

Slide 19

Force HTTPS in Spring WebFlux + Cloud

    @EnableWebFluxSecurity
    public class SecurityConfiguration {

        @Bean
        SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
            // Only redirect when the request came through the proxy (X-Forwarded-Proto present)
            http.redirectToHttps(redirect -> redirect
                .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
            );
            return http.build();
        }
    }
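The two "Cloud" variants above key on the presence of X-Forwarded-Proto because, behind a TLS-terminating proxy, the servlet container sees a plain HTTP connection and `request.isSecure()` is false. As an added example (not from the deck or from Spring's own documentation), the servlet configuration below registers Spring's `ForwardedHeaderFilter` ahead of the security filter chain so that `isSecure()`, `getScheme()`, `getServerName()` and `getServerPort()` reflect the proxy's `X-Forwarded-*` headers; with that in place the plain `anyRequest().requiresSecure()` rule from slide 16 works in the cloud too, and the redirect is built from the external host. The package and class names are my own; the comments state the deployment assumption the approach depends on.

```java
package com.example.security;   // hypothetical package name

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.filter.ForwardedHeaderFilter;

@Configuration
public class ForwardedHttpsConfiguration {

    /**
     * ForwardedHeaderFilter wraps the request so that scheme, host, port and isSecure()
     * come from the Forwarded / X-Forwarded-* headers, then strips those headers so no
     * later code can act on them again. Spring Boot registers the same filter for you
     * when server.forward-headers-strategy=framework is set; this bean is the explicit
     * equivalent. Assumption: the proxy is the only path to the application. A client
     * that can reach the container directly can send its own X-Forwarded-Proto header,
     * so the container port must not be exposed beyond the proxy.
     */
    @Bean
    FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        FilterRegistrationBean<ForwardedHeaderFilter> registration =
                new FilterRegistrationBean<>(new ForwardedHeaderFilter());
        // Run before Spring Security (default order -100) so the channel check sees the real scheme
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // With forwarded headers applied, isSecure() is true for requests the proxy
        // received over HTTPS and false otherwise, so the simple rule is enough here
        http.requiresChannel().anyRequest().requiresSecure();
        return http.build();
    }
}
```

Because the filter removes the forwarded headers after applying them, a `requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)` rule would never match once this bean is registered; use one approach or the other, not both.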

Slide 20

“Why do we need HTTPS inside our network?”

Slide 21

2. Scan Your Dependencies

Slide 22

GitHub + Dependabot

Slide 23

Full-featured Dependency Scanners

Slide 24

3. Use the Latest Releases

Slide 25

How well do you know your dependencies?
(diagram) Dependency Health: Dependencies, Indirect Dependencies, Regular Releases, Regular commits

Slide 26

Check for Updates with npm

    npx npm-check-updates

Slide 27

Check for Updates with Maven

    mvn versions:display-dependency-updates

https://www.mojohaus.org/versions-maven-plugin

Slide 28

Check for Updates with Gradle

    plugins {
        id("se.patrikerdes.use-latest-versions") version "0.2.18"
        id("com.github.ben-manes.versions") version "0.42.0"
        ...
    }

    $ ./gradlew useLatestVersions

https://github.com/patrikerdes/gradle-use-latest-versions-plugin

Slide 29

4. Secure Your Secrets

Slide 30

HashiCorp Vault and Azure Key Vault

Slide 31

Secure Secrets With Spring Cloud Config and Vault
https://developer.okta.com/blog/2022/10/20/spring-vault

Slide 32

5. Use a Content Security Policy

Slide 33

Default Spring Security Headers

    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block

Slide 34

Add a Content Security Policy with Spring Security

    @Configuration
    public class SecurityConfiguration {

        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            // Scripts only from this origin and the trusted CDN; plugins only from the
            // trusted host; browsers POST violation reports to /csp-report-endpoint/
            http.headers()
                .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; "
                    + "object-src https://trustedplugins.example.com; "
                    + "report-uri /csp-report-endpoint/");
            return http.build();
        }
    }
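The policy above names `report-uri /csp-report-endpoint/`, but nothing on the slide receives those reports. As an added example (my code, not the deck's or Spring Security's), here is a controller that accepts the browser's `application/csp-report` POST and logs the fields a defender needs to triage a violation. The body is read as a `String` because Spring's default JSON converter only handles JSON media types, and every field is treated as untrusted input, since anyone who can reach the URL can post to it. The package name and the size limits are my own choices.

```java
package com.example.security;   // hypothetical package name

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class CspReportController {

    private static final Logger log = LoggerFactory.getLogger(CspReportController.class);
    private static final int MAX_BODY = 8 * 1024;   // a real report is far smaller than this
    private static final int MAX_FIELD = 512;       // bound every value that reaches the log

    private final ObjectMapper mapper = new ObjectMapper();

    // Browsers send the report with Content-Type application/csp-report and wrap the
    // fields in a top-level "csp-report" object; application/json is accepted for tooling.
    @PostMapping(path = "/csp-report-endpoint/",
                 consumes = {"application/csp-report", "application/json"})
    public ResponseEntity<Void> receive(@RequestBody String body) {
        if (body.length() > MAX_BODY) {
            return ResponseEntity.status(413).build();   // Payload Too Large
        }
        JsonNode report;
        try {
            report = mapper.readTree(body).path("csp-report");
        } catch (JsonProcessingException e) {
            return ResponseEntity.badRequest().build();
        }
        // One WARN line per violation: which page, which directive, what was blocked, and where.
        // Control characters are replaced so a crafted report cannot forge extra log lines.
        log.warn("CSP violation document-uri={} violated-directive={} blocked-uri={} source={}:{}",
                clean(report, "document-uri"),
                clean(report, "violated-directive"),
                clean(report, "blocked-uri"),
                clean(report, "source-file"),
                clean(report, "line-number"));
        return ResponseEntity.noContent().build();
    }

    // Extract one field as printable, length-bounded text; "-" marks a missing field.
    static String clean(JsonNode report, String field) {
        JsonNode node = report.path(field);
        if (node.isMissingNode() || node.isNull()) {
            return "-";
        }
        String printable = node.asText().replaceAll("\\p{Cntrl}", "?");
        return printable.length() > MAX_FIELD
                ? printable.substring(0, MAX_FIELD) + "..."
                : printable;
    }
}
```

Two settings in the security configuration go with this endpoint: it must be permitted for unauthenticated requests (the browser sends the report without credentials), and it must be excluded from CSRF protection, since the browser cannot attach a token (`csrf().ignoringAntMatchers("/csp-report-endpoint/")` in Spring Security 5.x, `ignoringRequestMatchers` from 5.8 on). Start with `Content-Security-Policy-Report-Only` while tuning the policy so that reports arrive without anything being blocked.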

Slide 35

Test Your Security Headers
https://securityheaders.com

Slide 36

6. Use OAuth 2.0 and OpenID Connect
(layer diagram) OpenID Connect / OAuth 2.0 / HTTP
OpenID Connect is for authentication
OAuth 2.0 is for authorization

Slide 37

Slide 37 text

Authorization Code Flow Example
https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway

Slide 38

Slide 38 text

Does OAuth 2.0 feel like a maze of specs?
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

Slide 39

Slide 39 text

OAuth 2.1 to the rescue! https://oauth.net/2.1
PKCE is required for all clients using the authorization code flow
Redirect URIs must be compared using exact string matching
The Implicit grant is omitted from this specification
The Resource Owner Password Credentials grant is omitted from this specification
Bearer token usage omits the use of bearer tokens in the query string of URIs
Refresh tokens for public clients must either be sender-constrained or one-time use
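The first OAuth 2.1 rule, PKCE for every authorization-code client, is small enough to show end to end. The class below is an added example (mine, not the deck's and not Spring Security's implementation, which handles PKCE for you in the OAuth client): the client generates a random `code_verifier`, sends `code_challenge = BASE64URL(SHA-256(code_verifier))` with the authorization request, and later sends the verifier with the token request; the authorization server recomputes the challenge and compares it in constant time, which is what ties the token request to the browser that started the flow. The `main` method checks the implementation against the test vector in RFC 7636, Appendix B.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/** PKCE (RFC 7636) helper using the S256 challenge method. Example code, not from the deck. */
public final class Pkce {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    private Pkce() {
    }

    /** Client side: 32 random bytes become a 43-character base64url verifier (RFC allows 43..128). */
    public static String newCodeVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    /** Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), sent with the auth request. */
    public static String codeChallenge(String codeVerifier) {
        return B64URL.encodeToString(sha256(codeVerifier.getBytes(StandardCharsets.US_ASCII)));
    }

    /**
     * Server side, at the token endpoint: reject malformed verifiers outright, then recompute
     * the challenge stored with the authorization code and compare without leaking timing.
     */
    public static boolean verify(String codeVerifier, String storedChallenge) {
        if (codeVerifier == null || storedChallenge == null
                || codeVerifier.length() < 43 || codeVerifier.length() > 128
                || !codeVerifier.matches("[A-Za-z0-9._~-]+")) {
            return false;
        }
        byte[] expected = codeChallenge(codeVerifier).getBytes(StandardCharsets.US_ASCII);
        byte[] presented = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, presented);
    }

    private static byte[] sha256(byte[] input) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required of every Java runtime", e);
        }
    }

    public static void main(String[] args) {
        // Known-answer check from RFC 7636, Appendix B
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        if (!codeChallenge(rfcVerifier).equals(rfcChallenge)) {
            throw new AssertionError("S256 challenge does not match the RFC 7636 test vector");
        }
        if (!verify(rfcVerifier, rfcChallenge)) {
            throw new AssertionError("the correct verifier must be accepted");
        }
        // A fresh verifier (a different client, or a stolen authorization code) must be rejected
        if (verify(newCodeVerifier(), rfcChallenge)) {
            throw new AssertionError("a different verifier must be rejected");
        }
        System.out.println("PKCE round trip OK");
    }
}
```

The verifier is only ever sent over the back-channel token request, so an attacker who intercepts the authorization code from the redirect URI cannot redeem it: that is the property the 2.1 draft wants for every client, not just native apps.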

Slide 40

Slide 40 text

7. Prevent CSRF Attacks

Slide 41

Slide 41 text

Configure CSRF Protection with Spring Security

    @Configuration
    public class SecurityConfiguration {

        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            // Store the CSRF token in an XSRF-TOKEN cookie that JavaScript can read,
            // so a browser client can echo it back in the X-XSRF-TOKEN header
            http
                .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
            return http.build();
        }
    }
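`withHttpOnlyFalse()` exists for clients such as Angular's `HttpClient`, which reads the `XSRF-TOKEN` cookie and sends its value back in an `X-XSRF-TOKEN` header; the cookie is not the secret, the requirement that the same value appears in the header is. The most useful thing to add to a configuration like this is a test that proves the filter is actually on. The Spring Boot test below is an added example (mine, not from the deck): it assumes the application has a state-changing endpoint at `/api/notes` (hypothetical) and uses Spring Security's `csrf()` request post-processor, which stores a valid token in whatever repository is configured.

```java
package com.example.security;   // hypothetical package name

import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class CsrfProtectionTest {

    // Hypothetical state-changing endpoint in the application under test
    private static final String ENDPOINT = "/api/notes";
    private static final String BODY = "{\"text\":\"hello\"}";

    @Autowired
    MockMvc mockMvc;

    @Test
    @WithMockUser
    void postWithoutTokenIsRejected() throws Exception {
        // An authenticated session but no token: the shape of a cross-site request
        mockMvc.perform(post(ENDPOINT).contentType(MediaType.APPLICATION_JSON).content(BODY))
                .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser
    void postWithWrongTokenIsRejected() throws Exception {
        // A token that does not match the one in the repository must also be refused
        mockMvc.perform(post(ENDPOINT).with(csrf().useInvalidToken())
                        .contentType(MediaType.APPLICATION_JSON).content(BODY))
                .andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser
    void postWithValidTokenPassesTheFilter() throws Exception {
        // Whatever the endpoint itself returns, the CSRF filter must no longer answer 403
        mockMvc.perform(post(ENDPOINT).with(csrf())
                        .contentType(MediaType.APPLICATION_JSON).content(BODY))
                .andExpect(result -> assertThat(result.getResponse().getStatus()).isNotEqualTo(403));
    }
}
```

If the first test passes with a 200 instead of a 403, CSRF protection has been disabled somewhere (`csrf().disable()` is a common copy-paste leftover), which is exactly the regression this test exists to catch.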

Slide 42

Slide 42 text

SameSite Cookies

Slide 43

Slide 43 text

Demos! 🍃 🅰 🤓

Slide 44

Slide 44 text

Recap: 7 Simple Ways to Better Web App Security
1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)

Slide 45

Slide 45 text

developer.okta.com/blog/tags/java @oktadev

Slide 46

Slide 46 text

developer.auth0.com @auth0

Slide 47

Slide 47 text

Curious About Microservice Security?
https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

Slide 48

Slide 48 text

Or Auth Security Patterns?
https://bit.ly/mraible-springone-2021
https://youtu.be/CebTJ7Nq1Hs

Slide 49

Slide 49 text

Thanks! Keep in Touch
raibledesigns.com
@mraible
Presentations: speakerdeck.com/mraible
Code: github.com/oktadev
developer.okta.com
developer.auth0.com

Slide 50

Slide 50 text

developer.okta.com