© 2013 SpringOne 2GX. All rights reserved. Do not distribute without permission.

Application Security PitfallsBy Mike Wiesner

mwiesner@gopivotal.comhttps://github.com/mikewiesner/security-patterns-2013

Mike Wiesner• Technical Instructor @Pivotal• 10+ years experience in Java

–As developer, consultant and instructor• Focus on Application Security and Enterprise Integration• Spring Security contributor

2

ApplicationSecurity?

Enterprise Java = Spring

Spring + Security=

Spring Security

Done?

OWASP Top Ten

7

Spring Security

Spring Security3.2

• Injection• Cross-Site Scripting (XSS)• Broken Authentication and Session Management• Insecure Direct Object References• Cross-Site Request Forgery (CSRF)• Security Misconfiguration• Insecure Cryptographic Storage• Failure to Restrict URL Access• Insufficient Transport Layer Protection• Unvalidated Redirects and Forwards•

Security is a process

select * from users whereuser = 'user' andpassword = '' or '1' = '1'

Login

BBI Webserver

Client

Database

' or '1' = '1

user

9

SQL Injection

XML Processing

10

fromFile newOrderXml

download

box

downloadSecured

boxSecured

11

XML Processing

Still awake?

DemoTime!

InputValidation

public class Address {

@NotNull @Length(max=30)private String addressline1;

@Length(max=30)private String addressline2;

}

15

JSR-303: Bean Validation

TrustZones

DemoTime!

OWASP Top Ten

20

Spring Security

Spring Security3.2

Your code

• Injection• Cross-Site Scripting (XSS)• Broken Authentication and Session Management• Insecure Direct Object References• Cross-Site Request Forgery (CSRF)• Security Misconfiguration• Insecure Cryptographic Storage• Failure to Restrict URL Access• Insufficient Transport Layer Protection• Unvalidated Redirects and Forwards•

Spring MVC

Services

Spring Data Repos

DB

21

Typical Architecture

Spring MVC

Services

Spring Data Repos

DB

webmvc-config.xml

application-context.xml

application-context-jpa.xmlpersistence.xml

prod/test-infrastructure.xml

Servlet Container web.xml

22

Spring XML & Servlet 2.5 config

Spring MVC

Services

Spring Data Repos

DB

SpringWebMvcConfig.java

SpringCoreConfig.java

SpringRepoConfig.java

InfraProductionConfig.java

Servlet Container WebContainerConfig.java

23

Spring Java and Servlet 3.x config

DemoTime!

Servlet 3.x web.xml replacements• Dynamic configuration available with:• Annotated web components

–E.g. @WebServlet, @WebFilter–Disable with metadata-complete="true" in web.xml

• Web fragments–web-fragmet.xml–E.g. Spring WebApplicationInitializer–Disable with <absolute-ordering/> in web.xml

25

spring-web.jar

META-INF/web-fragment.xml

META-INF/services/javax.servlet.ServletContainerInitializer

org.springframework.web.SpringServletContainerInitializer

org.springframework.web.WebApplicationInitializer

How Springs WAI works

26

DemoTime!

“Hidden” Framework features

DemoTime!

OWASP Top Ten

30

Spring Security

Spring Security3.2

Your code

• Injection• Cross-Site Scripting (XSS)• Broken Authentication and Session Management• Insecure Direct Object References• Cross-Site Request Forgery (CSRF)• Security Misconfiguration• Insecure Cryptographic Storage• Failure to Restrict URL Access• Insufficient Transport Layer Protection• Unvalidated Redirects and Forwards

Done?

Internet Tomcat

Browser

File-System

../

%C0%AE%C0%AE%C0%AF

32

Encoding Problems

Defensein Depth

Conclusion• Application Security is a process, not a feature.• EVERY developer needs to know about Application Security• Shouldn’t negatively impact innovation and architecture• Frameworks can help you

–But you need to understand them

34

Learn More. Stay Connected.

Questions?mwiesner@gopivotal.comhttps://github.com/mikewiesner/security-patterns-2013

Talk to us on Twitter: @springcentralFind session replays on YouTube: spring.io/video