Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more! You’ll learn how to add these features to a real application, using the Java language you know and love.
YouTube: https://www.thesecuredeveloper.com/post/10-excellent-ways-to-secure-your-spring-boot-application
Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
4. Use HTTPS Everywhere!
Let’s Encrypt offers free HTTPS certificates
certbot can be used to generate certificates
mkcert can be used to create localhost certificates
Spring Boot Starter ACME for automating certificates
5. @Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requiresChannel().anyRequest().requiresSecure();
}
}
43. It should not be predictable
hash(“TSD0”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
hash(“TSD1”) = 98eadd540e6c0579a1bcbe375c8d1ae2863beacdfb9af803e5f4d6dd1f8926c2
hash(“TSD2”) = 665ec59d7fb01f6070622780e744040239f0aaa993eae1d088bc4f0137d270ef
hash(“TSD3”) = 7ae89eb10a765ec2459bee59ed1d3ed97dbb9f31ec5c7bd13d19380bc39f5288
44. One to one mapping
hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
hash(“123”) != 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
55. OWASP Zed Attack Proxy
Two approaches: Spider and Active Scan
Spider starts with a seed of URLs
Active Scan records a session then plays it back, scanning for known
vulnerabilities
56. Learn More about ZAP
Homepage
www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
GitHub
github.com/zaproxy/zaproxy
Twitter
twitter.com/zaproxy
60. Code Review topics
1. Identify and validate any third party input
2. Never store credentials as code/config
3. Test for new security vulnerabilities in third-party open source dependencies.
4. Authenticate inbound requests
5. Enforce the least privilege principle
6. Prefer whitelist over blacklist
7. Handle sensitive data with care
8. Do not allow back doors in your code
9. Protect against well-known attacks
10.Statically test your source code on every PR, automatically
61. 10 Excellent Ways to Secure Spring Boot
1. Use HTTPS
2. Scan dependencies
3. Dependencies up-to-date
4. Enable CSRF protection
5. Use a Content Security Policy
6. Use OIDC
7. Hash passwords
8. Store secrets securely
9. Test with OWASP's ZAP
10.Code review with experts