Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more! You’ll learn how to add these features to a real application, using the Java language you know and love. YouTube: https://www.thesecuredeveloper.com/post/10-excellent-ways-to-secure-your-spring-boot-application Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/

1. 10 Excellent Ways to Secure Your Spring
Boot Application
June 6, 2019
Simon Maple and Matt Raible
@sjmaple | @mraible
thesecuredeveloper.com

2. 10 Excellent Ways…
http://bit.ly/secure-spring-boot

3. 1. Use HTTPS in Production

4. Use HTTPS Everywhere!
Let’s Encrypt offers free HTTPS certificates
certbot can be used to generate certificates
mkcert can be used to create localhost certificates
Spring Boot Starter ACME for automating certificates

5. @Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requiresChannel().anyRequest().requiresSecure();
}
}

6. @Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requiresChannel()
.requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
.requiresSecure();
}
}

7. Life hack: Night lights

9. 2. Scan Your Dependencies
for Vulnerabilities

11. Source: SecurityIntelligence.com
Java Struts 2 RCE Vulnerability
CVE 2017-5638

12. Java Struts 2 RCE Vulnerability
CVE 2017-5638
Source: SecurityIntelligence.com

13. Your Code
Your App

14. Serverless Example: Fetch file & store in s3
(Serverless Framework Example)
19 Lines of Code
2 Direct dependencies
19 dependencies (incl. indirect)
191,155 Lines of Code

15. https://snyk.io/opensourcesecurity-2019

16. Demo

17. 3. Upgrade To Latest Releases

19. How well do you know your dependencies?

20. Checking for Updates with npm
npm i -g npm-check-updates
ncu

21. Checking for Updates with Maven
mvn versions:display-dependency-updates

22. Checking for Updates with Gradle
gradle dependencyUpdates -Drevision=release

23. Life hack: Straight cuts

25. 4. Enable CSRF Protection

26. @EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.csrfTokenRepository(
CookieCsrfTokenRepository.withHttpOnlyFalse());
}
}

27. 5. Use a Content Security Policy to
Prevent XSS Attacks

28. @spring_io
#springio17
Default Spring Security Headers
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

29. @EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.headers()
.contentSecurityPolicy("script-src 'self' " +
"https://trustedscripts.example.com; " +
"object-src https://trustedplugins.example.com; " +
"report-uri /csp-report-endpoint/");
}
}

30. securityheaders.com

31. @spring_io
#springio17
Better Web Site Security How-To
developer.okta.com/blog/2019/04/11/site-security-cloudflare-netlify

32. Life hack: Peppermint tea

34. 6. Use OpenID Connect for
Authentication

36. @spring_io
#springio17
Spring Security OIDC Configuration
spring:
security:
oauth2:
client:
registration:
okta:
client-id: {clientId}
client-secret: {clientSecret}
provider:
okta:
issuer-uri: https://{yourOktaDomain}/oauth2/default

37. OIDC Authentication Demo
@Grab('spring-boot-starter-oauth2-client')
@RestController
class Application {
@GetMapping('/')
String home(java.security.Principal user) {
‘Hello ' + user.name
}
}

38. Works with Spring WebFlux
developer.okta.com/blog/2018/11/26/spring-boot-2-dot-1-oidc-oauth2-reactive-apis

39. And JHipster!
developer.okta.com/blog/2019/04/04/java-11-java-12-jhipster-oidc

40. 7. Managing Passwords?
Use Password Hashing!

41. hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
Deterministic

42. One-way function
hash(“TSD”) =3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
unhash(“3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3”) = ???

43. It should not be predictable
hash(“TSD0”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
hash(“TSD1”) = 98eadd540e6c0579a1bcbe375c8d1ae2863beacdfb9af803e5f4d6dd1f8926c2
hash(“TSD2”) = 665ec59d7fb01f6070622780e744040239f0aaa993eae1d088bc4f0137d270ef
hash(“TSD3”) = 7ae89eb10a765ec2459bee59ed1d3ed97dbb9f31ec5c7bd13d19380bc39f5288

44. One to one mapping
hash(“TSD”) = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
hash(“123”) != 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3

45. @Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
Hashed passwords in Spring

46. @Autowired
private PasswordEncoder passwordEncoder;
public String hashPassword(String password) {
return passwordEncoder.encode(password);
}
Hashed passwords in Spring

47. Life hack: Pasta holder

49. 8. Store Secrets Securely

51. https://github.com/awslabs/git-secrets

52. <dependencies>
<dependency>
<groupId>org.springframework.vault</groupId>
<artifactId>spring-vault-code</artifactId>
<version>2.2.RELEASE</version>
</dependency>
</dependencies>
Spring Vault

53. Spring Vault
@Value(”${password}”)
String password;

54. 9. Test Your App with OWASP’s ZAP

55. OWASP Zed Attack Proxy
Two approaches: Spider and Active Scan
Spider starts with a seed of URLs
Active Scan records a session then plays it back, scanning for known
vulnerabilities

56. Learn More about ZAP
Homepage
www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
GitHub
github.com/zaproxy/zaproxy
Twitter
twitter.com/zaproxy

57. Life hack: Boiling water

59. 10. Have Your Security Team
do a Code Review

60. Code Review topics
1. Identify and validate any third party input
2. Never store credentials as code/config
3. Test for new security vulnerabilities in third-party open source dependencies.
4. Authenticate inbound requests
5. Enforce the least privilege principle
6. Prefer whitelist over blacklist
7. Handle sensitive data with care
8. Do not allow back doors in your code
9. Protect against well-known attacks
10.Statically test your source code on every PR, automatically

61. 10 Excellent Ways to Secure Spring Boot
1. Use HTTPS
2. Scan dependencies
3. Dependencies up-to-date
4. Enable CSRF protection
5. Use a Content Security Policy
6. Use OIDC
7. Hash passwords
8. Store secrets securely
9. Test with OWASP's ZAP
10.Code review with experts

62. snyk.io/blog/spring-boot-security-best-practices

63. Bonus: Don’t Allow Your
Lack of Security to be Disturbing

65. Questions?
Keep in touch!
@sjmaple
@mraible
Presentation
speakerdeck.com/mraible
Code
github.com/oktadeveloper