real world java web security
play

Real World Java Web Security Java User Group Karlsruhe Dominik - PowerPoint PPT Presentation

Dec 20, 2022 •38 likes •738 views

Real World Java Web Security Java User Group Karlsruhe Dominik Schadow | bridgingIT Who thinks about architecture while coding? architecture before coding? Who thinks about security while coding? security before

  1. Real World Java Web Security Java User Group Karlsruhe Dominik Schadow | bridgingIT

  2. Who thinks about … … architecture while coding? … architecture before coding?

  3. Who thinks about … … security while coding? … security before coding?

  4. OWASP TOP 10 2013 (1) Injection (2) Broken Authentication and Session Management (3) Cross-Site Scripting (XSS) (4) Insecure Direct Object References (5) Security Misconfiguration (6) Sensitive Data Exposure (7) Missing Function Level Access Control (8) Cross-Site Request Forgery (CSRF) (9) Using Components with Known Vulnerabilities (10) Unvalidated Redirects and Forwards

  5. Software that is secure by design Know the web application Know all external entities Identify all data flows Identify all risks

  6. Threat model

  7. Avoid design flaws

  9. Fight the identified threats

  10. Maintain all threat models

  11. Instrument the Browser

  12. Defense in Depth

  13. Force HTTPS

  14. @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void doFilter(…) { HttpServletResponse response = (HttpServletResponse) res; response.addHeader( "Strict-Transport-Security", "max-age=31556926"); chain.doFilter(req, response); } // … }

  15. @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void doFilter(…) { HttpServletResponse response = (HttpServletResponse) res; response.addHeader( "Strict-Transport-Security", "max-age=31556926"); chain.doFilter(req, response); } // … }

  16. @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void doFilter(…) { HttpServletResponse response = (HttpServletResponse) res; response.addHeader( "Strict-Transport-Security", "max-age=31556926"); chain.doFilter(req, response); } // … }

  17. @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void doFilter(…) { HttpServletResponse response = (HttpServletResponse) res; response.addHeader( "Strict-Transport-Security", "max-age=31556926"); chain.doFilter(req, response); } // … }

  18. @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void doFilter(…) { HttpServletResponse response = (HttpServletResponse) res; response.addHeader( "Strict-Transport-Security", "max-age=31556926"); chain.doFilter(req, response); } // … }

  19. @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void doFilter(…) { HttpServletResponse response = (HttpServletResponse) res; response.addHeader( "Strict-Transport-Security", "max-age=31556926;includeSubDomains"); chain.doFilter(req, response); } // … }

  20. Prevent framing

  21. response.addHeader( "X-Frame-Options", "DENY" );

  22. response.addHeader( "X-Frame-Options", "DENY" );

  23. response.addHeader( "X-Frame-Options", "DENY" );

  24. response.addHeader( "X-Frame-Options", "SAME-ORIGIN" );

  25. response.addHeader( "X-Frame-Options", "ALLOW-FROM http://www.safe.de" );

  26. Prevent Cross-Site Scripting

  27. response.addHeader( "Content-Security-Policy", "default-src 'self'" );

  28. response.addHeader( "Content-Security-Policy", "default-src 'self'" );

  29. response.addHeader( "Content-Security-Policy", "default-src 'self'" );

  30. Content Security Policy Directives default-src default if specific directive is not set object-src Sources in object, embed or applet tags script-src Script sources (includes XSLT) connect-src XMLHttpRequest, WebSocket, … font-src Font sources frame-src Sources embeddable as frames img-src Image sources media-src Video and audio sources style-src CSS sources (does not include XSLT) www.w3.org/TR/CSP

  31. response.addHeader( "Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; report-uri CSPReporting" );

  32. response.addHeader( "Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; report-uri CSPReporting" );

  33. Violation Report { "document-uri":"http://.../reporting.jsp? name=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E", „referrer“:"http://www.sample.com/security-header/ index.jsp", "blocked-uri":"self", "violated-directive":"default-src http://www.sample.com", "source-file":"http://.../reporting.jsp? 
 name=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E", "script-sample":"alert('XSS')", "line-number":10 }

  34. Content Security Policy Level 2 frame-ancestors Allow resource frame embedding Obsoletes X-Frame-Options header reflected-xss (De-)activate user agent XSS heuristics Obsoletes X-XSS-Protection header child-src Replaces frame-src form-action Form targets to send data to plugin-types Allowed plug-ins (their MIME type) referrer Referrer URL exposed to others sandbox Load resource in restricted sandbox www.w3.org/TR/CSP2

  35. response.addHeader( "Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'" );

  36. response.addHeader( "Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'" );

  39. Demo

  40. And now?

  41. OWASP TOP 10 Proactive Controls (1) Parameterize Queries (1) Parameterize Queries (2) Encode Data (2) Encode Data (3) Validate All Inputs (3) Validate All Inputs (4) Implement Appropriate Access Controls (4) Implement Appropriate Access Controls (5) Establish Identity and Authentication Controls (5) Establish Identity and Authentication Controls (6) Protect Data and Privacy (6) Protect Data and Privacy (7) Implement Logging, Error Handling and Intrusion Detection (7) Implement Logging, Error Handling and Intrusion Detection (8) Leverage Security Features of Frameworks and Security Libraries (8) Leverage Security Features of Frameworks and Security Libraries (9) Include Security-Specific Requirements (9) Include Security-Specific Requirements (10) Design and Architect Security in (10) Design and Architect Security in Threat Modeling

  42. Leverage Security Features of Frameworks and Security Libraries

  43. Use it!

  44. Spring Security (Java config) adds headers automatically X-Content-Type-Options Cache-Control X-Frame-Options HTTP Strict Transport Security X-XSS-Protection

  45. Frameworks and libraries decline

  47. <reporting> <plugins><plugin> <groupId>org.owasp</groupId> <artifactId>dependency-check-maven</artifactId> <version>1.3.1</version> <reportSets> <reportSet> <reports> <report>aggregate</report> </reports> </reportSet> </reportSets> </plugin></plugins> </reporting>

  50. Implement Appropriate Access Controls Establish Identity and Authentication Controls

  51. Standardized building blocks

  52. 4E01EF46D8446D1C 10CB5C08EDA69DD1 User usually receives a session id when visiting web application

  53. Demo

  54. Protect Data and Privacy

  56. Slow down brute force attacks

  57. PBKDF2 Iterations against brute force attacks Available in plain Java

  58. Demo

  59. bcrypt Iterations against brute force attacks Integrated in Spring Security

  60. @Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(10); } }

  61. @Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(10); } }

  62. @Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(10); } }

  63. @Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(10); } }

  64. scrypt Memory against brute force attacks Best protection against dictionary attacks

  65. Summary

  66. Plan security with threat modeling

  67. Think (like an attacker) during implementation

  68. Keep 3rd party libraries up-to-date

  69. Enjoy secure programming

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next,

Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next,

CS 166: Information Security Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next, we look at real protocols SSH a simple &amp; useful security protocol SSL practical security on the Web

1.27k views • 112 slides
Computer Security in the Real World Butler Lampson Microsoft 1 Security: The Goal Computers

Computer Security in the Real World Butler Lampson Microsoft 1 Security: The Goal Computers

Computer Security in the Real World Butler Lampson Microsoft 1 Security: The Goal Computers are as secure as real world systems, and people believe it . This is hard because: Computers can do a lot of damage fast. There are many

391 views • 28 slides
Using Formal Methods for VLSI Development Using Java and JML in the Real World Joseph

Using Formal Methods for VLSI Development Using Java and JML in the Real World Joseph

Using Formal Methods for VLSI Development Using Java and JML in the Real World Joseph Kiniry Department of Computer Science University College Dublin Asynchronous VLSI What is AVLSI? delay insensitive circuits power invariant

255 views • 13 slides
XML in the real world XML in the real world XML agentzh ( )

XML in the real world XML in the real world XML agentzh ( )

XML in the real world XML in the real world XML agentzh ( ) 2006.10 RSS is cool ! RSS RSS Really Simple Syndication Tired of checking your favorite news and blogs sites everyday?

786 views • 75 slides
Security Profs. Bracy and Van Renesse based on slides by Prof. Sirer Security in the real world

Security Profs. Bracy and Van Renesse based on slides by Prof. Sirer Security in the real world

Security Profs. Bracy and Van Renesse based on slides by Prof. Sirer Security in the real world Security decisions based on: Value: How much is it worth? Locks: How hard is it to circumvent protection? Police: What are the

980 views • 47 slides
Java Technologies Java EE Security Securing Applications Software Security - Protecting

Java Technologies Java EE Security Securing Applications Software Security - Protecting

Java Technologies Java EE Security Securing Applications Software Security - Protecting applications against malicious / unauthorized actions Desktop What kind of code is executed by the application, on the client machine? Where

702 views • 33 slides
Serverless and Java in the Real World @johnchapin | john@symphonia.io Fearless AWS Lambdas QCon

Serverless and Java in the Real World @johnchapin | john@symphonia.io Fearless AWS Lambdas QCon

Serverless and Java in the Real World @johnchapin | john@symphonia.io Fearless AWS Lambdas QCon NYC 2017 https://bit.ly/symph-qcon-fearless Learning Lambda Mike Roberts mike@symphonia.io https://bit.ly/symph-ll Agenda 1. Choosing Java for

724 views • 45 slides
Accountability and Freedom Butler Lampson Microsoft September 26, 2005 1 Real-World Security

Accountability and Freedom Butler Lampson Microsoft September 26, 2005 1 Real-World Security

Accountability and Freedom Butler Lampson Microsoft September 26, 2005 1 Real-World Security It s about risk, locks, and deterrence . Risk management: cost of security &lt; expected loss Perfect security costs way too much

707 views • 26 slides
Java in the Real World Final Exam Logistics The final exam is next Wednesday, March 21 from

Java in the Real World Final Exam Logistics The final exam is next Wednesday, March 21 from

Java in the Real World Final Exam Logistics The final exam is next Wednesday, March 21 from 12:15PM 3:15PM Rooms divvied up by last name: A B: Go to 300-300 C L: Go to Cubberly Auditorium M R: Go to Hewlett 201

621 views • 18 slides
1 Hello, World! Hello, World! System.out is an A program is a sequence of instructions expressed

1 Hello, World! Hello, World! System.out is an A program is a sequence of instructions expressed

Course Overview Web site Syllabus CSC 2014 Java Bootcamp Schedule Lecture slides Reading Assignments &amp; Textbook Handouts Lecture 1 Welcome, Strings &amp; Printing 2 The Java Programming Language The Java

558 views • 6 slides
Real-Time Java for Latency Critical Banking Applications Real-Time Bertrand Delsart System

Real-Time Java for Latency Critical Banking Applications Real-Time Bertrand Delsart System

Real-Time Java for Latency Critical Banking Applications Real-Time Bertrand Delsart System JavaRTS Technical Leader Author of Sun's RTGC technology Agenda Background Benefits of a Real-Time Java Virtual Machine Benefits of

554 views • 36 slides
CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong Applying Differential Privacy Real world deployments of differential privacy OnTheMap RAPPOR Module 4 Tutorial: Differential Privacy in the Wild

617 views • 30 slides
Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on

Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on

Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy ibenik, Croatia June 17 th , 2019 Outline Security of the Diffie-Hellman Key Exchange Man-in-the-Middle attacks

1.09k views • 85 slides
Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 24 Example 1: the Morris worm (1988) first

695 views • 24 slides
The need for a formal model of Java Safety guarantees of Java definedness type safety

The need for a formal model of Java Safety guarantees of Java definedness type safety

Making the Java Memory Model Safe Andreas Lochbihler Institute for Information Security ETH Zurich supported by DFG Sn11/10-1,2 The need for a formal model of Java Safety guarantees of Java definedness type safety security

595 views • 44 slides
Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability Gap in Online Banking NSPW Presentation - Sep 19, 2007 Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van Oorschot Carleton University Mohammad Mannan Sep 19, 2007 1 Security

544 views • 22 slides
COSC 4P14 What else could we discuss? Brock University Brock University What else could we

COSC 4P14 What else could we discuss? Brock University Brock University What else could we

COSC 4P14 What else could we discuss? Brock University Brock University What else could we discuss? 1 / 28 Theres so much more out there! No matter how much time we spent here, we could never hope to cover every notable networked

673 views • 28 slides
7/11/2019 Quality Improvement in Primary Healthcare Melissa Williams Go to training Open and

7/11/2019 Quality Improvement in Primary Healthcare Melissa Williams Go to training Open and

7/11/2019 Quality Improvement in Primary Healthcare Melissa Williams Go to training Open and hide your control panel Join audio: Choose Mic &amp; Speakers to use VoIP or you can Choose Telephone and dial using the

318 views • 13 slides
Integrating Financial Capability Services Kori Hattemer HPOG Annual Meeting February 18, 2016

Integrating Financial Capability Services Kori Hattemer HPOG Annual Meeting February 18, 2016

Integrating Financial Capability Services Kori Hattemer HPOG Annual Meeting February 18, 2016 www.cfed.org @CFED /CFEDNews cfed.org/blog/inclusiveeconomy Who We Are Our mission at CFED is to make it possible for millions of people to

615 views • 35 slides
Todays Host @CFEDNews facebook.com/CFEDNews cfed.org/blog/inclusiveeconomy @CFEDNews

Todays Host @CFEDNews facebook.com/CFEDNews cfed.org/blog/inclusiveeconomy @CFEDNews

Todays Host @CFEDNews facebook.com/CFEDNews cfed.org/blog/inclusiveeconomy @CFEDNews facebook.com/CFEDNews cfed.org/blog/inclusiveeconomy Housekeeping Trouble dialing in? Just listen through your computer with speakers or

661 views • 26 slides
Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner

Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner

Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Table of Contents Presentation Stored XSS Reflected

792 views • 50 slides
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314 Chapter 18: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314 Chapter 18: 1 Chapter

Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1314 Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTML + HTTP CSS data request web server backend systems Chapter 18: 3 Web 1.0 Shorthand

1.09k views • 91 slides
Building a Scalable Recommender System with Apache Spark, Apache Kafka and Elasticsearch About

Building a Scalable Recommender System with Apache Spark, Apache Kafka and Elasticsearch About

Nov / 14 / 16 Nick Pentreath Building a Scalable Recommender System with Apache Spark, Apache Kafka and Elasticsearch About @MLnick Principal Engineer, IBM Apache Spark PMC Focused on machine learning Author of Machine Learning

666 views • 53 slides
Modeling Social Networking Privacy Carolina Dania IMDEA Software Institute - Spain Universidad

Modeling Social Networking Privacy Carolina Dania IMDEA Software Institute - Spain Universidad

Modeling Social Networking Privacy Carolina Dania IMDEA Software Institute - Spain Universidad Complutense de Madrid (Partially funded by NeSSOS) Supervisors Manuel Clavel Marina Egea IMDEA Software Institute Atos Research &amp; Innovation

1.31k views • 109 slides

More recommend