secure by default web applications with apache sling
play

Secure by Default Web Applications With Apache Sling Robert - PowerPoint PPT Presentation

Feb 07, 2023 •199 likes •610 views

Secure by Default Web Applications With Apache Sling Secure by Default Web Applications With Apache Sling Robert Munteanu, Adobe Systems ApacheCon Core 2016 http://robert.muntea.nu @rombert Who I am $DAYJOB Open Source Adobe

  1. Secure by Default Web Applications With Apache Sling Secure by Default Web Applications With Apache Sling Robert Munteanu, Adobe Systems ApacheCon Core 2016 http://robert.muntea.nu @rombert

  2. Who I am  $DAYJOB  Open Source  Adobe Experience  Apache Sling Manager  MantisBT  Apache Sling  Mylyn Connector for MantisBT  Apache Jackrabbit  Mylyn Connector for Review  Apache Felix Board http://robert.muntea.nu @rombert

  3. Purpose of the talk Scope Cost Schedule http://robert.muntea.nu @rombert

  4. Purpose of the talk Scope Cost Schedule http://robert.muntea.nu @rombert

  5. Purpose of the talk Scope Cost Schedule http://robert.muntea.nu @rombert

  6. Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A http://robert.muntea.nu @rombert

  7. Apache Sling – Brief History 200x 2007 2009 2015 Pre-Apache Incubation TLP Version 8 http://robert.muntea.nu @rombert

  8. Apache Sling – Code Statistics http://robert.muntea.nu @rombert

  9. Apache Sling – Contributor activity http://robert.muntea.nu @rombert

  10. Apache Sling – Value proposition ● Content-oriented ● RESTful ● Lightweight ● Integrated authentication and authorization ● OSGi-powered ● Scripting inside ● Easily deployable http://robert.muntea.nu @rombert

  11. Apache Sling – Content-Oriented Blog posts Images Users and Groups http://robert.muntea.nu @rombert

  12. Apache Sling – Content-Oriented Server-side templates and scripts Configurations http://robert.muntea.nu @rombert

  13. Apache Sling – RESTful ↵ $ h t t p l o c a l h o s t : 8 0 8 0 / c o n t e n t / b l o g / p o s t s / h e l l o _ w o r l d . h t m l j s o n x m l t x t p d f p h p 3 http://robert.muntea.nu @rombert

  14. Apache Sling – RESTful http://robert.muntea.nu @rombert

  15. Apache Sling – Persistence via JCR http://robert.muntea.nu @rombert

  16. Apache Sling – Topologies Standalone High Availability http://robert.muntea.nu @rombert

  17. Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A http://robert.muntea.nu @rombert

  18. Demo App – main page http://robert.muntea.nu @rombert

  19. Demo App – Article Page http://robert.muntea.nu @rombert

  20. Demo App – Submitting comments http://robert.muntea.nu @rombert

  21. Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A http://robert.muntea.nu @rombert

  22. Threat modelling “Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could afgect your application” Threat Modeling Web Applications on MSDN http://robert.muntea.nu @rombert

  23. Threat Modelling - Assets http://robert.muntea.nu @rombert

  24. Threat Modelling - Assets ● Availability ● Content ● User Credentials ● Ability to execute code on server ● Ability to execute code in the browser context http://robert.muntea.nu @rombert

  25. Threat Modelling - Trust Levels http://robert.muntea.nu @rombert

  26. Threat Modelling - Trust Levels 1. Anonymous 2. Author 3. Administrator http://robert.muntea.nu @rombert

  27. Threat Modelling - Threats OWASP http://robert.muntea.nu @rombert

  28. Threat Modelling - Threats 1. Denial of Service 2. Defacement / Deletion 3. Leaking credentials 4. SQL/Shell Injection 5. Stored/Reflected XSS http://robert.muntea.nu @rombert

  29. Threat Modelling - Mitigation http://robert.muntea.nu @rombert

  30. Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A http://robert.muntea.nu @rombert

  31. Apache Sling Security – Natural layering of ACEs http://robert.muntea.nu @rombert

  32. Apache Sling Security – Security applied at the lowest level $ h t t p - - a u t h b o b : b o b l o c a l h o s t : 8 0 8 0 / c o n t e n t / b l o g / p o s t s / n e w _ b l o g _ p o s t ' j c r \ : t i t l e = N e w p o s t ' http://robert.muntea.nu @rombert

  33. Apache Sling Security – Context-aware templating language < d i v c l a s s = " c o m m e n t c l e a r f i x " > < i m g c l a s s = " a v a t a r i m g - r o u n d e d p u l l - l e f t " s r c = " $ { r e s o u r c e . v a l u e M a p [ ' a u t h o r A v a t a r ' ] } " / > < h 3 > $ { r e s o u r c e . v a l u e M a p [ ' j c r : t i t l e ' ] } < / h 3 > < p > $ { r e s o u r c e . v a l u e M a p [ ' j c r : d e s c r i p t i o n ' ] } < / p > < / d i v > http://robert.muntea.nu @rombert

  34. Apache Sling Security – Injection-safe APIs Children of /content/blog/posts http://robert.muntea.nu @rombert

  35. Apache Sling Security – Injection-safe APIs Children of /content/blog/comments/ hello_world http://robert.muntea.nu @rombert

  36. Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A http://robert.muntea.nu @rombert

  37. Demo Application – Actual demo!!!!1oneone http://robert.muntea.nu @rombert

  38. Conclusions – Security ● Aim to be “Secure by Default” ● Build a threat model for your application ● Look for components that eliminate problems altogether http://robert.muntea.nu @rombert

  39. Conclusions – Apache Sling ● Simple to be “Secure by Default” ● Eventing, Thread Pooling, Job Management, Caching ● Scripting: Groovy, Scala, JSP, Sightly, Java, Ruby, Thymeleaf ● Flexible resource rendering with resource types ● Very extensible due to being internally powered by OSGi – most extension points available to clients http://robert.muntea.nu @rombert

  40. Resources ● Apache Sling – https://sling.apache.org ● Apache Jackrabbit ● https://jackrabbit.apache.org ● http://jackrabbit.apache.org/oak/ ● OWASP - https://www.owasp.org ● https://www.owasp.org/index.php/OWASP_Top_Ten _Cheat_Sheet ● https://www.owasp.org/index.php/Application_Thre at_Modeling http://robert.muntea.nu @rombert

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Apache Sling A REST-based Web Application Framework Carsten Ziegeler | cziegeler@apache.org

Apache Sling A REST-based Web Application Framework Carsten Ziegeler | cziegeler@apache.org

Apache Sling A REST-based Web Application Framework Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About cziegeler@apache.org @cziegeler RnD Team at Adobe Research Switzerland Member of the Apache So fu ware

847 views • 59 slides
Server-side OSGi with Apache Sling Felix Meschberger Day Management AG 124 About Felix

Server-side OSGi with Apache Sling Felix Meschberger Day Management AG 124 About Felix

Server-side OSGi with Apache Sling Felix Meschberger Day Management AG 124 About Felix Meschberger &gt; Senior Developer, Day Management AG &gt; fmeschbe@day.com &gt; http://blog.meschberger.ch &gt; VP Apache Sling &gt; Apache

584 views • 32 slides
REST... with Peace Content Management with Apache Sling 1 Freitag, 25. Februar 2011 The Problem

REST... with Peace Content Management with Apache Sling 1 Freitag, 25. Februar 2011 The Problem

REST... with Peace Content Management with Apache Sling 1 Freitag, 25. Februar 2011 The Problem (abstract) Store large amounts of different types of content Associate meta data to content Access control Search for stuff

539 views • 16 slides
APACHE SLING &amp; FRIENDS TECH MEETUP BERLIN, 26-28 SEPTEMBER 2016 Test Driven Development with

APACHE SLING &amp; FRIENDS TECH MEETUP BERLIN, 26-28 SEPTEMBER 2016 Test Driven Development with

APACHE SLING &amp; FRIENDS TECH MEETUP BERLIN, 26-28 SEPTEMBER 2016 Test Driven Development with AEM Jan Wloka, Quatico Solutions Inc. From the talk Get the Flow Test coverage is the natural enemy of fast coding. [...] It is a

330 views • 20 slides
Setting up a secure server with Apache and mod_ssl Daniel Lopez Ridruejo About Me ASF member

Setting up a secure server with Apache and mod_ssl Daniel Lopez Ridruejo About Me ASF member

Setting up a secure server with Apache and mod_ssl Daniel Lopez Ridruejo About Me ASF member and long time Apache user Interested in usability and lowering the learning curve for Apache Comanche GUI configuration tool Teach Yourself

258 views • 25 slides
Secure Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com

Secure Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com

Karlsruher Entwicklertag 2014 Secure Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com ashakirin.blogspot.com/ Agenda Introduction in Apache CXF Security Requirements Apply security features to CXF Services

930 views • 49 slides
DEVELOPING CORDOVA APPLICATIONS WITH ECLIPSE IDE Gorkem Ercan Red Hat APACHE CORDOVA A platform

DEVELOPING CORDOVA APPLICATIONS WITH ECLIPSE IDE Gorkem Ercan Red Hat APACHE CORDOVA A platform

DEVELOPING CORDOVA APPLICATIONS WITH ECLIPSE IDE Gorkem Ercan Red Hat APACHE CORDOVA A platform for building native mobile applications using HTML , CSS and JavaScript MANDATORY PHONEGAP EXPLANATION Contributed to Apache SF to create the

266 views • 12 slides
and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff &amp; Kenneth R. Van Wyk

753 views • 17 slides
Developing Applications with APR Paul Querna pquerna@apache.org July 21, 2005

Developing Applications with APR Paul Querna pquerna@apache.org July 21, 2005

Developing Applications with APR Paul Querna pquerna@apache.org July 21, 2005 http://www.outoforder.cc/presentations/ A.P.R. Apache Portable Runtime Origin: httpd Platforms: Unix, Netware, OS/2, Windows. Your Application APR-Util

497 views • 34 slides
Tapestry Code less, deliver more. Rayland Jeans What is Apache Tapestry? Apache Tapestry

Tapestry Code less, deliver more. Rayland Jeans What is Apache Tapestry? Apache Tapestry

Tapestry Code less, deliver more. Rayland Jeans What is Apache Tapestry? Apache Tapestry is an open-source framework designed to create scalable web applications in Java. Tapestry allows developers to create web applications that

792 views • 38 slides
QEMU for Xen secure by default Deprivileging the PC system emulator Ian Jackson

QEMU for Xen secure by default Deprivileging the PC system emulator Ian Jackson

QEMU for Xen secure by default Deprivileging the PC system emulator Ian Jackson &lt;ian.jackson@eu.citrix.com&gt; FOSDEM 2016 with assistance from Stefano Stabellini guest guest Xen PV driver IDE driver Xen PV protocol mmio, dma, etc.

115 views • 7 slides
Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Networking Secure apps Aims Crypto Basics Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 26 June 2014

389 views • 26 slides
Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang |Software Engineer,

Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang |Software Engineer,

1 Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang |Software Engineer, Cloudera April 07, 2014 2 Outline Introduction Hadoop security primer Authentication Authorization Data Protection Governance

492 views • 30 slides
site with Apache solr Presentation by Janmejaya Mishra (drupal.org id - janmejaya) Deepak

site with Apache solr Presentation by Janmejaya Mishra (drupal.org id - janmejaya) Deepak

Building search engine for Drupal site with Apache solr Presentation by Janmejaya Mishra (drupal.org id - janmejaya) Deepak Kumar (drupal.org id deepak_123) 1. Drupal default search 2. Limitations of drupal default search 3.

700 views • 19 slides
but also prof. dr. Andrej Filipi , IJS, UNG prof. dr. Borut P . Kerevan , Uni Lj, IJS Dejan

but also prof. dr. Andrej Filipi , IJS, UNG prof. dr. Borut P . Kerevan , Uni Lj, IJS Dejan

Joef Stefan Institute SLING - Slovenian Supercomputing Network Site Report for NDGF all Hands 2017 Barbara Kroovec Jan Jona Javorek http://www.arnes.si http://www.ijs.si/ barbara.krasovec@arnes.si http://www.sling.si/

748 views • 25 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

975 views • 56 slides
Mathematical Interests of Kiran Chilakamarri Ken W. Smith Sam Houston State University

Mathematical Interests of Kiran Chilakamarri Ken W. Smith Sam Houston State University

Mathematical Interests of Kiran Chilakamarri Ken W. Smith Sam Houston State University CombinaTexas, May 2016 Ken W. Smith (Sam Houston State University) Chilakamarri May 2016 1 / 31 Kiran Chilakamarri Kiran Babu Chilakamarri passed away on

1.34k views • 98 slides
I/O and Disks Thierry Sans I/O I/O management I/O devices vary greatly and new types of I/O

I/O and Disks Thierry Sans I/O I/O management I/O devices vary greatly and new types of I/O

I/O and Disks Thierry Sans I/O I/O management I/O devices vary greatly and new types of I/O devices appear frequently Various methods to control them and to manage their performances Ports, buses, device controllers connect to

775 views • 33 slides
Storage and File Systems Chester Rebeiro IIT Madras 1 Two views of a file system rwx rwx

Storage and File Systems Chester Rebeiro IIT Madras 1 Two views of a file system rwx rwx

Storage and File Systems Chester Rebeiro IIT Madras 1 Two views of a file system rwx rwx protection attributes system calls Application View Look &amp; Feel File system Hardware view 2 Magnetic Disks Chester Rebeiro IIT Madras 3

952 views • 60 slides
Unit Testing with AEM Mocks Ask the AEM Community Expert Stefan Seifert About the Speaker

Unit Testing with AEM Mocks Ask the AEM Community Expert Stefan Seifert About the Speaker

Unit Testing with AEM Mocks Ask the AEM Community Expert Stefan Seifert About the Speaker AEM Developer Apache Sling PMC Maintainer of wcm.io CTO of pro!vision GmbH Stefan Seifert https://www.pro-vision.de 2 About AEM Mocks

265 views • 25 slides
Apache Felix Web Console Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About

Apache Felix Web Console Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About

Apache Felix Web Console Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About cziegeler@apache.org @cziegeler RnD Team at Adobe Research Switzerland Member of the Apache So fu ware Foundation Apache Felix and Apache

725 views • 26 slides
Agile RESTful Web Development Michael Marth Michael Drig v e l o p e r n i o r D e

Agile RESTful Web Development Michael Marth Michael Drig v e l o p e r n i o r D e

Agile RESTful Web Development Michael Marth Michael Drig v e l o p e r n i o r D e S e T e c h n o l o g y E v a n g e l i s t m i c h a e c o m l . m a r t h @ i g @ d a y . d a y .

777 views • 39 slides
The Vaginal Mesh Mania: Consultant Johnson &amp; Johnson Facts &amp; Fiction Olga Ramm,

The Vaginal Mesh Mania: Consultant Johnson &amp; Johnson Facts &amp; Fiction Olga Ramm,

Disclosures The Vaginal Mesh Mania: Consultant Johnson &amp; Johnson Facts &amp; Fiction Olga Ramm, MD MS Division of Urogynecology - FPMRS Department of OB/Gyn Kaiser Permanente East Bay Fellowship Director, KPEB - UCSF FPMRS

404 views • 6 slides
We Have Your Back A Worker Safety Collaborative An Initiative of the Florida Hospital Association

We Have Your Back A Worker Safety Collaborative An Initiative of the Florida Hospital Association

1 We Have Your Back A Worker Safety Collaborative An Initiative of the Florida Hospital Association WORKER SAFETY WEDNESDAY WEBINAR SERIES: SELECTING THE RIGHT PATIENT LIFT EQUIPMENT FOR YOUR FACILITY - LESSONS LEARNED WEDNESDAY, JUNE 28,

487 views • 34 slides

More recommend