Web App Security for Java Developers - London JUG 2022

Transcript

1. Matt Raible | @mraible October 27, 2022 Web App Security

   for Java Developers Photo by Lachlan Gowen on https://unsplash.com/photos/RZ5TKFpdaWM

2. @mraible Who is Matt Raible? Father, Husband, Skier, Mountain Biker,

   Whitewater Rafter Bus Lover Web Developer and Java Champion Okta Developer Advocate Blogger on raibledesigns.com and developer.okta.com/blog @mraible
3. None
4. None
5. None

6. developer.okta.com

7. developer.auth0.com

8. @mraible Today’s Agenda What is web app security? 7 simple

   ways to better app security 3 quick demos 🍃 Spring Boot 🅰 Angular 🤓 JHipster

9. What is web app security?

10. 1. Use HTTPS 2. Scan your dependencies 3. Use the

    latest releases 4. Secure your secrets 7 Simple Ways to Better Web App Security 5. Use a Content Security Policy 6. Use OAuth 2.0 and OIDC 7. Prevent Cross-site request forgery (CSRF)

11. @mraible 1. Use HTTPS Everywhere! Let’s Encrypt offers free HTTPS

    certificates certbot can be used to generate certificates mkcert can be used to create localhost certificates Spring Boot Starter ACME for automating certificates

12. What is HTTPS? https://howhttps.works

13. How HTTPS Works https://howhttps.works

14. HTTPS for Static Sites too! https://www.troyhunt.com/heres-why-your-static-website-needs-https

15. HTTPS is Easy!

16. Force HTTPS in Spring Boot @Configuration public class SecurityConfiguration {

    @Bean SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); return http.build(); } }

17. Force HTTPS in the Cloud @Configuration public class SecurityConfiguration {

    @Bean SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.requiresChannel() .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null) .requiresSecure(); return http.build(); } }

18. Force HTTPS in Spring WebFlux @EnableWebFluxSecurity public class SecurityConfiguration {

    @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.redirectToHttps(withDefaults()); return http.build(); } }

19. Force HTTPS in Spring WebFlux + Cloud @EnableWebFluxSecurity public class

    SecurityConfiguration { @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.redirectToHttps(redirect -> redirect .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto")) ); return http.build(); } }

20. @mraible “Why do we need HTTPS inside our network?”

21. @mraible 2. Scan Your Dependencies

22. @mraible GitHub + Dependabot

23. @mraible Full-featured Dependency Scanners

24. 3. Use the Latest Releases

25. How well do you know your dependencies? Dependency Health Indirect

    Dependencies Regular Releases Regular commits Dependencies

26. Check for Updates with npm npx npm-check-updates

27. Check for Updates with Maven mvn versions:display-dependency-updates https://www.mojohaus.org/versions-maven-plugin

28. Check for Updates with Gradle plugins { id("se.patrikerdes.use-latest-versions") version "0.2.18"

    id("com.github.ben-manes.versions") version "0.42.0" ... } $ ./gradlew useLatestVersions https://github.com/patrikerdes/gradle-use-latest-versions-plugin

29. @mraible 4. Secure Your Secrets

30. HashiCorp Vault and Azure Key Vault

31. https://developer.okta.com/blog/2022/10/20/spring-vault Secure Secrets With Spring Cloud Config and Vault

32. 5. Use a Content Security Policy

33. Default Spring Security Headers Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma:

    no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block

34. Add a Content Security Policy with Spring Security @Configuration public

    class SecurityConfiguration { @Bean SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http.headers() .contentSecurityPolicy("script-src 'self' " + "https: // trustedscripts.example.com; " + "object-src https: // trustedplugins.example.com; " + "report-uri /csp-report-endpoint/"); return http.build(); } }

35. Test Your Security Headers https://securityheaders.com

36. @mraible 6. Use OAuth 2.0 and OpenID Connect OpenID Connect

    OAuth 2.0 HTTP OpenID Connect is for authentication 
 OAuth 2.0 is for authorization

37. @mraible Authorization Code Flow Example https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway

38. @mraible Does OAuth 2.0 feel like a maze of specs?

    https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

39. @mraible OAuth 2.1 to the rescue! https://oauth.net/2.1 PKCE is required

    for all clients using the authorization code flow Redirect URIs must be compared using exact string matching The Implicit grant is omitted from this specification The Resource Owner Password Credentials grant is omitted from this specification Bearer token usage omits the use of bearer tokens in the query string of URIs Refresh tokens for public clients must either be sender-constrained or one-time use

40. 7. Prevent CSRF Attacks

41. Configure CSRF Protection with Spring Security @Configuration public class SecurityConfiguration

    { @Bean SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .csrf() .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()); return http.build(); } }

42. SameSite Cookies

43. @mraible Demos! 🍃 🅰 🤓

44. 1. Use HTTPS 2. Scan your dependencies 3. Use the

    latest releases 4. Secure your secrets Recap: 7 Simple Ways to Better Web App Security 5. Use a Content Security Policy 6. Use OAuth 2.0 and OIDC 7. Prevent Cross-site request forgery (CSRF)

45. developer.okta.com/blog/tags/java @oktadev

46. developer.auth0.com @auth0

47. Curious About Microservice Security? https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

48. Or Auth Security Patterns? https://bit.ly/mraible-springone-2021 https://youtu.be/CebTJ7Nq1Hs

49. Thanks! Keep in Touch raibledesigns.com @mraible Presentations speakerdeck.com/mraible Code github.com/oktadev

    developer.okta.com developer.auth0.com

50. developer.okta.com