real world java web security
play

Real World Java Web Security Java User Group Karlsruhe Dominik - PowerPoint PPT Presentation

Dec 20, 2022 •38 likes •738 views

Real World Java Web Security Java User Group Karlsruhe Dominik Schadow | bridgingIT Who thinks about architecture while coding? architecture before coding? Who thinks about security while coding? security before

  1. Real World Java Web Security Java User Group Karlsruhe Dominik Schadow | bridgingIT

  2. Who thinks about … … architecture while coding? … architecture before coding?

  3. Who thinks about … … security while coding? … security before coding?

  4. OWASP TOP 10 2013 (1) Injection (2) Broken Authentication and Session Management (3) Cross-Site Scripting (XSS) (4) Insecure Direct Object References (5) Security Misconfiguration (6) Sensitive Data Exposure (7) Missing Function Level Access Control (8) Cross-Site Request Forgery (CSRF) (9) Using Components with Known Vulnerabilities (10) Unvalidated Redirects and Forwards

  5. Software that is secure by design Know the web application Know all external entities Identify all data flows Identify all risks

  6. Threat model

  7. Avoid design flaws

  9. Fight the identified threats

  10. Maintain all threat models

  11. Instrument the Browser

  12. Defense in Depth

  13. Force HTTPS

  14. @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void doFilter(…) { HttpServletResponse response = (HttpServletResponse) res; response.addHeader( "Strict-Transport-Security", "max-age=31556926"); chain.doFilter(req, response); } // … }

  15. @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void doFilter(…) { HttpServletResponse response = (HttpServletResponse) res; response.addHeader( "Strict-Transport-Security", "max-age=31556926"); chain.doFilter(req, response); } // … }

  16. @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void doFilter(…) { HttpServletResponse response = (HttpServletResponse) res; response.addHeader( "Strict-Transport-Security", "max-age=31556926"); chain.doFilter(req, response); } // … }

  17. @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void doFilter(…) { HttpServletResponse response = (HttpServletResponse) res; response.addHeader( "Strict-Transport-Security", "max-age=31556926"); chain.doFilter(req, response); } // … }

  18. @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void doFilter(…) { HttpServletResponse response = (HttpServletResponse) res; response.addHeader( "Strict-Transport-Security", "max-age=31556926"); chain.doFilter(req, response); } // … }

  19. @WebFilter(urlPatterns = {"/*"}) public class HSTS implements Filter { public void doFilter(…) { HttpServletResponse response = (HttpServletResponse) res; response.addHeader( "Strict-Transport-Security", "max-age=31556926;includeSubDomains"); chain.doFilter(req, response); } // … }

  20. Prevent framing

  21. response.addHeader( "X-Frame-Options", "DENY" );

  22. response.addHeader( "X-Frame-Options", "DENY" );

  23. response.addHeader( "X-Frame-Options", "DENY" );

  24. response.addHeader( "X-Frame-Options", "SAME-ORIGIN" );

  25. response.addHeader( "X-Frame-Options", "ALLOW-FROM http://www.safe.de" );

  26. Prevent Cross-Site Scripting

  27. response.addHeader( "Content-Security-Policy", "default-src 'self'" );

  28. response.addHeader( "Content-Security-Policy", "default-src 'self'" );

  29. response.addHeader( "Content-Security-Policy", "default-src 'self'" );

  30. Content Security Policy Directives default-src default if specific directive is not set object-src Sources in object, embed or applet tags script-src Script sources (includes XSLT) connect-src XMLHttpRequest, WebSocket, … font-src Font sources frame-src Sources embeddable as frames img-src Image sources media-src Video and audio sources style-src CSS sources (does not include XSLT) www.w3.org/TR/CSP

  31. response.addHeader( "Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; report-uri CSPReporting" );

  32. response.addHeader( "Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; report-uri CSPReporting" );

  33. Violation Report { "document-uri":"http://.../reporting.jsp? name=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E", „referrer“:"http://www.sample.com/security-header/ index.jsp", "blocked-uri":"self", "violated-directive":"default-src http://www.sample.com", "source-file":"http://.../reporting.jsp? 
 name=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E", "script-sample":"alert('XSS')", "line-number":10 }

  34. Content Security Policy Level 2 frame-ancestors Allow resource frame embedding Obsoletes X-Frame-Options header reflected-xss (De-)activate user agent XSS heuristics Obsoletes X-XSS-Protection header child-src Replaces frame-src form-action Form targets to send data to plugin-types Allowed plug-ins (their MIME type) referrer Referrer URL exposed to others sandbox Load resource in restricted sandbox www.w3.org/TR/CSP2

  35. response.addHeader( "Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'" );

  36. response.addHeader( "Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'" );

  39. Demo

  40. And now?

  41. OWASP TOP 10 Proactive Controls (1) Parameterize Queries (1) Parameterize Queries (2) Encode Data (2) Encode Data (3) Validate All Inputs (3) Validate All Inputs (4) Implement Appropriate Access Controls (4) Implement Appropriate Access Controls (5) Establish Identity and Authentication Controls (5) Establish Identity and Authentication Controls (6) Protect Data and Privacy (6) Protect Data and Privacy (7) Implement Logging, Error Handling and Intrusion Detection (7) Implement Logging, Error Handling and Intrusion Detection (8) Leverage Security Features of Frameworks and Security Libraries (8) Leverage Security Features of Frameworks and Security Libraries (9) Include Security-Specific Requirements (9) Include Security-Specific Requirements (10) Design and Architect Security in (10) Design and Architect Security in Threat Modeling

  42. Leverage Security Features of Frameworks and Security Libraries

  43. Use it!

  44. Spring Security (Java config) adds headers automatically X-Content-Type-Options Cache-Control X-Frame-Options HTTP Strict Transport Security X-XSS-Protection

  45. Frameworks and libraries decline

  47. <reporting> <plugins><plugin> <groupId>org.owasp</groupId> <artifactId>dependency-check-maven</artifactId> <version>1.3.1</version> <reportSets> <reportSet> <reports> <report>aggregate</report> </reports> </reportSet> </reportSets> </plugin></plugins> </reporting>

  50. Implement Appropriate Access Controls Establish Identity and Authentication Controls

  51. Standardized building blocks

  52. 4E01EF46D8446D1C 10CB5C08EDA69DD1 User usually receives a session id when visiting web application

  53. Demo

  54. Protect Data and Privacy

  56. Slow down brute force attacks

  57. PBKDF2 Iterations against brute force attacks Available in plain Java

  58. Demo

  59. bcrypt Iterations against brute force attacks Integrated in Spring Security

  60. @Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(10); } }

  61. @Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(10); } }

  62. @Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(10); } }

  63. @Configuration @EnableWebMvcSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(10); } }

  64. scrypt Memory against brute force attacks Best protection against dictionary attacks

  65. Summary

  66. Plan security with threat modeling

  67. Think (like an attacker) during implementation

  68. Keep 3rd party libraries up-to-date

  69. Enjoy secure programming

Recommend

Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next,

Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next,

CS 166: Information Security Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next, we look at real protocols SSH a simple &amp; useful security protocol SSL practical security on the Web

1.27k views • 112 slides
Computer Security in the Real World Butler Lampson Microsoft 1 Security: The Goal Computers

Computer Security in the Real World Butler Lampson Microsoft 1 Security: The Goal Computers

Computer Security in the Real World Butler Lampson Microsoft 1 Security: The Goal Computers are as secure as real world systems, and people believe it . This is hard because: Computers can do a lot of damage fast. There are many

391 views • 28 slides
Using Formal Methods for VLSI Development Using Java and JML in the Real World Joseph

Using Formal Methods for VLSI Development Using Java and JML in the Real World Joseph

Using Formal Methods for VLSI Development Using Java and JML in the Real World Joseph Kiniry Department of Computer Science University College Dublin Asynchronous VLSI What is AVLSI? delay insensitive circuits power invariant

255 views • 13 slides
XML in the real world XML in the real world XML agentzh ( )

XML in the real world XML in the real world XML agentzh ( )

XML in the real world XML in the real world XML agentzh ( ) 2006.10 RSS is cool ! RSS RSS Really Simple Syndication Tired of checking your favorite news and blogs sites everyday?

786 views • 75 slides
Security Profs. Bracy and Van Renesse based on slides by Prof. Sirer Security in the real world

Security Profs. Bracy and Van Renesse based on slides by Prof. Sirer Security in the real world

Security Profs. Bracy and Van Renesse based on slides by Prof. Sirer Security in the real world Security decisions based on: Value: How much is it worth? Locks: How hard is it to circumvent protection? Police: What are the

980 views • 47 slides
Java Technologies Java EE Security Securing Applications Software Security - Protecting

Java Technologies Java EE Security Securing Applications Software Security - Protecting

Java Technologies Java EE Security Securing Applications Software Security - Protecting applications against malicious / unauthorized actions Desktop What kind of code is executed by the application, on the client machine? Where

702 views • 33 slides
Serverless and Java in the Real World @johnchapin | john@symphonia.io Fearless AWS Lambdas QCon

Serverless and Java in the Real World @johnchapin | john@symphonia.io Fearless AWS Lambdas QCon

Serverless and Java in the Real World @johnchapin | john@symphonia.io Fearless AWS Lambdas QCon NYC 2017 https://bit.ly/symph-qcon-fearless Learning Lambda Mike Roberts mike@symphonia.io https://bit.ly/symph-ll Agenda 1. Choosing Java for

724 views • 45 slides
Accountability and Freedom Butler Lampson Microsoft September 26, 2005 1 Real-World Security

Accountability and Freedom Butler Lampson Microsoft September 26, 2005 1 Real-World Security

Accountability and Freedom Butler Lampson Microsoft September 26, 2005 1 Real-World Security It s about risk, locks, and deterrence . Risk management: cost of security &lt; expected loss Perfect security costs way too much

707 views • 26 slides
Java in the Real World Final Exam Logistics The final exam is next Wednesday, March 21 from

Java in the Real World Final Exam Logistics The final exam is next Wednesday, March 21 from

Java in the Real World Final Exam Logistics The final exam is next Wednesday, March 21 from 12:15PM 3:15PM Rooms divvied up by last name: A B: Go to 300-300 C L: Go to Cubberly Auditorium M R: Go to Hewlett 201

621 views • 18 slides
1 Hello, World! Hello, World! System.out is an A program is a sequence of instructions expressed

1 Hello, World! Hello, World! System.out is an A program is a sequence of instructions expressed

Course Overview Web site Syllabus CSC 2014 Java Bootcamp Schedule Lecture slides Reading Assignments &amp; Textbook Handouts Lecture 1 Welcome, Strings &amp; Printing 2 The Java Programming Language The Java

558 views • 6 slides
Real-Time Java for Latency Critical Banking Applications Real-Time Bertrand Delsart System

Real-Time Java for Latency Critical Banking Applications Real-Time Bertrand Delsart System

Real-Time Java for Latency Critical Banking Applications Real-Time Bertrand Delsart System JavaRTS Technical Leader Author of Sun's RTGC technology Agenda Background Benefits of a Real-Time Java Virtual Machine Benefits of

554 views • 36 slides
CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong

CS573 Data Privacy and Security Differential Privacy Real World Deployments Li Xiong Applying Differential Privacy Real world deployments of differential privacy OnTheMap RAPPOR Module 4 Tutorial: Differential Privacy in the Wild

617 views • 30 slides
Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on

Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on

Real-World Authenticated Key Exchange Tibor Jager Paderborn University Summer School on Real-World Crypto and Privacy ibenik, Croatia June 17 th , 2019 Outline Security of the Diffie-Hellman Key Exchange Man-in-the-Middle attacks

1.09k views • 85 slides
Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert

Software Security Smashing the Stack: Real-World Examples Jan Nordholz Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2014 jan (sect) Software Security SoSe 2014 1 / 24 Example 1: the Morris worm (1988) first

695 views • 24 slides
The need for a formal model of Java Safety guarantees of Java definedness type safety

The need for a formal model of Java Safety guarantees of Java definedness type safety

Making the Java Memory Model Safe Andreas Lochbihler Institute for Information Security ETH Zurich supported by DFG Sn11/10-1,2 The need for a formal model of Java Safety guarantees of Java definedness type safety security

595 views • 44 slides
Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability Gap in Online Banking NSPW Presentation - Sep 19, 2007 Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van Oorschot Carleton University Mohammad Mannan Sep 19, 2007 1 Security

544 views • 22 slides
Roadmap of Section 5.2 Real Time Specification for Java RTSJ Features RealtimeThreads

Roadmap of Section 5.2 Real Time Specification for Java RTSJ Features RealtimeThreads

5. Real-Time Programming 5.2 Real-Time Java Roadmap of Section 5.2 Real Time Specification for Java RTSJ Features RealtimeThreads Memory Management RawMemoryAccess Asynchronous Transfer of Control Asynchronous Event

609 views • 25 slides
Institute for Cyber Security The University of Texas at San Antonio World-Leading Research with

Institute for Cyber Security The University of Texas at San Antonio World-Leading Research with

Institute for Cyber Security The University of Texas at San Antonio World-Leading Research with Real-World Impact! April 20, 2010 To: Julian Thrash From: Jeff Reich, Director of Operations for the Institute for Cyber Security Subject:

176 views • 3 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Compiling Java for Real-Time Systems Anders Nilsson andersn@cs.lth.se Department of Computer

Compiling Java for Real-Time Systems Anders Nilsson andersn@cs.lth.se Department of Computer

Compiling Java for Real-Time Systems Anders Nilsson andersn@cs.lth.se Department of Computer Science, Lund University, Sweden Compiling Java for Real-Time Systems p.1 Outline Introduction Approach Real-Time Execution Platform

385 views • 38 slides
CSE 154 LECTURE 26: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 26: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 26: WEB SECURITY Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic! The real world in order to write secure code,

210 views • 18 slides
CSc 337 LECTURE 24: SECURITY Our current view of security until now, we have assumed:

CSc 337 LECTURE 24: SECURITY Our current view of security until now, we have assumed:

CSc 337 LECTURE 24: SECURITY Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic! The real world in order to write secure code, we

211 views • 18 slides
CSE 154 LECTURE 25: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 25: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 25: WEB SECURITY Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic! The real world in order to write secure code,

445 views • 18 slides
Java Security: From HotJava to Netscape and Beyond Drew Dean, Ed Felten, Dan Wallach Safe

Java Security: From HotJava to Netscape and Beyond Drew Dean, Ed Felten, Dan Wallach Safe

Java Security: From HotJava to Netscape and Beyond Drew Dean, Ed Felten, Dan Wallach Safe Internet Programming Group Princeton University The Java Model Web server Web browser Java program URL lookup applet code byte code Verifier

458 views • 14 slides

More recommend