secure by default web applications with apache sling
play

Secure by Default Web Applications With Apache Sling Robert - PowerPoint PPT Presentation

Feb 07, 2023 •199 likes •610 views

Secure by Default Web Applications With Apache Sling Secure by Default Web Applications With Apache Sling Robert Munteanu, Adobe Systems ApacheCon Core 2016 http://robert.muntea.nu @rombert Who I am $DAYJOB Open Source Adobe

  1. Secure by Default Web Applications With Apache Sling Secure by Default Web Applications With Apache Sling Robert Munteanu, Adobe Systems ApacheCon Core 2016 http://robert.muntea.nu @rombert

  2. Who I am  $DAYJOB  Open Source  Adobe Experience  Apache Sling Manager  MantisBT  Apache Sling  Mylyn Connector for MantisBT  Apache Jackrabbit  Mylyn Connector for Review  Apache Felix Board http://robert.muntea.nu @rombert

  3. Purpose of the talk Scope Cost Schedule http://robert.muntea.nu @rombert

  4. Purpose of the talk Scope Cost Schedule http://robert.muntea.nu @rombert

  5. Purpose of the talk Scope Cost Schedule http://robert.muntea.nu @rombert

  6. Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A http://robert.muntea.nu @rombert

  7. Apache Sling – Brief History 200x 2007 2009 2015 Pre-Apache Incubation TLP Version 8 http://robert.muntea.nu @rombert

  8. Apache Sling – Code Statistics http://robert.muntea.nu @rombert

  9. Apache Sling – Contributor activity http://robert.muntea.nu @rombert

  10. Apache Sling – Value proposition ● Content-oriented ● RESTful ● Lightweight ● Integrated authentication and authorization ● OSGi-powered ● Scripting inside ● Easily deployable http://robert.muntea.nu @rombert

  11. Apache Sling – Content-Oriented Blog posts Images Users and Groups http://robert.muntea.nu @rombert

  12. Apache Sling – Content-Oriented Server-side templates and scripts Configurations http://robert.muntea.nu @rombert

  13. Apache Sling – RESTful ↵ $ h t t p l o c a l h o s t : 8 0 8 0 / c o n t e n t / b l o g / p o s t s / h e l l o _ w o r l d . h t m l j s o n x m l t x t p d f p h p 3 http://robert.muntea.nu @rombert

  14. Apache Sling – RESTful http://robert.muntea.nu @rombert

  15. Apache Sling – Persistence via JCR http://robert.muntea.nu @rombert

  16. Apache Sling – Topologies Standalone High Availability http://robert.muntea.nu @rombert

  17. Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A http://robert.muntea.nu @rombert

  18. Demo App – main page http://robert.muntea.nu @rombert

  19. Demo App – Article Page http://robert.muntea.nu @rombert

  20. Demo App – Submitting comments http://robert.muntea.nu @rombert

  21. Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A http://robert.muntea.nu @rombert

  22. Threat modelling “Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could afgect your application” Threat Modeling Web Applications on MSDN http://robert.muntea.nu @rombert

  23. Threat Modelling - Assets http://robert.muntea.nu @rombert

  24. Threat Modelling - Assets ● Availability ● Content ● User Credentials ● Ability to execute code on server ● Ability to execute code in the browser context http://robert.muntea.nu @rombert

  25. Threat Modelling - Trust Levels http://robert.muntea.nu @rombert

  26. Threat Modelling - Trust Levels 1. Anonymous 2. Author 3. Administrator http://robert.muntea.nu @rombert

  27. Threat Modelling - Threats OWASP http://robert.muntea.nu @rombert

  28. Threat Modelling - Threats 1. Denial of Service 2. Defacement / Deletion 3. Leaking credentials 4. SQL/Shell Injection 5. Stored/Reflected XSS http://robert.muntea.nu @rombert

  29. Threat Modelling - Mitigation http://robert.muntea.nu @rombert

  30. Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A http://robert.muntea.nu @rombert

  31. Apache Sling Security – Natural layering of ACEs http://robert.muntea.nu @rombert

  32. Apache Sling Security – Security applied at the lowest level $ h t t p - - a u t h b o b : b o b l o c a l h o s t : 8 0 8 0 / c o n t e n t / b l o g / p o s t s / n e w _ b l o g _ p o s t ' j c r \ : t i t l e = N e w p o s t ' http://robert.muntea.nu @rombert

  33. Apache Sling Security – Context-aware templating language < d i v c l a s s = " c o m m e n t c l e a r f i x " > < i m g c l a s s = " a v a t a r i m g - r o u n d e d p u l l - l e f t " s r c = " $ { r e s o u r c e . v a l u e M a p [ ' a u t h o r A v a t a r ' ] } " / > < h 3 > $ { r e s o u r c e . v a l u e M a p [ ' j c r : t i t l e ' ] } < / h 3 > < p > $ { r e s o u r c e . v a l u e M a p [ ' j c r : d e s c r i p t i o n ' ] } < / p > < / d i v > http://robert.muntea.nu @rombert

  34. Apache Sling Security – Injection-safe APIs Children of /content/blog/posts http://robert.muntea.nu @rombert

  35. Apache Sling Security – Injection-safe APIs Children of /content/blog/comments/ hello_world http://robert.muntea.nu @rombert

  36. Agenda ● Apache Sling ● Demo application review ● Threat model ● Security with Apache Sling ● Demo ● Conclusion ● Q&A http://robert.muntea.nu @rombert

  37. Demo Application – Actual demo!!!!1oneone http://robert.muntea.nu @rombert

  38. Conclusions – Security ● Aim to be “Secure by Default” ● Build a threat model for your application ● Look for components that eliminate problems altogether http://robert.muntea.nu @rombert

  39. Conclusions – Apache Sling ● Simple to be “Secure by Default” ● Eventing, Thread Pooling, Job Management, Caching ● Scripting: Groovy, Scala, JSP, Sightly, Java, Ruby, Thymeleaf ● Flexible resource rendering with resource types ● Very extensible due to being internally powered by OSGi – most extension points available to clients http://robert.muntea.nu @rombert

  40. Resources ● Apache Sling – https://sling.apache.org ● Apache Jackrabbit ● https://jackrabbit.apache.org ● http://jackrabbit.apache.org/oak/ ● OWASP - https://www.owasp.org ● https://www.owasp.org/index.php/OWASP_Top_Ten _Cheat_Sheet ● https://www.owasp.org/index.php/Application_Thre at_Modeling http://robert.muntea.nu @rombert

Recommend

Apache Sling A REST-based Web Application Framework Carsten Ziegeler | cziegeler@apache.org

Apache Sling A REST-based Web Application Framework Carsten Ziegeler | cziegeler@apache.org

Apache Sling A REST-based Web Application Framework Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About cziegeler@apache.org @cziegeler RnD Team at Adobe Research Switzerland Member of the Apache So fu ware

847 views • 59 slides
Server-side OSGi with Apache Sling Felix Meschberger Day Management AG 124 About Felix

Server-side OSGi with Apache Sling Felix Meschberger Day Management AG 124 About Felix

Server-side OSGi with Apache Sling Felix Meschberger Day Management AG 124 About Felix Meschberger &gt; Senior Developer, Day Management AG &gt; fmeschbe@day.com &gt; http://blog.meschberger.ch &gt; VP Apache Sling &gt; Apache

584 views • 32 slides
REST... with Peace Content Management with Apache Sling 1 Freitag, 25. Februar 2011 The Problem

REST... with Peace Content Management with Apache Sling 1 Freitag, 25. Februar 2011 The Problem

REST... with Peace Content Management with Apache Sling 1 Freitag, 25. Februar 2011 The Problem (abstract) Store large amounts of different types of content Associate meta data to content Access control Search for stuff

539 views • 16 slides
APACHE SLING &amp; FRIENDS TECH MEETUP BERLIN, 26-28 SEPTEMBER 2016 Test Driven Development with

APACHE SLING &amp; FRIENDS TECH MEETUP BERLIN, 26-28 SEPTEMBER 2016 Test Driven Development with

APACHE SLING &amp; FRIENDS TECH MEETUP BERLIN, 26-28 SEPTEMBER 2016 Test Driven Development with AEM Jan Wloka, Quatico Solutions Inc. From the talk Get the Flow Test coverage is the natural enemy of fast coding. [...] It is a

330 views • 20 slides
Setting up a secure server with Apache and mod_ssl Daniel Lopez Ridruejo About Me ASF member

Setting up a secure server with Apache and mod_ssl Daniel Lopez Ridruejo About Me ASF member

Setting up a secure server with Apache and mod_ssl Daniel Lopez Ridruejo About Me ASF member and long time Apache user Interested in usability and lowering the learning curve for Apache Comanche GUI configuration tool Teach Yourself

258 views • 25 slides
Secure Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com

Secure Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com

Karlsruher Entwicklertag 2014 Secure Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com ashakirin.blogspot.com/ Agenda Introduction in Apache CXF Security Requirements Apply security features to CXF Services

930 views • 49 slides
DEVELOPING CORDOVA APPLICATIONS WITH ECLIPSE IDE Gorkem Ercan Red Hat APACHE CORDOVA A platform

DEVELOPING CORDOVA APPLICATIONS WITH ECLIPSE IDE Gorkem Ercan Red Hat APACHE CORDOVA A platform

DEVELOPING CORDOVA APPLICATIONS WITH ECLIPSE IDE Gorkem Ercan Red Hat APACHE CORDOVA A platform for building native mobile applications using HTML , CSS and JavaScript MANDATORY PHONEGAP EXPLANATION Contributed to Apache SF to create the

266 views • 12 slides
and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff &amp; Kenneth R. Van Wyk

753 views • 17 slides
Developing Applications with APR Paul Querna pquerna@apache.org July 21, 2005

Developing Applications with APR Paul Querna pquerna@apache.org July 21, 2005

Developing Applications with APR Paul Querna pquerna@apache.org July 21, 2005 http://www.outoforder.cc/presentations/ A.P.R. Apache Portable Runtime Origin: httpd Platforms: Unix, Netware, OS/2, Windows. Your Application APR-Util

497 views • 34 slides
Tapestry Code less, deliver more. Rayland Jeans What is Apache Tapestry? Apache Tapestry

Tapestry Code less, deliver more. Rayland Jeans What is Apache Tapestry? Apache Tapestry

Tapestry Code less, deliver more. Rayland Jeans What is Apache Tapestry? Apache Tapestry is an open-source framework designed to create scalable web applications in Java. Tapestry allows developers to create web applications that

792 views • 38 slides
QEMU for Xen secure by default Deprivileging the PC system emulator Ian Jackson

QEMU for Xen secure by default Deprivileging the PC system emulator Ian Jackson

QEMU for Xen secure by default Deprivileging the PC system emulator Ian Jackson &lt;ian.jackson@eu.citrix.com&gt; FOSDEM 2016 with assistance from Stefano Stabellini guest guest Xen PV driver IDE driver Xen PV protocol mmio, dma, etc.

115 views • 7 slides
Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Networking Secure apps Aims Crypto Basics Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 26 June 2014

389 views • 26 slides
Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang |Software Engineer,

Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang |Software Engineer,

1 Secure Your Hadoop Cluster With Apache Sentry (Incubating) Xuefu Zhang |Software Engineer, Cloudera April 07, 2014 2 Outline Introduction Hadoop security primer Authentication Authorization Data Protection Governance

492 views • 30 slides
site with Apache solr Presentation by Janmejaya Mishra (drupal.org id - janmejaya) Deepak

site with Apache solr Presentation by Janmejaya Mishra (drupal.org id - janmejaya) Deepak

Building search engine for Drupal site with Apache solr Presentation by Janmejaya Mishra (drupal.org id - janmejaya) Deepak Kumar (drupal.org id deepak_123) 1. Drupal default search 2. Limitations of drupal default search 3.

700 views • 19 slides
but also prof. dr. Andrej Filipi , IJS, UNG prof. dr. Borut P . Kerevan , Uni Lj, IJS Dejan

but also prof. dr. Andrej Filipi , IJS, UNG prof. dr. Borut P . Kerevan , Uni Lj, IJS Dejan

Joef Stefan Institute SLING - Slovenian Supercomputing Network Site Report for NDGF all Hands 2017 Barbara Kroovec Jan Jona Javorek http://www.arnes.si http://www.ijs.si/ barbara.krasovec@arnes.si http://www.sling.si/

748 views • 25 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

975 views • 56 slides
Secure by default Anti-exploit techniques and hardenings in SUSE products Johannes Segitz SUSE

Secure by default Anti-exploit techniques and hardenings in SUSE products Johannes Segitz SUSE

Secure by default Anti-exploit techniques and hardenings in SUSE products Johannes Segitz SUSE Security Team 2019-04-02/04 1 of 46 Who am I? Johannes Segitz, security engineer (Nuremberg, Germany) Code review Product pentesting 2 of

1.49k views • 122 slides
Enterprise Development with What needs to be done to run JEE like applications inside Karaf?

Enterprise Development with What needs to be done to run JEE like applications inside Karaf?

Enterprise Development with What needs to be done to run JEE like applications inside Karaf? @anierbeck - Karaf PMC, Apache Member - OPS4j Pax Web Project Lead - Senior IT Consultant @codecentric - co-Author of Apache Karaf Cookbook 3

1.28k views • 100 slides
Apache PredictionIO End-to-End Machine Learning Server with Apache Spark What is Machine

Apache PredictionIO End-to-End Machine Learning Server with Apache Spark What is Machine

Apache PredictionIO End-to-End Machine Learning Server with Apache Spark What is Machine Learning? What is Machine Learning? Examples of machine learning applications: Facial recognition software E-mail spam detectors Automated

302 views • 17 slides
Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N

Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N

Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N A N D R I T I T I K A M A M O O R J A N A N I Introduction Topics Covered Security Checking using Nikto Dangers of Default

262 views • 22 slides
The Anatomy of a Secure Web App Using JavaEE, Spring Security and Apache Fortress May 18, 2017

The Anatomy of a Secure Web App Using JavaEE, Spring Security and Apache Fortress May 18, 2017

The Anatomy of a Secure Web App Using JavaEE, Spring Security and Apache Fortress May 18, 2017 ApacheCon NA, Miami Objective Think about how a web app would behave, if we spared no expense for security. ApacheCon NA, Miami 2017 2 @play

1.03k views • 85 slides
OpenStack Workload Reference Architecture: Web Applications Web applications are the most

OpenStack Workload Reference Architecture: Web Applications Web applications are the most

OpenStack Workload Reference Architecture: Web Applications Web applications are the most prevalent Apache, MySQL, and PHP/Python/Perl and is applications in business today. They are driven considered by many as the platform of choice by user

106 views • 9 slides
Using XSL and mod_transform in Apache Applications Paul Querna chip@OutOfOrder.cc What is XSL?

Using XSL and mod_transform in Apache Applications Paul Querna chip@OutOfOrder.cc What is XSL?

Using XSL and mod_transform in Apache Applications Paul Querna chip@OutOfOrder.cc What is XSL? Extensible Stylesheet Language (XSL) A family of Standards for XML by the W3C: XSL Transformations (XSLT) XML Path Language (Xpath)

4.45k views • 29 slides
Apache Felix Web Console Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About

Apache Felix Web Console Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About

Apache Felix Web Console Carsten Ziegeler | cziegeler@apache.org ApacheCon NA 2014 About cziegeler@apache.org @cziegeler RnD Team at Adobe Research Switzerland Member of the Apache So fu ware Foundation Apache Felix and Apache

725 views • 26 slides

More recommend