
Java is already secure, isn't it?!


Talk by Dominik Schadow at the Entwicklertag in Karlsruhe on 21.05.2014

Published in: Software


  1. Java is already secure, isn't it?! Entwicklertag - 21.05.2014, Dominik Schadow - bridgingIT
  2. Java Runtime, Backend Services, Frontend
  3. Java Runtime takes care of the security baseline
  4. Cross-Site Scripting, Cross-Site Request Forgery, 3rd party library usage
  5. Cross-Site Scripting (XSS)
  6. Access victims' session credentials, site defacement, undermine CSRF defense, redirects (phishing), load scripts, data theft
  7. Attacker injected code executed in web application (diagram: Attacker, Victim; DOM Based XSS, Reflected XSS, Stored XSS)
  8. Always validate all input and escape all output
  9. Libraries for Cross-Site Scripting countermeasures: Coverity Security Library and OWASP Java Encoder (output escaping), OWASP HTML Sanitizer (allow selected HTML tags/attributes)
  10. Content Security Policy is framework independent. Blocks ALL inline scripts; whitelist valid resource URLs:
      response.setHeader("Content-Security-Policy", "default-src 'self'; img-src *; object-src; script-src; style-src *");
      Report only as test mode (violations are reported to the report-uri, nothing is blocked):
      response.setHeader("Content-Security-Policy-Report-Only", "default-src 'self'; report-uri CSPReporting");
  11. Session-Cookie protection via web.xml (Tomcat 7):
      <?xml version="1.0" encoding="UTF-8"?>
      <web-app ... version="3.1">
        <!-- ... -->
      </web-app>
  12. Intercept requests/responses with OWASP ZAP
  13. Demo
  14. Content Security Policy as second layer of defense
  15. Cross-Site Request Forgery (CSRF)
  16. Using victims' credentials to gain access
  17. CSRF utilizes fire and forget requests (sequence diagram, steps 1 to 4)
  18. Stop fake requests with random anti CSRF tokens
  19. CSRF protection in libraries and frameworks: JavaServer Faces (built-in protection, improved in 2.2), Spring Security 3.2, Enterprise Security API (CSRF extension)
  20. Test your CSRF protection with faked tokens
  21. Demo
  22. 3rd party library usage
  23. Code, libraries and configuration belong together
  24. Test the functionality you rely on
  25. Outdated libraries imply a false sense of security
  26. Find insecure libs with OWASP Dependency Check
  27. Not every vulnerability may affect your application
  28. Widespread outdated libs impose a greater risk
  29. Developers make the difference: Java is as (in)secure as most other languages; Java can't prevent every development bug; (web) application security is always the developers' job
  30. Dominik Schadow, BridgingIT GmbH, Königstraße 42, 70173 Stuttgart. Links: Blog, Twitter/ADN @dschadow, Demo Projects, OWASP, Pictures