Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure.
This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more!
You’ll learn how to add these features to a real application, using the Java language you know and love.
* YouTube video: https://www.youtube.com/watch?v=PpqNMhe4Bd0
* Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
* Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
4. Use HTTPS Everywhere!
* Let’s Encrypt offers free HTTPS certificates
* certbot can be used to generate certificates
* mkcert can be used to create localhost certificates
* Spring Boot Starter ACME for automating certificates
46. It should not be predictable
hash("TSD0") = 3c9c93e0f8eb2161e5787f7cd3e4b67f8d98fbd80b7d237cc757583b06daa3e3
hash("TSD1") = 98eadd540e6c0579a1bcbe375c8d1ae2863beacdfb9af803e5f4d6dd1f8926c2
hash("TSD2") = 665ec59d7fb01f6070622780e744040239f0aaa993eae1d088bc4f0137d270ef
hash("TSD3") = 7ae89eb10a765ec2459bee59ed1d3ed97dbb9f31ec5c7bd13d19380bc39f5288
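As an added example (not from the slides or the linked posts): the "not predictable" property comes from a random per-password salt, which a plain SHA-256 digest lacks. The code below contrasts the two using Spring Security's PasswordEncoder; it assumes spring-security-crypto on the classpath and Java 17+ (for HexFormat), and the password values are constructed samples.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordHashingDemo {

    // DelegatingPasswordEncoder uses bcrypt by default and prefixes output with
    // "{bcrypt}", so the algorithm can be upgraded later without re-hashing everyone at once.
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /** Plain, unsalted digest: deterministic, so it is precomputable (what the slide warns about). */
    static String sha256Hex(String input) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return HexFormat.of().formatHex(md.digest(input.getBytes(StandardCharsets.UTF_8)));
    }

    /** Called at registration: persist only the returned string, never the raw password. */
    static String hashForStorage(String rawPassword) {
        return ENCODER.encode(rawPassword);
    }

    /** Called at login: compares the candidate against the stored salted hash. */
    static boolean verify(String rawPassword, String storedHash) {
        return ENCODER.matches(rawPassword, storedHash);
    }

    public static void main(String[] args) throws Exception {
        String password = "TSD0"; // constructed sample password, as on the slide

        // Same input, same digest every time: a lookup table built once works forever.
        System.out.println("sha256 #1: " + sha256Hex(password));
        System.out.println("sha256 #2: " + sha256Hex(password));

        // bcrypt embeds a random 16-byte salt in each hash, so two hashes of the
        // same password differ and a precomputed table is useless.
        String stored = hashForStorage(password);
        String again  = hashForStorage(password);
        System.out.println("bcrypt #1: " + stored);
        System.out.println("bcrypt #2: " + again);
        System.out.println("salted differently: " + !stored.equals(again));

        // Verification still works because the salt is read back out of the stored hash.
        System.out.println("correct password verifies: " + verify(password, stored));
        System.out.println("wrong password verifies:   " + verify("TSD1", stored));
    }
}
```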
58. OWASP Zed Attack Proxy
Two approaches: Spider and Active Scan
* Spider starts with a seed of URLs
* Active Scan records a session then plays it back, scanning for known vulnerabilities
59. Learn More About ZAP
* Homepage: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
* GitHub: https://github.com/zaproxy/zaproxy
* Twitter: @zaproxy
61. Code Review Topics
1. Identify and validate any third-party input
2. Never store credentials as code/config
3. Test for new security vulnerabilities in third-party open source dependencies
4. Authenticate inbound requests
5. Enforce the least privilege principle
6. Prefer whitelist over blacklist
7. Handle sensitive data with care
8. Do not allow back doors in your code
9. Protect against well-known attacks
10. Statically test your source code on every PR, automatically
63. 10 Excellent Ways to Secure Spring Boot
1. Use HTTPS
2. Scan dependencies
3. Dependencies up-to-date
4. Enable CSRF protection
5. Use a Content Security Policy
6. Use OIDC
7. Hash passwords
8. Store secrets securely
9. Test with OWASP's ZAP
10. Code review with experts