owasp appseceu 2016 rome - building secure cloud native apps
TRANSCRIPT
Andreas Falk
Building secure cloud-native apps
with spring boot & security
About me
Building secure cloud-native apps with spring boot & security 2
Andreas Falk / Germany
NovaTec Consulting GmbH [email protected]
@Agile_Security
Agile
Threat Modeling
Clo
ud
Spring
Security
Scrum
Kan
ba
n
TDD
Code Review
Cle
an
Cod
e
Static Analysis
Architecture
OWASP
Java EE
Mic
rose
rvic
es
IoT
BDD
Dev
Op
s
Web
Ja
va
SSO
OAuth2
SAML
Developers vs. Security
Building secure cloud-native apps with spring boot & security 3
Java
Developers vs. Security
Building secure cloud-native apps with spring boot & security 4
Cloud
IoT Microservices
BigData Single Page Apps
Testing
NoSQL DevOps
Agile
Cross-Functional
Security?
Java8
Secure Web Application in 5 minutes
Building secure cloud-native apps with spring boot & security 5
Live Coding Demo
Cloud Native
Building secure cloud-native apps with spring boot & security 6
Cloud Native
Building secure cloud-native apps with spring boot & security 7
DevOps
Continuous Delivery
Microservices
Containers
Culture
Process
Architecture
Technology
JP Morgan Chase‘s Cloud Native MM
Building secure cloud-native apps with spring boot & security 8
Cloud Native Level 3
Cloud Resilient Level 2
Cloud Friendly Level 1
Cloud Ready Level 0
JP Morgan Chase‘s Cloud Native MM
Building secure cloud-native apps with spring boot & security 9
Cloud Native Level 3
Cloud Resilient Level 2
Cloud Friendly Level 1
Cloud Ready Level 0
12 Factor App
One Code Base
Externalize Configuration
…
http://12factor.net
Process
Process Process
From Monolith To Microservices
Building secure cloud-native apps with spring boot & security 10
Process Process
Java
Process
C#
Process
Python
Process
Java
Microservice = Spring Boot
Standalone Spring Apps
Auto Configuration
Embedded Servlet Container
„Make JAR Not WAR“
Production-Ready Features
Building secure cloud-native apps with spring boot & security 11
Cloud Native
Building secure cloud-native apps with spring boot & security 12
Secure
Secure Continuous Delivery ?
Building secure cloud-native apps with spring boot & security 13
Time
Attacks (24x7)
Deployments Penetration Test
Sprint Sprint Sprint Sprint Sprint Sprint
Agile Security / SecDevOps
Building secure cloud-native apps with spring boot & security
Sprint
Releasable
Increment
Ops /
Support Product
Backlog
Continuous Delivery
Vision
+ Security 14
Today‘s Session !!!
Secure Cloud-Native Applications
Secure
+
Cloud-Native
Building secure cloud-native apps with spring boot & security 15
Spring Security
+
Spring Boot
=
Spring Security
„Secure By Default“ Configuration
Authentication / Authorization
Secure Password Encoding
Testing Support
Building secure cloud-native apps with spring boot & security 16
„Secure By Default“ Configuration Require Authentication for all URLs: On
Session Fixation Protection: On
Session Cookie (HttpOnly, Secure): On
CSRF Attack Protection: On
Security Response Headers: On
Building secure cloud-native apps with spring boot & security 17
Java
Security Response Headers
Building secure cloud-native apps with spring boot & security 18
Cache Control
X-Content-Type-Options
X-Frame-Options
X-XSS-Protection
HTTP Strict Transport Security (SSL)
Secure Password Encoding
public interface PasswordEncoder {
String encode(CharSequence rawPassword);
boolean matches(
CharSequence rawPassword,
String encodedPassword);
}
Building secure cloud-native apps with spring boot & security 19
Java
Secure Password Encoding
public interface PasswordEncoder {
String encode(CharSequence rawPassword);
boolean matches(
CharSequence rawPassword,
String encodedPassword);
}
Building secure cloud-native apps with spring boot & security 20
Java
Encoder Implementations
BCryptPasswordEncoder
SCryptPasswordEncoder
Pbkdf2PasswordEncoder
BytesEncryptor (implementation for BouncyCastle)
„Secure By Default“ Conventions
Building secure cloud-native apps with spring boot & security 21
Live Coding Demo
Secure Cloud Architectures
Building secure cloud-native apps with spring boot & security 22
Microservice
API-Gateway Microservice
Microservice
UI
Secure Cloud with OAuth2
Building secure cloud-native apps with spring boot & security 23
Microservice
API-Gateway Microservice
Microservice
UI
OAuth2
Token
Token Token
Token
Token
OAuth2 Client
Authorization Server
Resource Server
Secure Cloud with OAuth2
Building secure cloud-native apps with spring boot & security 24
Microservice
API-Gateway Microservice
Microservice
UI
OAuth2
Token
Token Token
Token
Token
OAuth2 Client
Authorization Server
Resource Server
More Details on OAuth2:
Session on OpenId Connect
earlier today @AppSecEU
Tweetable OAuth2 Application
Building secure cloud-native apps with spring boot & security 25
Java
Secure Microservices With OAuth2
Building secure cloud-native apps with spring boot & security 26
Live Coding Demo
Runtime Application
Self-Protection
Building secure cloud-native apps with spring boot & security 27
RASP With AppSensor
Building secure cloud-native apps with spring boot & security 28
http://appsensor.org
https://github.com/jtmelton/appsensor
Cloud Native
App AppSensor
Integration 1: Event
3: Response
2: Attack
AppSensor UI Analytics
Policy Detection
Points
AppSensor
UI
Building secure cloud-native apps with spring boot & security 30
AppSensor
UI
Building secure cloud-native apps with spring boot & security 31
AppSensor
UI
Building secure cloud-native apps with spring boot & security 32
Wrap Up: Secure Cloud-Native Apps
Building secure cloud-native apps with spring boot & security 33
Web
C
lou
d
Spring Security
Spring Boot
Spring IO Platform
Spring Security OAuth2
Spring Cloud
R
A
S
P
Wrap Up: Secure Cloud-Native Apps
Building secure cloud-native apps with spring boot & security 34
„Secure By Default“ Conventions !!
„Secure By Default“ Developer API‘s !!
Java
Questions?
Building secure cloud-native apps with spring boot & security 35
Andreas Falk
NovaTec Consulting GmbH [email protected]
@Agile_Security
https://github.com/andifalk/appseceu2016
http://projects.spring.io/spring-security
http://projects.spring.io/spring-security-oauth