Securing RESTful services with Spring HATEOAS & Hdiv
Roberto Velasco (@hdivroberto)
About me
Spring I/O 2016
Roberto Velasco
CEO at Hdiv Security
Working as Java Software Architect since 2004
Involved in Software Security since 2001
Hdiv Security Framework founder in 2008
About this talk
It's not about: Authentication, Role Based Access Control, Best Practices
It's about: Security Automation, Security by Design
Agenda
1 APIs security overview
2 Why
3 The solution
4 Spring HATEOAS & Hdiv
1 APIS SECURITY OVERVIEW
APIs everywhere
The old new things
What about security in this new scenario?
LET’S SEE A DEMO
Spring HATEOAS & Android
The old new things
The most important risks remain the same, represented by the OWASP Top 10
The client-side approach leaves us more exposed:
Controller inside the client
More business logic on the client side
How big is the problem?
86% of all websites tested had at least 1 serious vulnerability
2 WHY
Security issues
Bugs: SQL Injection, XSS, etc. Easy to find and fix.
Design flaws: forgetting to authenticate a user; unauthorized access to a record. No tool to find them and complex to fix.
Design Flaws (IEEE Cyber Security)
Why
Current technology to develop services is insecure by default
It doesn't protect from bugs and design flaws
Security depends on people
Security solutions
AST (Application Security Testing): recommended for security bugs; detected issues must be solved by developers
WAF (Web Application Firewall): tries to protect from bugs and security design flaws, but... false positives and costly implementation
Summary
Foundational software providers: don't protect from bugs nor from security design flaws
Security providers: bugs are well detected by AST, but this represents significant fixing work for developers; design flaws are not properly covered by WAFs
3 THE SOLUTION
The solution
Different problems require different solutions
The solution for… Design flaws
Current approach: everything open, close manually
Proposed approach: Security By Default. Everything closed by default, open manually
The server defines what is allowed: Hypermedia
The server rejects all the requests that don't respect the original contract
Integrity validation for read-only data
White & black list validation for editable data (text fields)
The solution for… Bugs
We need a detection mechanism: AST tools
We need to automate the protection of the detected issues
Don't do anything for read-only data
Strict white-list validation for vulnerable text fields; show the error in the text field
4 SPRING HATEOAS & Hdiv
Spring HATEOAS
The most important HATEOAS implementation in Java
Includes a format for links, based on HAL
Complete form definition not covered
Form support Pull Request: https://github.com/spring-projects/spring-hateoas/pull/447
Participants & Collaborators: Mike Amundsen, Dietrich Schulten, Oliver Gierke
Supported hypermedia formats
Forms: HAL-FORMS, Siren, HTML
Links: HAL
Form Support in Action
Form definition example

@RequestMapping(method = RequestMethod.GET)
public ResourceSupport charge() {
    ResourceSupport resourceSupport = new ResourceSupport();
    // the link carries the form (affordance) derived from the parameters of charge()
    resourceSupport.add(linkTo(methodOn(TransferController.class).charge(new Charge())).build());
    // code omitted here
    return resourceSupport;
}

public class Charge {
    private String fromAccount;
    private double amount;

    // @Select restricts fromAccount to the server-provided options; @Input marks amount as editable and required
    public Charge(@Select(options = CashAccountOptions.class) String fromAccount,
                  @Input(editable = true, required = true) double amount) {
        // code omitted here
    }
}
Several form formats are supported. HAL-FORMS example:

{
  "_links": {
    "self": {
      "href": "http://localhost:9000/hdiv-ee-bank-services/api/transfer?rel=halforms:make-transfer"
    },
    "curies": [
      {"href": "{href}{?rel}", "name": "halforms", "templated": true}
    ]
  },
  "_templates": {
    "default": {
      "method": "POST",
      "properties": [
        {"name": "fromAccount", "readOnly": true, "suggest": [
          {"value": "00948343154448310446", "prompt": "Checking Account"},
          {"value": "91123204989505683033", "prompt": "Individual Retirement Accounts (IRAs)"}
        ]},
        {"name": "toAccount", "readOnly": false, "required": true},
        {"name": "description", "readOnly": false, "required": true},
        {"name": "amount", "readOnly": false, "value": "0.0", "required": true},
        {"name": "fee", "readOnly": true, "value": "5.0"}
      ]
    }
  }
}
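As an added example (not from the slides and not Hdiv's own code), the following Python sketch shows the "everything closed by default" check that the server-issued contract enables, serving both the design-flaw slides above and this HAL-FORMS example: it takes the transfer template, constructed inline, and rejects a submitted body that alters read-only values, picks an account that was not suggested, sends a parameter the server never offered, or fails the white-list of an editable text field. The per-field white-lists are this example's own assumption; the slide's template carries no such rules.

```python
import json
import re

# Constructed HAL-FORMS template, modelled on the transfer form from the slide.
TEMPLATE = json.loads("""
{"_templates": {"default": {"method": "POST", "properties": [
  {"name": "fromAccount", "readOnly": true, "suggest": [
    {"value": "00948343154448310446", "prompt": "Checking Account"},
    {"value": "91123204989505683033", "prompt": "Individual Retirement Accounts (IRAs)"}]},
  {"name": "toAccount", "readOnly": false, "required": true},
  {"name": "description", "readOnly": false, "required": true},
  {"name": "amount", "readOnly": false, "value": "0.0", "required": true},
  {"name": "fee", "readOnly": true, "value": "5.0"}]}}}
""")

# Assumed per-field white-lists for the editable text fields; the HAL-FORMS
# template on the slide carries no such rules, so these are this example's own.
WHITELIST = {
    "toAccount": r"[0-9]{20}",
    "description": r"[A-Za-z0-9 .,-]{1,80}",
    "amount": r"[0-9]{1,9}(\.[0-9]{1,2})?",
}


def validate(template, body, whitelist=WHITELIST):
    """Check a submitted form body against the template the server issued.

    Returns a list of violations; an empty list means the request respects
    the contract. Unknown parameters, altered read-only values, options that
    were never suggested and editable text outside its white-list are rejected.
    """
    props = template["_templates"]["default"]["properties"]
    offered_names = {p["name"] for p in props}
    errors = [f"{n}: parameter not offered by the server"
              for n in body if n not in offered_names]
    for p in props:
        name, value = p["name"], body.get(p["name"])
        if value is None:
            if p.get("required"):
                errors.append(f"{name}: required field missing")
            continue
        if p.get("readOnly"):
            # Integrity check: the client may only echo what the server gave it
            offered = {s["value"] for s in p["suggest"]} if "suggest" in p else {p.get("value")}
            if value not in offered:
                errors.append(f"{name}: read-only value altered")
        elif name in whitelist and not re.fullmatch(whitelist[name], str(value)):
            errors.append(f"{name}: value rejected by white-list")
    return errors
```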
Try it! hdivsecurity.com/try-it-springio
Summary
Hypermedia offers an excellent foundation to cover security design
Hypermedia helps to automate the protection against detected security bugs
Hypermedia formats are necessary to cover 100% of interactions
Spring HATEOAS and Hdiv make it possible to automate many security tasks
Questions & Answers