Sicher in die Cloud mit Angular 2 und Spring Boot

Sicher in die Cloud mit Angular 2 und Spring Boot

Andreas FalkGerman OWASP Day

29.11.2016


2

Andreas Falk / GermanyNovaTec Consulting [email protected]

@agile_security

AgileThreat Modeling

Clou

d

Spring

SecurityScrum

Kanb

an

TDD

Code ReviewClea

n Co

deStatic Analysis

ArchitectureOWASP

Java EE

Mic

rose

rvic

es

IoTBDD

DevO

ps

Web

Java

SSO

OAuth2

SAML

mailto:[email protected]


3


4

DevOpsProduct Owner

Entwicklung

QA

Betrieb

InfoSec

Crossfunktionale Teams


5

DevOpsProduct Owner

Entwicklung

QA

Betrieb

InfoSec

Crossfunktionale Teams


7

Identity Server

Angular 2

API Gateway

Microservice

HTTPS

Microservice

HTTPS

HTTPS HTTPS

DB

DB

JDBC

JDBC

Architektur / Threat Model

HTTPS


8

Angular 2https://angular.io


9

https://angularjs.blogspot.de/2016/09/angular-16-expression-sandbox-removal.html

Angular 1.x

Angular 2


10

https://github.com/angular/angular/issues/8511


11

Sicherheitseinstufung in Angular 2Alle Werte (Alles was ins DOM wandert)

Angular Templates (Vorsicht: Template-Injection)

Kontextabhängige Sanitization und EscapingHTML (z.B. Bindings mit „innerHtml“)

Style (CSS Bindings)

URL (URL Eigenschaften wie <a href>

Resource URL (z.B. <image src> oder <script src>)


12

https://angular.io/docs/ts/latest/api/platform-browser/index/DomSanitizer-class.html


13

„Double Submit Cookie“ Support in Angular 2

XSRF-TOKEN Cookie

Client ServerX-XSRF-TOKEN Header +

XSRF-TOKEN Cookie

CSRF Schutz


14

Backendhttps://spring.io/platform


15

Spring Boot

Spring Security

Spring Data JPA

Spring Framework


16

Eine sichere Web-Anwendung in 5 Minuten


17

Authentifizierung aller URLs

Session Fixation Schutz

Session Cookie (HttpOnly, Secure)

CSRF Angriffschutz

Security Response Header

„Secure By Default“ Konfiguration


18

@Configurationpublic class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

@Override protected void configure(HttpSecurity http) throws Exception { … http .csrf().csrfTokenRepository( CookieCsrfTokenRepository.withHttpOnlyFalse() );}

CSRF Konfiguration für Angular 2


19

public interface PasswordEncoder { String encode(CharSequence rawPassword);

boolean matches( CharSequence rawPassword, String encodedPassword);}

Sichere Passwortverschlüsselung


20

Sichere Passwortverschlüsselung

Encoder Implementierungen:

BCryptPasswordEncoder

SCryptPasswordEncoder

Pbkdf2PasswordEncoder

BytesEncryptor (BouncyCastle)


21

Authorization Server

Client Resource Server

OAuth2 = Autorisierung

https://oauth.net/2


22

OpenID Connect = Authentifizierung

https://openid.net/connect

OAuth 2

JWT JWS JWE

OpenID Connect

JWK


23

Tweetable OAuth2 Application


24

https://github.com/IdentityServer/IdentityServer3


25

@Entitypublic class Person extends AbstractPersistable<Long> {

@NotNull @Pattern(regexp = "^[A-Za-z0-9- ]{1,30}$") private String lastName;

@NotNull @Enumerated(EnumType.STRING) private GenderEnum gender; ...}

Input ValidierungTypisierung und Bean Validation (REST Interface UND in JPA Entity)


26

@Query("select u from User u where u.username = " + " :username and u.password = :password")User findByUsernameAndPassword( @Param("username") String username, @Param("password") String password);

SQL Injection SchutzPrepared Statements mit Spring Data JPA


27

public class UserBoundaryService {

@PreAuthorize("hasRole('ADMIN')") public List<User> findAllUsers() {…}}-------------------------------------public class TaskBoundaryService {

@PreAuthorize("hasPermission(#task.getProject().getId(), @permissionTargetType.PROJECT, @accessType.WRITE)") public Task createTask(Task task) {…}}

Autorisierung der REST APIRollen- oder Rechtebasiert


28

public class AuthorizationIntegrationTest {

@WithMockUser(roles = "ADMIN") @Test public void verifyFindAllUsersIsAuthorized() {…}

@WithMockUser(roles = "USER") @Test(expected = AccessDeniedException.class) public void verifyFindAllUsersIsUnauthorized() {…} …}

Test der REST APIServerseitige Tests (mit Security)


29

Cloud Plattformhttps://www.cloudfoundry.org/


30

Rotate

Repair

Repavehttps://www.youtube.com/watch?v=NUXpz0Dni50Justin Smith, Pivotal


31

What if every server inside my data center had a maximum lifetime of two hours?This approach would frustrate malware writers, because it limits the amount of time to exploit known vulnerabilities before they are patched.

“

“Justin Smith, Pivotal

Repave


32

Rotate

MicroserviceDB

JDBC

Service Binding Credentials


33

RepairSpring Boot + Spring Platform

CloudFoundry Java Buildpack

CloudFoundry OPS Manager

AWS Azure OpenStack30 Cloudfoundry Releases in 2016!


34

Verify for Security Early and Often

Parameterize Queries

Encode Data

Validate All Inputs

DevOps / Code Reviews

Spring Data JPA

Angular 2 Kontext-Sanitizer

Typisierte Eingaben / Bean Validation

Summary (1)

https://www.owasp.org/index.php/OWASP_Proactive_Controls


35

Implement Identity and Authentication Controls

Implement Access Controls

Protect Data

OAuth2 + OpenID Connect

Summary (2)


Spring Security Autorisierung

Spring Security Password Encoder


36

Implement Logging and Intrusion Detection

Leverage Security Frameworks and Libraries

Error and Exception Handling Spring Error ControllerJava Exception Handling

Slf4J Logger, Splunk, Auditing, (AppSensor)

Spring SecuritySpring Boot + Spring Platform

Summary (3)



37

Andreas Falk / GermanyNovaTec Consulting [email protected]

@agile_security

mailto:[email protected]

Documents

Sicher in die Cloud mit Angular 2 und Spring Boot