SlideShare uma empresa Scribd logo

Slides for the #JavaOne Session ID: CON11881

Transferir como PPTX, PDF
Masoud Kalali
Masoud Kalali

Addressing top 10 OWASP security concerns in Java EE and GlassFish

Tecnologia
1 de 61
Java EE 6 Security in practice with GlassFish Markus Eisele & Masoud Kalali
Agenda • Introduction • The Top 10 Most Critical Web Application Security Risks • Take Away
Masoud Kalali Markus Eisele http://kalali.me http://blog.eisele.net http://twitter.com/MasoudKalali http://twitter.com/myfear Masoud.Kalali@oracle.com Markus.eisele@msg-systems.com software engineer, Java EE 7 EG, author, blogger, architect, husband, father of two, climber and flute enthusiast photographer, speaker, writer
Java EE 6 & GlassFish glassfish.org
Galleria Project https://bitbucket.org/VineetReynolds/java-ee-6-galleria/
Galleria Project ? http://blog.eisele.net/2012/03/java-ee-6-galleria-example-part-1.html
Galleria and Security • Form based authentication • JDBCRealm • request.login(userId, new String(password)); • @RolesAllowed({ "RegisteredUsers" }) Enough? State-of-the-Art? Feeling-good-with-it™?
Motivation for this talk • Seen a lot • Providing a starting point • Sharing something • Making you aware • Plus: Finding out about “the security state of Galleria”
The Top 10 Most Critical Web Application Security Risks Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) Aka OWASP Top-10* Source: http://owasptop10.googlecode.com
What is OWASP? • Open Web Application Security Project • Improving the security of (web) application software – Not-for-profit organization since 2001 – Raise interest in secure development • Documents – Top 10 – Cheat Sheets – Development Guides • Solutions – Enterprise Security API (ESAPI) – WebScarab – WebGoat
A1 - Injection
What is it? • Sending unintended data to applications • Manipulating and reading Data stores (e.g. DB, LDAP) • Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP) – Database access (JPA, JDBC)
How to spot it String id = "x'; DROP TABLE members; --"; // user-input Query query = em.createNativeQuery("SELECT * FROM PHOTO WHERE ID =" + id, Photo.class); Query query2 = em.createNativeQuery("SELECT * FROM MAG WHERE ID ?1", Magazine.class); query2.setParameter(1, id);
Prevent Injection • Sanitize the input • Escape/Quotesafe the input • Use bound parameters (the PREPARE statement) • Limit database permissions and segregate users • Use stored procedures for database access (might work) • Isolate the webserver • Configure error reporting
A2 - Cross-Site Scripting (XSS)
What is it? • Inject malicious code into user interfaces • Get access to browser information – E.g. javascript:alert(document.cookie) • Steal user’s session, steal sensitive data • Rewrite web page or parts • Redirect user to phishing or malware site • Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP)
How to spot it • Problems with sanitizing <h:outputText value="#{user.content}" escape="false"/> • Weird Input <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4=">T est</a>
Prevent • Sanitize the input • Escape/Quotesafe the input • Use Cookie flags: – httpOnly (prevents XSS access) https://code.google.com/p/owasp-esapi-java/
A3 - Broken Authentication and Session Management
What is it? • Container Security vs. own solution • Session Binding / Session Renewal • Passwords – Strength (length/complexity) – Plain text passwords (http/https) – Recovery mechanisms • Number of factors used for authentication • Java EE 6 affected: – JAAS / JASPIC – Filter / PhaseListener – Container and Web-App configuration
How to spot it • Authentication over http • Custom security filter • Not using Container Functionality • No password strength requirements • No HttpSession binding • Way of saving Passwords • Not testing security
Best Practices • Go with provided Standard Realms and LoginModules whenever possible • If you need custom ones: Test them extremely carefully! • Use transport layer encryption (TLS/SSL) • Use Cookie flags: – secure (avoid clear text transmission)
A4 – Insecure Direct Object References
What is it? • Accessing domain objects with their PK https://you.com/user/1 => https://you.com/user/21 • Opening opportunities for intruders • Information hiding on the client • Parameter value tampering • Java EE 6 affected: – All layers – Especially data access
How to spot it • Data separation for users (tenants) • Request mode access for data (RUD) • Query constraints
Best Practices • Use AccessReferenceMaps http://app?file=Report123.xls http://app?file=1 http://app?id=9182374 http://app?id=7d3J93 • Validate object references • Use data-driven security • Always Perform additional data authorization on the view
A5 - Cross Site Request Forgery (CSRF)
What is it? • Basically a capture-replay attack • Malicious code executes functions on your behalf while being authenticated • Deep links make this easier • JavaEE 6 affected: – UI technology of choice (e.g. JSF, JSP)
How to spot it • A “secret Cookie” • Only POST requests • Wizard like transactions • Simple URL rewriting
Best Practices • Add Unpredictability (tokens) – Hidden Field, Single-Use URLs – Request or Session Scope • CSRFPreventionForm (JSF 1.2 & 2) http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html • Use OWASP ESAPI http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross- site-request-forgery-csrf/
A6 - Security Misconfiguration
What is it? • Applies to – Operating System – Application Server – Databases – Additional Services • Includes (beside _many_ others) – All security relevant configuration – Missing Patches – Default accounts
Worst Practices • Not restricting GlassFish user nor enabling security manager • Network interfaces/sockets access control • Relaxed File system access control • Using any defaults like: – Passwords: Admin, master password – Network interface binding: Listening on 0.0.0.0 – Certificates: Self signed certificate • Using a not hardened OS!
Policy Files location • Global Policy File: java.home/jre/lib/security/java.policy • User Policy File: user.home/.java.policy • Domain Policy File: domain.home/config/server.policy • Application Policy File: domain.home/generated/policy/<app.name>/ <module.name>/granted.policy
Running GlassFish in a Secure Environment • Use the latest version (3.1.2.2) • Enable secure admin (TLS/https) • Use password aliasing • Enable security manager and put forth a proper security policy file • Set correct file system permissions http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
Review the *.policy files • Policy files precedence order • Remove unused grants • Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain. • Document your changes!
A7 - Failure to Restrict URL Access
What is it? • Presentation layer access control • Related to A4 – Insecure Direct Object References
Worst Practice • Using home-grown security features instead of container provided ones • Assuming people wont know some URLs to try them • Assuming no one would misuse the extra permission and access they have
Java EE 6 • What you do to prevent, A4 plus: – Use Container security (security-constraint) – Use programmatic login of Java EE 6 if needed. – Properly configure security realms – Accurately map roles to principal/groups (auth- constraint / security-role-mapping) – Only allow supported/required HTTP methods – Accurately Categorize the URL patterns and permit the relevant roles for each
Best Practices • Any none public URL should be protected • Use container authentication/authorization features or extend on top of them • If not enough use proven frameworks/ products to protect the resources • If user can get /getpic?id=1x118uf it does not mean you should show /getpic?id=1x22ug
A8 - Insecure Cryptographic Storage
What is it? • Sensitive data kept unprotected • Sensitive data exposed to wrong persons • Could be: – Passwords – Financial/Health care data – Credit cards
Worst Practices • Storing sensitive data unencrypted • Storing comparative data unhashed (passwords/security question answer…) • Keeping clear text copies of encrypted data • Not keeping the keys/passwords well guarded
GlassFish • Protect the keystore • Protect GlassFish accounts – Use aliasing to protect the password and keep the master password safe to protect the aliases • Ignoring digest authentication/hashed password storage
Prevention • Identify sensitive data • Wisely encrypt sensitive data – On every level (application, appserver, db) – with the right algorithm and – with the right mechanism • Don’t keep clear text copies • To decrypt and view clear text should be restricted to authorized personnel • Keep the keys as protected as possible (HSM) • Keep offsite encrypted backups in addition to on-site copies
A9- Insufficient Transport Layer Protection
What is it?
Worst Practice • Using basic/form authentication without SSL • Not using HTTPS for pages with private information • Using default self signed certificate • Storing unencrypted cookies • Not setting cookies to be securely transmitted Cookie.setSecure(true) • Forgetting about the rest of the infrastructure
GlassFish • Properly configure HTTPS listener/s (set the right keystore) • Install the right server certificates to be used by SSL listeners • Properly configure the ORB over SSL listeners if needed (set the right keystore) • Enable auditing under Security and access log under HTTP Service
Java EE • Group the resources in regard to transport sensitivity using web-resource-collection • Use user-data-constraint as widely as you need for data integrity and encryption needs • Ensure that login/logout pages (in case of form auth-type) are protected by <transport- guarantee>CONFIDENTIAL</transport- guarantee>
Best Practice • Use TLS on all connections with sensitive data • Individually encrypt messages • Sign messages before transmission • Use standard strong algorithms • Use proven mechanisms when sufficient
A10 - Unvalidated Redirects and Forwards
What is it? • Redirecting to another URL computed by user provided parameters • Forward to another URL computed by user provided parameters http://www.java.net/external?url=http://www.adam- bien.com/roller/abien/entry/conveniently_transactionally_a nd_legally_starting
Worst Practices • Not using a proper access control mechanism (e.g container managed and proper security- constraint ) • Redirecting to a user provided parameter, e.g to an external website • Not to validate/verify the target with user’s access level before doing the forward
Java EE 6 • Don’t use redirect or forward as much as possible • Accurately verify/validate the target URL before forwarding or redirecting • Redirects are safe when using container managed authentication/authorization properly • Forwards happen without authentication and thus requires triple check to prevent unauthorized access.
WRAP-UP
Galleria Wrap Up
Security isn‘t all candy.. … but you will love it in the end!
CC picture reference • http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/ • http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/ • http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/ • http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/ • http://www.flickr.com/photos/082007/7108942911/sizes/l/in/photostream/ • http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/ • http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/ • http://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/ • http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/ • http://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/

Recomendados

Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishMarkus Eisele
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themMasoud Kalali
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforcegbreavin
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 

Recomendados

Security in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishSecurity in practice with Java EE 6 and GlassFish
Security in practice with Java EE 6 and GlassFishMarkus Eisele
 
How to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themHow to avoid top 10 security risks in Java EE applications and how to avoid them
How to avoid top 10 security risks in Java EE applications and how to avoid themMasoud Kalali
 
Owasp top10salesforce
Owasp top10salesforceOwasp top10salesforce
Owasp top10salesforcegbreavin
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Web application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresWeb application security: Threats & Countermeasures
Web application security: Threats & CountermeasuresAung Thu Rha Hein
 
Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Rafał Hryniewski
 
Java Security
Java SecurityJava Security
Java Securityelliando dias
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework'sMohammed Fazuluddin
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security ToolsLalit Kale
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in PracticeSecurity Innovation
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014ColdFusionConference
 
Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechFernando Redondo Ramírez
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTrivadis
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3Jason Ferguson
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017Michael Furman
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteDNN
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum
 
CodeMash 2.0.1.5 - Practical iOS App Attack & Defense
CodeMash 2.0.1.5 - Practical iOS App Attack & DefenseCodeMash 2.0.1.5 - Practical iOS App Attack & Defense
CodeMash 2.0.1.5 - Practical iOS App Attack & DefenseSeth Law
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...Aditya K Sood
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security toolsNico Penaredondo
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudAlert Logic
 

Mais conteúdo relacionado

Mais procurados

Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Rafał Hryniewski
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security ToolsLalit Kale
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTrivadis
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteDNN
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum
 
CodeMash 2.0.1.5 - Practical iOS App Attack & Defense
CodeMash 2.0.1.5 - Practical iOS App Attack & DefenseCodeMash 2.0.1.5 - Practical iOS App Attack & Defense
CodeMash 2.0.1.5 - Practical iOS App Attack & DefenseSeth Law
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...Aditya K Sood
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security toolsNico Penaredondo
 

Mais procurados (20)

Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC Essential security measures in ASP.NET MVC
Essential security measures in ASP.NET MVC
 
Java Security
Java SecurityJava Security
Java Security
 
Java Security Framework's
Java Security Framework'sJava Security Framework's
Java Security Framework's
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security Tools
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 Speech
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
 
Spring Security 3
Spring Security 3Spring Security 3
Spring Security 3
 
OWASP Top Ten 2017
OWASP Top Ten 2017OWASP Top Ten 2017
OWASP Top Ten 2017
 
How to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET WebsiteHow to Harden the Security of Your .NET Website
How to Harden the Security of Your .NET Website
 
OWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meetingOWASP Khartoum Top 10 A3 - 6th meeting
OWASP Khartoum Top 10 A3 - 6th meeting
 
CodeMash 2.0.1.5 - Practical iOS App Attack & Defense
CodeMash 2.0.1.5 - Practical iOS App Attack & DefenseCodeMash 2.0.1.5 - Practical iOS App Attack & Defense
CodeMash 2.0.1.5 - Practical iOS App Attack & Defense
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Web application Security tools
Web application Security toolsWeb application Security tools
Web application Security tools
 

Semelhante a Slides for the #JavaOne Session ID: CON11881

Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudAlert Logic
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelineskarthz
 
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONSMarkus Eisele
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QACodeFest
 
MySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 SecurityMySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 SecurityMark Swarbrick
 
Writing Secure SharePoint Code - SharePoint Saturday Toronto
Writing Secure SharePoint Code - SharePoint Saturday TorontoWriting Secure SharePoint Code - SharePoint Saturday Toronto
Writing Secure SharePoint Code - SharePoint Saturday TorontoEli Robillard
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoAditya K Sood
 

Semelhante a Slides for the #JavaOne Session ID: CON11881 (20)

Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Security guidelines
Security guidelinesSecurity guidelines
Security guidelines
 
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONS
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QA
 
MySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 SecurityMySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 Security
 
Codefest2015
Codefest2015Codefest2015
Codefest2015
 
Web Security
Web SecurityWeb Security
Web Security
 
Writing Secure SharePoint Code - SharePoint Saturday Toronto
Writing Secure SharePoint Code - SharePoint Saturday TorontoWriting Secure SharePoint Code - SharePoint Saturday Toronto
Writing Secure SharePoint Code - SharePoint Saturday Toronto
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
MySQL Security
MySQL SecurityMySQL Security
MySQL Security
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San Francisco
 

Mais de Masoud Kalali

Real world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsReal world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsMasoud Kalali
 
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EECON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EEMasoud Kalali
 
BOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectivelyBOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectivelyMasoud Kalali
 
Real-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and SolutionsReal-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and SolutionsMasoud Kalali
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceMasoud Kalali
 
Utilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityUtilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityMasoud Kalali
 
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!Masoud Kalali
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingMasoud Kalali
 
An Overview of RUP methodology
An Overview of RUP methodologyAn Overview of RUP methodology
An Overview of RUP methodologyMasoud Kalali
 
An overview of software development methodologies.
An overview of software development methodologies.An overview of software development methodologies.
An overview of software development methodologies.Masoud Kalali
 
NIO.2, the I/O API for the future
NIO.2, the I/O API for the futureNIO.2, the I/O API for the future
NIO.2, the I/O API for the futureMasoud Kalali
 

Mais de Masoud Kalali (12)

Real world RESTful service development problems and solutions
Real world RESTful service development problems and solutionsReal world RESTful service development problems and solutions
Real world RESTful service development problems and solutions
 
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EECON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
CON 2107- Think Async: Embrace and Get Addicted to the Asynchronicity of EE
 
BOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectivelyBOF 2193 - How to work from home effectively
BOF 2193 - How to work from home effectively
 
Real-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and SolutionsReal-World RESTful Service Development Problems and Solutions
Real-World RESTful Service Development Problems and Solutions
 
Java EE 7 overview
Java EE 7 overviewJava EE 7 overview
Java EE 7 overview
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
 
Utilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE SecurityUtilize the Full Power of GlassFish Server and Java EE Security
Utilize the Full Power of GlassFish Server and Java EE Security
 
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
Server Sent Events, Async Servlet, Web Sockets and JSON; born to work together!
 
Security in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missingSecurity in java ee platform: what is included, what is missing
Security in java ee platform: what is included, what is missing
 
An Overview of RUP methodology
An Overview of RUP methodologyAn Overview of RUP methodology
An Overview of RUP methodology
 
An overview of software development methodologies.
An overview of software development methodologies.An overview of software development methodologies.
An overview of software development methodologies.
 
NIO.2, the I/O API for the future
NIO.2, the I/O API for the futureNIO.2, the I/O API for the future
NIO.2, the I/O API for the future
 

Último

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Último (20)

AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Slides for the #JavaOne Session ID: CON11881

  • 1. Java EE 6 Security in practice with GlassFish Markus Eisele & Masoud Kalali
  • 2. Agenda • Introduction • The Top 10 Most Critical Web Application Security Risks • Take Away
  • 3. Masoud Kalali Markus Eisele http://kalali.me http://blog.eisele.net http://twitter.com/MasoudKalali http://twitter.com/myfear Masoud.Kalali@oracle.com Markus.eisele@msg-systems.com software engineer, Java EE 7 EG, author, blogger, architect, husband, father of two, climber and flute enthusiast photographer, speaker, writer
  • 4. Java EE 6 & GlassFish glassfish.org
  • 6. Galleria Project ? http://blog.eisele.net/2012/03/java-ee-6-galleria-example-part-1.html
  • 7.
  • 8. Galleria and Security • Form based authentication • JDBCRealm • request.login(userId, new String(password)); • @RolesAllowed({ "RegisteredUsers" }) Enough? State-of-the-Art? Feeling-good-with-it™?
  • 9. Motivation for this talk • Seen a lot • Providing a starting point • Sharing something • Making you aware • Plus: Finding out about “the security state of Galleria”
  • 10. The Top 10 Most Critical Web Application Security Risks Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) Aka OWASP Top-10* Source: http://owasptop10.googlecode.com
  • 11. What is OWASP? • Open Web Application Security Project • Improving the security of (web) application software – Not-for-profit organization since 2001 – Raise interest in secure development • Documents – Top 10 – Cheat Sheets – Development Guides • Solutions – Enterprise Security API (ESAPI) – WebScarab – WebGoat
  • 13. What is it? • Sending unintended data to applications • Manipulating and reading Data stores (e.g. DB, LDAP) • Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP) – Database access (JPA, JDBC)
  • 14. How to spot it String id = "x'; DROP TABLE members; --"; // user-input Query query = em.createNativeQuery("SELECT * FROM PHOTO WHERE ID =" + id, Photo.class); Query query2 = em.createNativeQuery("SELECT * FROM MAG WHERE ID ?1", Magazine.class); query2.setParameter(1, id);
  • 15. Prevent Injection • Sanitize the input • Escape/Quotesafe the input • Use bound parameters (the PREPARE statement) • Limit database permissions and segregate users • Use stored procedures for database access (might work) • Isolate the webserver • Configure error reporting
  • 16. A2 - Cross-Site Scripting (XSS)
  • 17. What is it? • Inject malicious code into user interfaces • Get access to browser information – E.g. javascript:alert(document.cookie) • Steal user’s session, steal sensitive data • Rewrite web page or parts • Redirect user to phishing or malware site • Java EE 6 affected: – UI technology of choice (e.g. JSF, JSP)
  • 18. How to spot it • Problems with sanitizing <h:outputText value="#{user.content}" escape="false"/> • Weird Input <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgvWFNTLyk8L3NjcmlwdD4=">T est</a>
  • 19. Prevent • Sanitize the input • Escape/Quotesafe the input • Use Cookie flags: – httpOnly (prevents XSS access) https://code.google.com/p/owasp-esapi-java/
  • 20. A3 - Broken Authentication and Session Management
  • 21. What is it? • Container Security vs. own solution • Session Binding / Session Renewal • Passwords – Strength (length/complexity) – Plain text passwords (http/https) – Recovery mechanisms • Number of factors used for authentication • Java EE 6 affected: – JAAS / JASPIC – Filter / PhaseListener – Container and Web-App configuration
  • 22. How to spot it • Authentication over http • Custom security filter • Not using Container Functionality • No password strength requirements • No HttpSession binding • Way of saving Passwords • Not testing security
  • 23. Best Practices • Go with provided Standard Realms and LoginModules whenever possible • If you need custom ones: Test them extremely carefully! • Use transport layer encryption (TLS/SSL) • Use Cookie flags: – secure (avoid clear text transmission)
  • 24. A4 – Insecure Direct Object References
  • 25. What is it? • Accessing domain objects with their PK https://you.com/user/1 => https://you.com/user/21 • Opening opportunities for intruders • Information hiding on the client • Parameter value tampering • Java EE 6 affected: – All layers – Especially data access
  • 26. How to spot it • Data separation for users (tenants) • Request mode access for data (RUD) • Query constraints
  • 27. Best Practices • Use AccessReferenceMaps http://app?file=Report123.xls http://app?file=1 http://app?id=9182374 http://app?id=7d3J93 • Validate object references • Use data-driven security • Always Perform additional data authorization on the view
  • 28. A5 - Cross Site Request Forgery (CSRF)
  • 29. What is it? • Basically a capture-replay attack • Malicious code executes functions on your behalf while being authenticated • Deep links make this easier • JavaEE 6 affected: – UI technology of choice (e.g. JSF, JSP)
  • 30. How to spot it • A “secret Cookie” • Only POST requests • Wizard like transactions • Simple URL rewriting
  • 31. Best Practices • Add Unpredictability (tokens) – Hidden Field, Single-Use URLs – Request or Session Scope • CSRFPreventionForm (JSF 1.2 & 2) http://blog.eisele.net/2011/02/preventing-csrf-with-jsf-20.html • Use OWASP ESAPI http://www.jtmelton.com/2010/05/16/the-owasp-top-ten-and-esapi-part-6-cross- site-request-forgery-csrf/
  • 32. A6 - Security Misconfiguration
  • 33. What is it? • Applies to – Operating System – Application Server – Databases – Additional Services • Includes (beside _many_ others) – All security relevant configuration – Missing Patches – Default accounts
  • 34. Worst Practices • Not restricting GlassFish user nor enabling security manager • Network interfaces/sockets access control • Relaxed File system access control • Using any defaults like: – Passwords: Admin, master password – Network interface binding: Listening on 0.0.0.0 – Certificates: Self signed certificate • Using a not hardened OS!
  • 35. Policy Files location • Global Policy File: java.home/jre/lib/security/java.policy • User Policy File: user.home/.java.policy • Domain Policy File: domain.home/config/server.policy • Application Policy File: domain.home/generated/policy/<app.name>/ <module.name>/granted.policy
  • 36. Running GlassFish in a Secure Environment • Use the latest version (3.1.2.2) • Enable secure admin (TLS/https) • Use password aliasing • Enable security manager and put forth a proper security policy file • Set correct file system permissions http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
  • 37. Review the *.policy files • Policy files precedence order • Remove unused grants • Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain. • Document your changes!
  • 38. A7 - Failure to Restrict URL Access
  • 39. What is it? • Presentation layer access control • Related to A4 – Insecure Direct Object References
  • 40. Worst Practice • Using home-grown security features instead of container provided ones • Assuming people wont know some URLs to try them • Assuming no one would misuse the extra permission and access they have
  • 41. Java EE 6 • What you do to prevent, A4 plus: – Use Container security (security-constraint) – Use programmatic login of Java EE 6 if needed. – Properly configure security realms – Accurately map roles to principal/groups (auth- constraint / security-role-mapping) – Only allow supported/required HTTP methods – Accurately Categorize the URL patterns and permit the relevant roles for each
  • 42. Best Practices • Any none public URL should be protected • Use container authentication/authorization features or extend on top of them • If not enough use proven frameworks/ products to protect the resources • If user can get /getpic?id=1x118uf it does not mean you should show /getpic?id=1x22ug
  • 43. A8 - Insecure Cryptographic Storage
  • 44. What is it? • Sensitive data kept unprotected • Sensitive data exposed to wrong persons • Could be: – Passwords – Financial/Health care data – Credit cards
  • 45. Worst Practices • Storing sensitive data unencrypted • Storing comparative data unhashed (passwords/security question answer…) • Keeping clear text copies of encrypted data • Not keeping the keys/passwords well guarded
  • 46. GlassFish • Protect the keystore • Protect GlassFish accounts – Use aliasing to protect the password and keep the master password safe to protect the aliases • Ignoring digest authentication/hashed password storage
  • 47. Prevention • Identify sensitive data • Wisely encrypt sensitive data – On every level (application, appserver, db) – with the right algorithm and – with the right mechanism • Don’t keep clear text copies • To decrypt and view clear text should be restricted to authorized personnel • Keep the keys as protected as possible (HSM) • Keep offsite encrypted backups in addition to on-site copies
  • 48. A9- Insufficient Transport Layer Protection
  • 50. Worst Practice • Using basic/form authentication without SSL • Not using HTTPS for pages with private information • Using default self signed certificate • Storing unencrypted cookies • Not setting cookies to be securely transmitted Cookie.setSecure(true) • Forgetting about the rest of the infrastructure
  • 51. GlassFish • Properly configure HTTPS listener/s (set the right keystore) • Install the right server certificates to be used by SSL listeners • Properly configure the ORB over SSL listeners if needed (set the right keystore) • Enable auditing under Security and access log under HTTP Service
  • 52. Java EE • Group the resources in regard to transport sensitivity using web-resource-collection • Use user-data-constraint as widely as you need for data integrity and encryption needs • Ensure that login/logout pages (in case of form auth-type) are protected by <transport- guarantee>CONFIDENTIAL</transport- guarantee>
  • 53. Best Practice • Use TLS on all connections with sensitive data • Individually encrypt messages • Sign messages before transmission • Use standard strong algorithms • Use proven mechanisms when sufficient
  • 54. A10 - Unvalidated Redirects and Forwards
  • 55. What is it? • Redirecting to another URL computed by user provided parameters • Forward to another URL computed by user provided parameters http://www.java.net/external?url=http://www.adam- bien.com/roller/abien/entry/conveniently_transactionally_a nd_legally_starting
  • 56. Worst Practices • Not using a proper access control mechanism (e.g container managed and proper security- constraint ) • Redirecting to a user provided parameter, e.g to an external website • Not to validate/verify the target with user’s access level before doing the forward
  • 57. Java EE 6 • Don’t use redirect or forward as much as possible • Accurately verify/validate the target URL before forwarding or redirecting • Redirects are safe when using container managed authentication/authorization properly • Forwards happen without authentication and thus requires triple check to prevent unauthorized access.
  • 60. Security isn‘t all candy.. … but you will love it in the end!
  • 61. CC picture reference • http://www.flickr.com/photos/wallyg/2439494447/sizes/l/in/photostream/ • http://www.flickr.com/photos/62983199@N04/7188112487/sizes/l/in/photostream/ • http://www.flickr.com/photos/stuckincustoms/3466470709/sizes/l/in/photostream/ • http://www.flickr.com/photos/lukemontague/187987292/sizes/l/in/photostream/ • http://www.flickr.com/photos/082007/7108942911/sizes/l/in/photostream/ • http://www.flickr.com/photos/ndrwfgg/140411433/sizes/l/in/photostream/ • http://www.flickr.com/photos/gingerblokey/4130969725/sizes/l/in/photostream/ • http://www.flickr.com/photos/bpc009/3328427457/sizes/l/in/photostream/ • http://www.flickr.com/photos/marine_corps/6950409157/sizes/l/in/photostream/ • http://www.flickr.com/photos/cindy47452/2898015652/sizes/l/in/photostream/

Notas do Editor

  1. I like this one 