Hello and welcome. My name is Matt Raible. I'm a hick from the sticks; I grew up in the backwoods of Montana with no electricity and no running water. Some people like to call me "Raebel", so just to get that out of the way: it's Raible. And I'm here with my good friend Brian Demers. Would you like to introduce yourself, Brian?

Hi, everyone. I'm Brian Demers. I grew up with power, also sort of in the sticks, in Maine, so the other part of the country, but still the north, I would say, right?

Yeah, we're both from the north. Today we'd like to present ten excellent ways to secure Spring Boot applications. You should know that this is based on a blog post that I originally wrote with Simon Maple, a good friend of mine and fellow Java Champion, and he works at a company called Snyk. You can also call that company "sneak", I've heard, so it's ambiguous, kind of like Brian's and my last names. I call Brian "Demers" all the time, but it's "Demers", right? But it's Demers. So if you'd like to read instead of watch, you can Google for this blog post and find it, or click on that link at the bottom there. Simon and I wrote this at JCrete, which is an awesome conference in Crete. So I just want to let you know that if you want to read it, you can.

Ten excellent ways. We're gonna start with one of my favorites, and that is to use HTTPS, and so HTTPS in production, primarily. The only reason I didn't put "production" on here is that if I had put "in production", it would have slid across the Okta aura on the right there, and so I didn't want to do that. It's also called TLS; that's the official name for HTTPS, and you might have heard it called SSL in the past, Secure Sockets Layer, and that's the deprecated name. So it's a cryptographic protocol that provides secure communication over a computer network. Its primary goals are to ensure privacy and data integrity between computer applications. And as of July 24, 2018, just a week before this original article was published, Chrome now labels HTTP sites as "not secure". So try to use HTTPS as much as you can, especially in production.

Let's Encrypt offers free HTTPS certificates, so it's very easy to use HTTPS and TLS these days. It used to be that certificate authorities would charge you a fair amount of cash for an SSL certificate, especially a wildcard certificate for all your subdomains, but now you can get those for free from Let's Encrypt. You can use Certbot to generate certificates from Let's Encrypt if you want, and there's also a tool that I like to use locally called mkcert. So mkcert you can use to create localhost certificates, and that works better than generating them with the Java SDK, because mkcert actually adds them to your local CA (certificate authority) on your operating system. So you don't get this prompt in your browser that says, "Do you want to proceed?"; it actually works through and through, so that's pretty nice. And there's also a Spring Boot starter for ACME. ACME stands for Automatic Certificate Management Environment, for automating renewing those certificates from Let's Encrypt. So you could add that to your app and then you don't have to worry about doing it. On my personal website, raibledesigns.com, my hosting provider actually just has a cron job that goes out and renews the certificate every, I think, 90 days, and then you'll have a nice logo like you see here at the bottom of the slide that says, hey, you're encrypted. I'd also recommend, if you don't know a lot about HTTPS, there's howhttps.works, and that is a valid URL that works, a valid TLD, and it's fun because a cat explains how HTTPS works in a comic. So you could even read it to your kids, or go over it on an iPad at night with your kids. It's kind of like a bedtime story.
So I'd encourage you to check that out. If you're using Spring Boot, which I assume you are, otherwise you wouldn't be at this webinar, you can force HTTPS in your Spring Boot app by extending WebSecurityConfigurerAdapter and overriding the configure method, and then saying requiresChannel() and anyRequest().requiresSecure(). So that's an easy way: if you tried to access the app with HTTP, it will actually redirect you to HTTPS. And so if you're on localhost:8080, it'll go to 8443; it automatically has that mapping. If you're on 80, it goes to 443. And if you want to do any custom ports, then you might need to configure things a bit differently. What I recommend, like I said in the beginning, is only use it in production, because even though you can use mkcert and run it locally, and it's pretty easy in development, a lot of times it can be a pain with a self-signed certificate. So if you're on Heroku, Cloud Foundry, or most of the cloud providers, this code here, looking for the X-Forwarded-Proto header, will actually indicate that the client is trying to access with HTTPS, and it will force it to go there. And so this is a configuration that I use in most of my projects. So now I'll turn it over to Brian for the next excellent way to secure your Spring Boot app.

All right. So next up, you need to make sure you're scanning your dependencies for vulnerabilities. All right, so all of our applications contain dependencies, and we need to make sure they're safe, right? Historically, this has kind of been difficult. I know when I first started out, we would just check JAR files into source control with no version information, and it was basically impossible to figure out which versions you had running, and that led to a whole bunch of other nightmares. But then along came tools like Maven, and maybe we're going the other way right now: it's too easy to add dependencies to your project.
So now we need to make sure they're safe, or something like this might happen, right? So everyone's heard of the Equifax breach a couple of years ago. There was a Struts 2 vulnerability, and Equifax didn't patch their service on time, and then they got hit. So their service... sorry, the vulnerability had been released two months prior and they hadn't updated their service. But if we think about it, right, like, Matt, do you have any applications running that have been running for two months?

Oh yeah, I've got some that have been running for ten years, right?

Right. So we need to make sure we're updating everything and making sure that we are both checking our dependencies for issues and then updating them after the fact. So let me slide you over here. So here's a timeline of the attack; sorry, this timeline of the CVE. So on March 10th, the official CVE notice went out, so that's when basically the world found out that there was a problem. And then less than two weeks later you have a giant spike in attacks. So if you think about it, that's really your window, right? It's less than two weeks. So we need to make sure you can both find the issues and then update your application within two weeks; obviously sooner when possible, right?

So this is your application, right? Your whole glorious application: your code, your dependencies, everything inside of that. However, the little dot in the middle is what's actually your code. So in a very real sense your dependencies are more important than the code you write, as it's a bigger surface area. So, you know, our code is standing on the shoulders of giants. So I have this little example here, and Matt, you may be able to tell right away here, but I have 19 lines of code. How many dependencies in Node do you think I have?

I see two, with the requires at the top there.

Yeah, spot on, right? So yeah, two direct dependencies, right? So like Matt said, you can kind of cheat and just look at the top. But how many total dependencies do you think I have? So my dependencies and their dependencies and those dependencies' dependencies, and we keep going on and on forever, the transitive dependencies.

I'm gonna guess maybe five.

How about 19 total?

Whoa, right?

So that's one for every line of code. That's a pretty good ratio. But it gets even more interesting, right? So how many total lines of code do you think this is?

Mmm, if you count all, right, because JavaScript doesn't have binary, so it's source code, so let's go with 2,000.

All right, you're close: almost 200,000. So it's 10,000 times more code than I wrote, right? So it's very difficult to keep track of all this. So in some communities, right, so in the Java community, Node, and in Ruby, most of our dependencies are indirect or transitive. It becomes harder to manage them, because generally we don't think about them, right? We just think about "I'm gonna depend on my favorite library," and that's all I care about. But that's not really the case, right, because those transitive dependencies could have issues. Because it's complicated, you kind of need a tool to manage this for you. So as Matt mentioned before, our friends over at Snyk, or "sneak" (I'm gonna call it "sneak"), have a great little application you can use that scans your dependencies. So I'm gonna jump over to my browser and I'm gonna share my screen. Here's a little dashboard. You can see these demo projects that I have in here are filled with issues. That way you can see; hopefully your real applications don't have this many issues. So I'm gonna jump into this one called spring-goof, and you can see... I think I clicked on it.
There we go. You can see there are some serious issues here. So there are 13 high-severity issues, 6 medium, and 2 low. So you can see the types of issues we have here: we have some deserialization issues, remote code execution, and a bunch of other things. So the quick demo is, I want to fix as many of these as possible with as little effort as possible. So I'm gonna click the "Open a fix PR" button, and this takes a few minutes, or seconds anyway, because like I said, this repository has a few issues. So Snyk is going through and trying to see which ones it can fix, and hopefully by the time I'm done talking it'll pop up and show me a list of everything it can automatically fix for me. There we go. All right, so as you can see here, all of these issues can automatically be fixed for me, and there are a couple here at the bottom that have partial fixes, and some that I would have to go in and fix myself. So there's no known fix, or maybe it requires some sort of custom code. But 80 to 90% of this is all done for me with the click of a button. So all I need to do is click this "Open a fix PR" button and it'll send me over to GitHub, and most of the code will already be taken care of for me. So if we jump back to our slides, I think you have some tips for us, right, Matt?

Yeah, so when we started writing this presentation, we thought that we would include a bunch of hacker tips. But then, we were trying to make you more secure, not less secure, and we don't want to have people hacking into stuff. So we decided to include some life-hacking tips. And so the first one I would like to make you aware of is that you don't have to fix your socks; you can fix your toes. So if you have a hole in your sock, right, on your big toe like this picture shows, you can just grab a Sharpie, preferably a dark one, and then color in your toe, and no one will even know that you have a hole in your sock. So I really like that; I generally travel with a Sharpie.

My socks are white.

But I mean, I think it could work, right?

Right, you could... well, maybe Wite-Out would work better for those.

Okay. All right, so next up we have: you need to make sure your libraries are updated. So I sort of hinted about this before. We found issues, we found vulnerabilities; the next step is, you know, update them. So we all know in the Spring world that starting a new project with the latest dependencies is really easy. You just go to start.spring.io and click on the green button, and you'll pretty much know right away you have all the latest dependencies. However, two months rolls around; you probably want to keep updating them, right? So that cool button at the bottom there, the Ctrl+Space, the Explore button, you could look at that and copy and paste the newer dependencies, right? That's one way.

I like that. That's a great idea. That's a relatively new feature, right?

Yeah, that's only in the last couple of months, I think.

Yeah, it's good.

All right, so we need to make sure we have good dependencies, right? So how well do you know your dependencies? Are they healthy? Did you get them from a trusted source like Maven Central? Or did you download them from some random Bitbucket repo you found on Stack Overflow? I know, Matt, you would never do anything like that, right?

Never, right?

All right, me neither. So some other tips to make sure that your dependencies are healthy: you want to make sure that the project has regular commits and regular releases; that they have some sort of active mailing list or a Slack or some other forum where you can go ask questions and get help; and does that project itself include other random, maybe questionable, transitive dependencies that would get sucked into your application? And if any of those things raise flags, maybe you don't want to use that project, or maybe you want to jump in and help. If it's an open source project, you can contribute fixes for them, and then everybody's better off. Luckily, there are some other great tools to help us out. So in the Node community, you can use ncu to list whatever Node packages need to be updated. In Maven, we have the great Versions plugin. So I know that this goal here, display-dependency-updates, will just show you a list, a report, and then there's also another goal to apply those changes too. And then of course Gradle has a similar tool.

So moving on to more of the website side of things. I tend to like both the back end and the front end, but one of the things that can happen with front-end applications is CSRF. That stands for cross-site request forgery, and it's basically an attack that forces a user to execute unwanted actions on an application they're currently logged into. So let's say you logged into your bank, and then you went to another malicious website, and they happen to have an image that's hidden on the page and references your bank website. Well, they can read the cookie then, and actually maybe go and change your password or change your email on your bank, and then all of a sudden they've compromised your account and they can make withdrawals, and no one really wants unauthorized withdrawals from their account. So if it's a normal user, a successful attack can do just state-changing requests like transferring funds or changing the email address, but if they have elevated access, they can compromise the whole application, right? If it's like a bank manager that's logged into the banking app and someone gets their credentials, then that's bad news. So you definitely want to protect from CSRF. And so the slide here says "Enable CSRF", and again I eliminated the "protection" part, but maybe I should have put it on there, because you don't really want to enable CSRF.
So with Spring Security, it allows you to do that, again by extending WebSecurityConfigurerAdapter, and if you happen to be using WebFlux with Spring Boot, there's a way to do it there as well. The main difference between your security configuration with Spring Security and Spring MVC versus WebFlux is you'll extend WebSecurityConfigurerAdapter when you're using Spring MVC, and when you're using WebFlux, instead of using @EnableWebSecurity, you use @EnableWebFluxSecurity, and then you'll have beans that override specific behavior. So a little bit different configuration, but for the most part it looks pretty similar. So they have excellent support for CSRF in Spring Security. If you're using Spring MVC's form tag, for instance, or Thymeleaf, and enable web security like you see here, the CSRF token will automatically get added to all your requests as a hidden input field. So that's great. And if you're using a JavaScript framework like Angular, React, or Vue, you will actually need to configure something like this. So in this case, what I'm doing here is I'm modifying the CSRF configuration to say send the cookie with httpOnly false, because httpOnly true is the default, and if it's an httpOnly cookie, the JavaScript can't read it, so the JavaScript will be unable to read that CSRF token and send it back. So if you're using Angular, Angular is really smart, and it reads what's called... the name of the token is XSRF-TOKEN, and it sends it back as an XSRF-TOKEN header. And if you're doing something like React, you might have to do that yourself; Vue, similar, but you can do that with interceptors pretty easily with all those frameworks. And then you have CSRF protection with your JavaScript apps as well. So I think this was one of Brian's life hacks here.

Yeah, so a little while ago my wife started getting into tennis, right? So my basement is filled with tennis balls. Right, so storage became a problem. So I found out how to cut my storage in half. Right, so I can fit twice as many tennis balls in a package now if I just cut them in half.

Right, you're a genius for that, right? Oh, she loved it. Yeah.

And it didn't start with tennis balls. So I play a lot of ping pong, and I can cut those in half too, and I can fit like a thousand ping pong balls in a little box.

Beautiful. Good life. It's great. All right. So use a CSP is another one; that's for web applications. And what CSP stands for is Content Security Policy. What this can do is prevent XSS attacks, and it basically is an added layer of security. XSS stands for cross-site scripting, and data injection. So this will often happen in applications where you've put it out there on the internet and you've been successful, and then someone at your company decides to add some tracking or something like that, and maybe one of those gets compromised. Because as developers, we never put any malicious JavaScript code in our apps, right? We always use frameworks, and maybe we source them from the CDN, but usually maybe we source them locally, and we know that they don't have any vulnerabilities in them. Well, everything's successful until you go to production and marketing gets involved, and then they start adding these third-party tracking tools, and maybe those get intercepted or compromised. And so what a CSP allows you to do is say only URLs from these CDNs are acceptable. And so you can basically control the JavaScript that gets executed. You can also control what JavaScript can do, right: can I do an eval, and can I do some more security-related things. And you can also even do this with a meta tag in your HTML page.
So that's pretty handy. But Spring Security has a bunch of headers by default. So these are the default Spring Security headers once you integrate it into your Spring Boot app. So it turns off caching, and it allows no sniffing of the content type, and it denies the X-Frame-Options, and it does a little bit there. But there is no Content Security Policy. So what you can do is, again extending WebSecurityConfigurerAdapter, it's part of the DSL, so you can say http.headers() and then contentSecurityPolicy(). And so if you just did that first part that says script-src 'self', that means that the only JavaScript that can be loaded is from the same domain that you're on. And so that's obviously a good recommendation, but chances are you'll have to tweak things a bit to say, hey, it can come from this CDN, or it can embed a Twitter tweet, or if you want to embed YouTube content, you might have to do the object-src. And then you point it to your report-uri, and so I recommend that, because it's pretty easy to do, and then you'll know when people are trying to add third-party scripts to your application, and you'll block them by default, and then you'll have a conversation with marketing that you need to fix the app or add them in there. And a lot of times this can actually be done on the web server layer. So if you have your Spring Boot app running behind something like nginx or Apache HTTP Server, then you can configure these at that level too, instead of doing it in your application. And securityheaders.com is a great way to test your CSP policy, and even test your site to see if you've done a good job of securing things. So there's a colleague of ours that wrote this blog post on how to configure better website security with Cloudflare and Netlify, and you can see there the screenshot shows that he started with a D, and by the end, it was this slide that I showed previously, he gets an A+. And so a lot of that was configuring on the server level rather than the application level. So you can certainly do it that way, but Spring Security offers a lot of those features as well. So you can really improve things just by tweaking either your server configuration or your code itself.

And it's easy too. So Matt, I updated one of my sites recently and I read through the blog post. It took me longer to read the blog post than it did to actually fix the problem.

Right. And I check every couple of months on my site to make sure it's there. But I have a guy who is my hosting provider, and I can just send him an email and he fixes it. So that's even easier, right, if you have that luxury.

All right, so we have another trick for you, another life hack. Right, so sometimes I just can't leave my office, right? I'm busy, I have stuff going on, maybe I'm recording a webinar. So when I get hungry, I like my snacks to be warm. So I just take two laptop chargers and I put my snack between them, and in a few minutes I have a nice toasty snack.

And I have a laptop dock (I can't talk: laptop dock) that gets really warm, and it's got kind of a grill heatsink on it, so I can make a grilled cheese right on it. It's great. I've even seen something similar. I don't know if people actually use it, but have you heard of people doing road trips and heating things on their engines?

I've seen old military footage of this. Yes.

I have friends that do it right now. Like, they'll take grilled cheese, and I think they wrap them in tin foil or whatever, but they'll stop after a couple of hours and throw it on the engine.

That's a good life hack for some lunch. I even saw one recently where they used a, what's it, a French press, but they filled it up with water and threw some hot dogs in it, and then heated hot dogs.
So there's all kinds of ways you can heat up a snack.

All right, on my next road trip I'm going to try that, the car one.

The next tip for securing your Spring Boot applications is to use OpenID Connect for authentication. A lot of the reason for that is because when I was an independent consultant (I did that for about 19 years before I joined Okta), what I found was I worked with a lot of enterprises, and they would often keep their users within the app. Some of the smarter enterprises would keep their users in LDAP or some central store for the company, and that was more logical. And then once I joined Okta and learned about OAuth and OpenID Connect, it was like, wow, this is so much better, because first of all you're storing them external to your app, so you don't have to worry about authentication and authorization. But second of all, you can blame someone else if there's ever a breach, right? So that's always important to do.

So just to give you some background on OAuth and how it came to be: back in 2005, 2006, when you would sign up for a Yelp account or a LinkedIn account, you'd basically get to the end of your signup flow and it would prompt you, "Do you want to add some more of your friends to Yelp or to LinkedIn?" And what it would do is it would give you a dialog that would show you your Gmail username and password; I think Yahoo was probably an option too. And so people would at the time just type in their username and password, because why not, right? It was familiar, and you trusted Yelp, you trusted LinkedIn. But there was no guarantee that they didn't keep your password, right? And so maybe every couple of months they would go out and see if you had any new contacts and suck those in and then send them an invite to join and become your friends. So that led to basically wanting to do delegated authorization, where you could actually have someone like Yelp, or give Yelp access to your contacts, without giving them your credentials. So that's where OpenID and OAuth came about. It started with just OAuth, and so OAuth basically had this flow that allowed you to get access to someone's contacts, but what happened was there was no identity information. And so people that were implementing OAuth, namely Google, Microsoft, and Facebook, had a way where you could do pseudo-identity, where basically they had a /me endpoint, and you could use your access token and go to that endpoint and get information about the user. And people basically said, hey, this isn't part of OAuth, because OAuth is not an authentication framework or protocol; it's mainly just for authorization. And so that's where OpenID came in: those companies got together and said, let's create OpenID Connect. And OpenID Connect is based on OAuth, but it's just a thin layer on top of it, and it gives you the ability to get identity.

So to go through this OIDC authorization code flow here: there are many different flows that you can use with OAuth, but this is the gold standard. This is the most secure one, so that's why I'm showing you here how it works. You'll be on Yelp and you'll click a button that says "Connect with Google" or "Log in with Okta" or whatever, and you'll be redirected to an authorization server, and you'll tell that authorization server what the app's URL is; so that's the redirect URI. And then you'll tell it standard scopes that OpenID provides; so in this case I'm saying openid and profile, and so that'll give me not just like an email back, or a user ID; it'll give me actually a full name that I could use. And so the authorization server, if you're logged into it, you'll never see a login screen; if you're not, it'll prompt you to log in, and then it might give you a request for consent. And so the resource owner, that's you, that's you who clicked on the button initially to connect with Google, and they'll say, "Do you want Yelp to give you access to your public profile and contacts?" You click yes, and they'll come back to that redirect URI. And so at one point you registered Yelp with Google, and so they have a whitelist of redirect URIs. So if the redirect URI doesn't match, that whole process will fail. It'll come back with what's called an authorization code, and then you can use that code to go and get the access token and the ID token. And then you'll come back and you can display information from that ID token, but you can also go to that userinfo endpoint. So I mentioned the /me endpoint; the /userinfo endpoint is the new gold standard for that. So that's how OIDC and OAuth work, and again, the only difference is with OIDC you get an ID token and the scopes are standardized. With Spring Security, they have OpenID Connect configuration built in, so that's awful handy. You'll see here the key is kind of long: spring.security.oauth2.client.registration, and then we have okta here, because it's one of their natively supported OpenID Connect providers.
There's also Google. I don't think Twitter's in there, because they're not OAuth 2.0 yet, but I think Facebook is. So you need to find a client ID and a client secret, and then you also have a provider key with an issuer URI that points to your issuer. So that's all pretty easy to do, and then you can actually have a Groovy class. So this is an easy way to run a Spring Boot app; only 10 lines of code here actually goes and gets that. So I'm gonna go ahead and share my screen and show how to actually do that. You can see here that I'll just create a new directory called demo (see the end of that), and I'll create an app.groovy file. So I've got the code here, so I don't have to type it all out; I can go ahead and paste that in there. And so Spring CLI has a tool that you can run: spring run app.groovy. And so I haven't set up anything, and the reason I want to show you this is because Spring Security by default, if it doesn't have any configuration for the issuer URI or for the client ID and the client secret, what it'll actually do is give you its default login screen, which is just form-based authentication. So if I open up a browser here and go to localhost:8080, it gives me username and password. So if I type in "user" as a username, and go back to my console here where the password is, that will all work. So it's smart enough to know that, hey, you haven't configured anything for OpenID Connect, and therefore that works. So if we were to go back here and cancel it, then I have this environment file here in another directory, so in oidc-demo, and what I've done here is I've set up some environment variables that match an app that I've already set up on Okta. So you can see here's my issuer URI and my client ID and my client secret. And so I'm doing a no-no by showing you my client secret, so I'll have to go and delete the app after this demo. But now, if I source that oidc-demo okta.env and then run spring run app.groovy, it'll actually use OIDC for authentication. So I'll probably have to use an incognito window, because we don't want to have my last session still be active. So I'll go new incognito window and then localhost:8080, and then if I log in with my credentials, it'll come back, and you'll notice that in the code we had principal.getName(). So this is what comes back. It's just a unique identifier for the name. So if we actually want more information, what we can do is we can actually go to Spring Initializr and we can create a new application. So I have a shortcut for that, and it's called bootstart. Let me show you what it looks like: bootstart. And so this is hitting start.spring.io and it's downloading an app that has Okta and Web already included. So I can just run bootstart, and then I can unzip the demo, and with -d, we'll call it java-boot. So if I go into java-boot, the cool thing here is what I can do is we have an Okta Maven plugin that you can use not only to register and create a new account, but also to register your app on Okta. So if I were to run mvn com.okta:okta-maven-plugin:setup, this will go out to Okta and it'll prompt me for some information about myself: so my first name, my last name, my email, and then company is Okta, of course. And then I can open this up in IntelliJ, and I'll create a home controller, similar to what we did with Groovy, that'll return the actual person's full name, just to show you some Spring Security features where they make it very easy to get more information about the user itself. So this is over here. Come on, IntelliJ. That's my favorite IDE.

Mine too. I don't think there are any other options, are there?

No, there are, but once you get comfortable with one, it's tough to switch to another one, you know.

Absolutely. So back to my desktop, where I've got some sample code here, just to make life a little easier. This is my REST controller, and this is also a cool feature of IntelliJ: if you have a Java class, maybe you're looking at one of our blog posts and you just want to copy and paste that, you can copy and paste that class, and it will go ahead and create it for you and even add a package, right? So then we've got to do some imports; it adds those in there. And you can see this @AuthenticationPrincipal is a pretty nice annotation that you can use from Spring Security, and then OidcUser is one that you can get a full name from. So now if we were to run this app, then we should see the person's full name instead of just their other name. And that Maven plugin went ahead and added the new app that it created for us into this application.properties. So now if we were to go new incognito window, do localhost:8080, we're already logged in; that's the beauty of single sign-on, and now it shows my full name instead of just that sub. So that's awful handy there. So the Java version I showed actually uses our Spring Boot starter, so that was automatically added when we specified Okta as a dependency from start.spring.io, and Brian's a maintainer of that, so, you know, it's good code. And we use many fewer properties.
So if you're using raw Spring Security, if you're using YAML you've got a lot of code; if you're not using YAML, you've only got three lines. And ours is three lines by default, or five lines if you're using YAML. So we're a little more concise, and that all works nicely, and it works with Spring WebFlux. So I wrote a blog post about this, and I've written several since that use Spring WebFlux. In fact, for the last couple weeks I've been integrating OAuth support for Spring WebFlux into JHipster. If you haven't heard of JHipster, Google that. It's a cool project to combine Spring Boot with many front-end frameworks like React and Angular and Vue, and it works really nicely. And yeah, check it out. On to you, Brian.

All right, so many of us are still dealing with managing user passwords, so my first suggestion is stop doing that, right? So Matt just showed you some great ways how to do that with OIDC. But if you're still dealing with legacy applications and you're still managing users and their passwords, you must hash their passwords. Right, so the typical story is: I go to a website, forgot my password, I mash the "I forgot my password" button, they send me an email, and that email contains my password, my old password, in clear text. Right, so that's a very bad situation. They should have never had my password in clear text to send to me. So what they should have done, obviously, is send me a link or an email that I click on and I create a new password. But let's talk about what hashes are. Right, so a hash is a one-way cryptographic function. So you have some data in and you get some unique identifier out, right? So that string that I get out is unique to what I put in, and there's no way to unhash that value, so there's no way to recover my password from a hash. It's just a hash.
They're deterministic, right? So if I put the same input in, I get the same output. So this is great, because if I have, say, a username and password form, Matt, maybe you fill out your username and your password like you did on your first example. I'll take that password and I'm going to hash that value, and then I'm going to compare that hash with the hash I've stored in some database, and if they're both the same, then I'm going to let you into my application. And they're not predictable. You can't guess the hash, right? So here on the left we have tsd0 and tsd1, so The Secure Developer, and if I change one character on the input, the whole entire hash changes. Right, so I can't guess them. And all of these make for a one-to-one mapping, right? So one password, or one input, equals one unique hash. So that way there's no collisions between passwords, or, you know, me logging in with a super secure password is not going to collide with Matt's maybe insecure password.

So doing this in Spring is really easy, right? So it's just a bean. Spring Security provides implementations for you. So in this case I'm going to use scrypt, but it's just a bean; everyone knows how to create this. And using it is just as easy as any other bean you're currently using. So in this example I'm auto-wiring (don't hold it against me; you can use constructor injection too, but this fits on a slide much easier). So I'm just going to call the encode method of my PasswordEncoder: put a string in, get a string out. So I'll get the hash value on the other side.

All right, so this is a life hack that I only recently learned, and I've learned you can do it with seafood as well, and it works even better.
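An added example of the bean and the encode/compare flow described above; it is not the slide code. It assumes Spring Security's SCryptPasswordEncoder (which needs Bouncy Castle on the classpath), uses constructor injection, keeps a constructed in-memory map in place of the users table, and passes the password as a char[] wrapped in a CharBuffer so it can be wiped after use. One thing worth knowing that the description above does not show: the encoder salts every hash, so two encode() calls on the same password return different strings, and the comparison has to go through matches(), which reads the salt back out of the stored value, never through string equality.

```java
import java.nio.CharBuffer;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;

@Configuration
class PasswordConfig {
    @Bean
    PasswordEncoder passwordEncoder() {
        // cpuCost (N, a power of two), memoryCost (r), parallelization (p), keyLength, saltLength
        return new SCryptPasswordEncoder(65536, 8, 1, 32, 16);
    }
}

class UserStore {
    private final PasswordEncoder encoder;
    private final Map<String, String> hashes = new ConcurrentHashMap<>(); // constructed stand-in for the users table
    private final String dummyHash;

    UserStore(PasswordEncoder encoder) {
        this.encoder = encoder;
        // Hash of a throwaway value, so a lookup of an unknown user costs the same time as a wrong password
        this.dummyHash = encoder.encode("not-a-real-password");
    }

    void register(String username, char[] password) {
        try {
            // encode() generates a salt and hashes; only the resulting string is stored
            hashes.put(username, encoder.encode(CharBuffer.wrap(password)));
        } finally {
            Arrays.fill(password, '\0'); // clear the plaintext from memory once it has been hashed
        }
    }

    boolean authenticate(String username, char[] password) {
        try {
            boolean known = hashes.containsKey(username);
            // matches() re-derives the hash using the salt embedded in the stored value and compares the results;
            // it runs even for unknown users so the response time does not reveal which usernames exist
            boolean ok = encoder.matches(CharBuffer.wrap(password), known ? hashes.get(username) : dummyHash);
            return known && ok;
        } finally {
            Arrays.fill(password, '\0');
        }
    }
}

public class PasswordHashingDemo {
    public static void main(String[] args) {
        UserStore store = new UserStore(new PasswordConfig().passwordEncoder());
        store.register("matt", "correct horse battery staple".toCharArray());
        System.out.println(store.authenticate("matt", "correct horse battery staple".toCharArray())); // true
        System.out.println(store.authenticate("matt", "correct horse battery stapl".toCharArray()));  // false
        System.out.println(store.authenticate("nobody", "anything".toCharArray()));                  // false
    }
}
```

Inside a Spring Boot application the UserStore would be a @Service with the PasswordEncoder injected; the main method only exists so the block can be run on its own.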
So you can clean hard-to-reach places in your car. I have an old Volkswagen van that gets dirty all the time, and I just take a warm piece of chicken out there and go ahead and get the dust out of the door handles and off the dash, and it works really nicely. That's great. I know my vehicle is pretty dirty right now, so I'm going to go get some chicken.

All right, so most of our applications contain some sort of secret. All right, so Matt just showed you his secrets for his OIDC application. I hope you go change those, Matt. Right, I've got to go delete that right now. Hold on. But your application might have database passwords or API keys or some other secured data, and you need to make sure you're storing that securely. Matt, have you ever checked in a secret accidentally? I think I did it yesterday. So it becomes really easy to find these things, right? So I can just search GitHub for "remove passwords", "remove password", and I can see all of these commits that literally tell me what happened, and I can go click on the diff and I can see the old password. Right, so a hacker could just troll through this really easily. I mean, this would take someone five seconds, and see the old password. So you need to make sure that if this happens to you, you revoke any old API keys and change any passwords, right? And if possible, you should probably change your history as well, but depending on your repository,
that may not be possible. So luckily there are some tools to help you out with this. So this one is git-secrets from AWS Labs. So this runs as a post-commit hook, so it stops you from pushing anything that looks like a secret to your remote repository. So you just install this and it runs locally. If you haven't looked at post-commit hooks, I would recommend them for a variety of things. I know Matt and I work on a project where we do some basic linting, and it's prevented me from checking in some silly-looking code, so that's definitely helped me. And there's also other tools too, like gitrob, which will scan your repository's history and look for secrets.

So how do you store them? HashiCorp has a project called Vault, and it's great. You can store secrets; you can set leases and TTLs on them, so your applications only have access to those secrets for a certain duration. And of course Spring Vault is an abstraction layer on top of that, to make it naturally fit into Spring. So you probably already know how to use Spring Vault if you've ever used an @Value annotation. So I'm sure you have a lot of code like this, Matt, between various projects. Maybe not called password, but a lot of @Value annotations, right? Right.

So this one might look a little silly to some people, because I'm using char[] right here. That's very much intentional. For passwords and other secrets, you want to try to use character arrays whenever possible, because of the alternative, a String. Strings are immutable; you can't clear the data. And another reason is that String passwords can accidentally be printed. So if you're logging or emailing (hopefully you're not emailing anything with secrets in it), but any other data that you're logging, the String will print out obviously in clear text, and the character array will print out the hash.

All right, and this is one of my personal favorites: testing with ZAP.
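An added example of the char[] @Value pattern just described, not the slide code. It assumes a property named demo.api-key (Spring's default CharArrayPropertyEditor turns the property string into a char[] for @Value injection), and adds the two pieces a practitioner usually wants around it: a toString() that redacts the value so an accidental log statement prints nothing useful, and a @PreDestroy hook that zeroes the array when the context shuts down. The accessor returns a copy for the same reason: callers get something they can wipe after use.

```java
import java.util.Arrays;
import java.util.function.Function;

import jakarta.annotation.PreDestroy; // javax.annotation.PreDestroy on Spring Boot 2.x

import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

@Component
public class ApiKeyHolder {

    // Held as char[] rather than String so it can be overwritten; a String would stay in the heap
    // until garbage-collected and would print in clear text if it were ever logged.
    private final char[] apiKey;

    public ApiKeyHolder(@Value("${demo.api-key}") char[] apiKey) { // property name is an assumption
        this.apiKey = apiKey;
    }

    /** Lends a copy of the secret to the caller and wipes that copy when the caller is done. */
    public <T> T withKey(Function<char[], T> use) {
        char[] copy = Arrays.copyOf(apiKey, apiKey.length);
        try {
            return use.apply(copy);
        } finally {
            Arrays.fill(copy, '\0');
        }
    }

    /** True once wipe() has run; lets a health check notice a holder that is being used after shutdown. */
    public boolean isCleared() {
        for (char c : apiKey) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    @PreDestroy
    void wipe() {
        Arrays.fill(apiKey, '\0'); // zero the secret when the application context closes
    }

    @Override
    public String toString() {
        // Logging frameworks call toString(); a char[] field would otherwise show as [C@1a2b3c,
        // but an explicit redaction is clearer and survives a later change of the field type.
        return "ApiKeyHolder[apiKey=<redacted>, length=" + apiKey.length + "]";
    }
}
```

The limit of this approach is worth stating: the moment the value is turned into a String (for example by a client library whose API takes String), the clearing guarantee is gone, so the conversion should happen as late as possible and only inside withKey.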
So ZAP stands for Zed Attack Proxy. It's from the OWASP project, which you might have heard of: Open Web Application Security ... something ... Project, right? So I just guessed and I got it. So it's a proxy that performs penetration testing against your live application at runtime. So before you go out and hire a penetration testing team, you might just want to run this on your application first. And it's popular on GitHub, open source; it's got over 4,000 stars, and it works quite nicely. So just to show you an example, I ran this (this has been a few years), but I developed an application and then ran it, and it's got two approaches. So one is a spider scan. So this is probably a good idea to use if you have mostly a public site. So maybe you have forms, maybe you allow anyone that's anonymous to sign up and do things. So you basically give it a seed of URLs and it goes and crawls all those URLs and tries to do things on those various pages. Versus an active scan: what that does is, in my case, I set up Firefox to proxy to Zed Attack Proxy running on port 9000 and recorded all the data that went through. And so this is called an active scan, and it records a session, then plays it back, and it looks for known vulnerabilities. So in this case you can see that I had a whole bunch, and there was cross-site scripting; there was directory browsing, so if you went to just a URL and the user could see it, it would list the files. So that's a bad thing to have, right, because people might actually be able to see the file contents before they've been processed. Parameter tampering was allowed.
And I had cookies that didn't use HttpOnly, cookies that didn't use a Secure flag, and one of the easiest ones to fix is password autocomplete in the browser. So that's autocomplete="off"; it's an attribute that you can add to your password fields in HTML. And I was able to run this and then go fix all those in a matter of an hour. And so you can learn more about it from its home page, which isn't very user-friendly or memorable, but that's the nature of, I think, the software they're using to host it. On GitHub it's zaproxy/zaproxy, and I would recommend following them on Twitter, at least for a bit, to learn more about the project, and try it out, because chances are you might have some stuff that it can actually identify for you.

So yeah, so next up: code reviews. So you want to have your security team do a code review, especially of the security-related code you're writing. Right, so code reviews are one of my favorite things. I think they're a great opportunity to learn, both for the author and the person reviewing, so there's a great two-way communication if you can do them right. So we have a top 10 list of things to look for when you're doing a code review. So first up, you want to identify and validate your inputs, right? So your inputs could be anything. They could be some other system, maybe from a database, maybe a REST API, right? That data, that's not yours.
You didn't control it, so you can't trust it. But obviously user inputs, query parameters, HTTP headers can be changed and manipulated by the client, as well as any files that are uploaded. So you need to make sure any files are clean and sanitized. And if you're just extracting zip files, you want to watch out. So I have a quick example to show you. Let me jump into my console. So you have this Java Goof example, and I'm going to open up a zip file and show you its contents. So I didn't know until recently that Vi could open zip files, and now it's my new favorite thing. So you can see this zip file has two entries. So I have a good.txt; if I open that... Maybe... Uh-oh. What did I do? I don't know what happened. The demo gods are cursing me. So that is actually supposed to be just a regular text file, and hopefully this one will open. Yeah, of course not. Let me try to do this again. So you're saying you got Vi to open your zip file once? What's that? I'm saying you made it work once. Yeah, it worked. Oh, that's terrible. All right. Well, this worked five minutes ago. So anyway, you can see here the directory listing. So the first one is just a text file; it's a normal everyday file. But this second one has a path traversal. Right.
So if I extract this file and I'm not paying attention, then I'm going to traverse up my directories and then back down and replace, potentially, this native2ascii script, which in my case is just a script that says "gotcha". Right, but you could be replacing, depending on the access you have to the system, some important system files, or maybe the next time the application is restarted you replace the Java executable, or you're doing something. All right, so you need to make sure you're not doing any of these things. And we see these things in Java because Java doesn't really provide a high-level unzip tool. All we have is the pieces, right? So it's really easy to crack open a jar or a zip file and go through it, but there's no way to extract those, so you have to write all that code yourself, which means that there's an opportunity there for something to go wrong. So let me get out of this failed example here and go back to my screen.

All right, so we talked about the next couple, right? So don't store your credentials as configuration, especially in your repositories. We've showed you how to test for security vulnerabilities. Matt showed you how to authenticate. So you need to make sure you're doing these types of things. The fifth one here: you want to make sure that you restrict your users to whatever the minimum set of privileges they need, right? So if your user needs some read access to a resource, you don't need to give them admin access. Right, so you want to narrow their scope. Number six is another one of my favorites: so use a whitelist instead of a blacklist.
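The check that the zip discussion above calls for, as an added example (not code from Java Goof or from the talk). Since the JDK only gives you ZipInputStream and ZipEntry, the extraction loop is yours to write, and the one line that matters is resolving each entry name against the destination, normalizing it, and refusing anything that no longer lies under the destination. The block builds a constructed two-entry archive in memory, one ordinary file and one entry whose name climbs out of the target directory (the native2ascii name mirrors the demo), and shows the second one being rejected; the temp directory and file contents are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {

    /** Extracts the archive into targetDir, rejecting any entry that would land outside it. */
    public static void extract(InputStream in, Path targetDir) throws IOException {
        Path root = targetDir.toAbsolutePath().normalize();
        Files.createDirectories(root);
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // Resolve then normalize: "../" segments and absolute names are folded away here,
                // so the startsWith check sees the real destination of the entry.
                Path dest = root.resolve(entry.getName()).normalize();
                if (!dest.startsWith(root)) {
                    throw new IOException("zip entry escapes target directory: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(dest);
                } else {
                    Files.createDirectories(dest.getParent());
                    Files.copy(zis, dest, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    /** Constructed sample archive: one normal file and one entry that tries to climb out. */
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("good.txt"));
            zos.write("just a text file".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../native2ascii")); // path traversal entry
            zos.write("echo gotcha".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path target = Files.createTempDirectory("unzip-demo");
        try {
            extract(new ByteArrayInputStream(sampleZip()), target);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("good.txt extracted: " + Files.exists(target.resolve("good.txt")));
        System.out.println("nothing written above target: "
                + !Files.exists(target.getParent().getParent().resolve("native2ascii")));
    }
}
```

Because the check runs per entry, the first entry is written and the second aborts the extraction; if the archive should be all-or-nothing, extract into a fresh temporary directory and move it into place only after the loop completes. The same normalize-and-compare check also catches absolute entry names, since resolving an absolute path yields that path unchanged and it will not start with the root.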
So a few years ago, the project jackson-databind, which I'm sure most of us know, it's a very popular project and it's a good project, but they were trying to use a blacklist to detect attacks. So quickly that didn't scale, right, because there's an almost infinite number of possible options that you could put on a blacklist. So what you want to do instead is use a whitelist and only allow what you're expecting. And the same thing with security, right? So user security: if you're trying to log in a user and check if they have access, you want to check if the user has access, not if they don't have access. So these next couple should be obvious too, right? So handle sensitive data with care. You don't want to log people's passwords or any other, maybe, HIPAA-related objects. I feel terrible that we even have to suggest this, but obviously don't put back doors in your code, or you'll end up on the front page of Hacker News. And then you want to test against well-known attacks and make sure you're regularly doing some static testing. So there's some great tools for that too.
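An added example of the whitelist-over-blacklist point, using the mechanism jackson-databind (2.10 and later) eventually shipped for exactly this problem: a PolymorphicTypeValidator that names the types allowed to be deserialized, so there is no list of dangerous class names to keep up to date. It is not code from the talk; the Shape, Circle and Square types and the sample JSON are constructed for the demonstration.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class AllowlistTypingDemo {

    // Polymorphic base type: the JSON carries an "@class" property naming the concrete type.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    public interface Shape {}

    public static class Circle implements Shape {
        public double radius;
    }

    // A perfectly valid Shape that is deliberately left off the allowlist.
    public static class Square implements Shape {
        public double side;
    }

    // Allowlist: only Circle (and its subclasses) may be named as a Shape. Everything else,
    // whether harmless like Square or not, is denied before it is instantiated.
    public static ObjectMapper mapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.setPolymorphicTypeValidator(ptv);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = mapper();

        String allowed = "{\"@class\":\"" + Circle.class.getName() + "\",\"radius\":2.0}";
        Shape shape = mapper.readValue(allowed, Shape.class);
        System.out.println("allowed: " + shape.getClass().getSimpleName());

        // Constructed input naming a type that is not on the allowlist.
        String denied = "{\"@class\":\"" + Square.class.getName() + "\",\"side\":1.0}";
        try {
            mapper.readValue(denied, Shape.class);
            System.out.println("unexpected: Square was accepted");
        } catch (JsonMappingException e) {
            System.out.println("denied: " + e.getOriginalMessage());
        }
    }
}
```

The contrast with the denylist approach is the failure mode: a new gadget class that nobody has heard of yet is still denied here, because it was never allowed, whereas a denylist only catches what has already been reported.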
I've been using SpotBugs, which used to be called FindBugs, and then there's a security-related version of that, so Find Security Bugs is a great Java project that will scan your code and find some issues like weak hashes and a lot of other great things. So those are the top 10.

All right, so just to go through and give you a recap of what we talked about today: use HTTPS in production; scan your dependencies; keep your dependencies up to date (I think GitHub now uses Dependabot by default for a lot of new repositories, so if you're a public repo you should have those updates coming in); enable CSRF protection, not enable CSRF, right. Now, use a content security policy, because it's pretty easy to add; use OpenID Connect for authentication; hash your passwords; store your secrets securely; test with OWASP ZAP; and code review with experts. And so when we first created this, Simon was nice enough to create a Spring Boot security cheat sheet. So if you actually want to print all these out and put it up on your wall, you can do that. There's a link at the top; it's a little blue there. But you could also just probably Google "Spring Boot security cheat sheet" and find it. Don't allow your lack of security to be disturbing. You'll notice I'm wearing one of these shirts today. We love it because it's Star Wars-themed, and they're pretty fun. So if you see me or Brian at a conference or on the street one day, let us know that you saw that we recommend these shirts, because we might actually have one on us. This is true.
Our last life hack is (this is a great one) to use a toilet seat for a TV dinner setup. So if you're traveling on the road and you can rip that sucker off, it works kind of nice. If you have any further questions, you can reach out to us on Twitter. My DMs are wide open at @mraible, and I will also tweet out a link to this presentation, where you can view it online in PDF form on Speaker Deck. Actually, if you go to that link right now, speakerdeck.com/mraible, it is already published there. And you can follow Brian and me, and Brian actually just published a YouTube video yesterday on five Java tools that he likes to use in his projects. And so we post a whole lot of code on github.com/oktadeveloper for Spring Boot, for Spring WebFlux, and for a lot of front-end frameworks as well.

And so before we end this, there were a number of questions that came through on the Q&A, and I answered a few of them. And so this will likely be pushed to YouTube as a video afterwards, and so YouTube, I don't think, is going to see any of the Q&A, but maybe they do. But maybe, Brian, there's a few unanswered here that I think are kind of for you, about hashing and Maven. So if you want to take those, I'll... Yes, so one of them that I just noticed is: is the hashing technique using a specific algorithm? Yes, and so there are a few different hashing algorithms. I don't know if I mentioned this, but Spring Security provides most of the defaults out of the box for you, so that's something you don't have to worry about, the actual implementation. Those are well tested, and it's one of those things you shouldn't write yourself. So there's no way to decrypt them. And the type of hash depends on what you're doing, but generally I think scrypt and bcrypt are sort of a couple favorite ones. And I think just recently SHA-1 had the first official attack.
I think last week, maybe. So someone was able to craft a collision with SHA-1. So obviously you should be using strong hash algorithms. Well, so, can a hash be decrypted? No. I did mention that, like I said, MD5 and SHA-1: there are some forced collision attacks that can happen to these older algorithms, but now that we're on the newer algorithms, there's no known attacks for them. Oh, go ahead, Matt. No, no, go ahead and answer those other ones. I believe, now that I remember, that the audience view, and I think the recorded view, has these questions and answers that pop up, but go ahead and answer those ones that you were... All right, so somebody mentioned there are a couple other goals you can use for the Maven Versions Plugin. I strongly suggest anyone just Google "maven versions plugin". There's a bunch of goals to fit a variety of needs. I use that project all the time, so definitely go check that one out. Somebody gave a thumbs up for bcrypt. They're using bcrypt; they'd recommend that. Someone asked here: my existing on-premise SSO uses a header-based approach; can I use OIDC? And so you could probably use OIDC. It depends on if you're able to go outside your firewall. So someone like Okta, if you want to use Okta for authentication, by default you would need to give users access to Okta, which would be outside your network. We do offer something called Okta Access Gateway that can make this work without going outside your network. But you can also use an OIDC provider like Keycloak and install that locally, and then you don't have to go outside your network. All right, there's another one for you, Matt. Are there cases where we need to use cross-site scripting when we're on different servers? Well, so you won't really want to use cross-site scripting ever; you want to prevent cross-site scripting, right?
But maybe what you're referring to is CORS, so cross-origin resource sharing. This used to be a thing that browsers didn't allow, and now they do, and so there's a header that can be sent from the server that says, hey, this client can access our resources, and it's okay. So you might have to configure CORS with Spring Boot. There's actually a @CrossOrigin annotation that you can use that will allow someone using an Angular app on a different port to talk to your site. But as far as a CSP, a content security policy will only pertain to your particular Spring Boot application. So you might have to have a CSP for your Angular app or your React app as well, if those are on separate applications, and then you'll probably want to use nginx or Apache to configure that, rather than doing it in Spring Boot, because you won't be using Spring Boot if it's on a CDN. So I think we answered most of this. You got the hashing ones, right? You just did those by voice. Yep, and the Maven one. So I think that's it. Hopefully you've got answers for the other ones you asked, and like we said, this will eventually be up on YouTube. So if you go to youtube.com/c/oktadev, that's O-K-T-A dev, we will post this as a video up there, and you can ask more questions on there if you like. You can also post questions on the blog post, and we'll answer them there. And feel free to hit us up on Twitter if you like as well. So thank you for attending, and hope you have a great day. Thanks, everyone.