Securing RESTful services with Spring HATEOAS & Hdiv
![Page 1: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/1.jpg)
Securing RESTful services with Spring HATEOAS & Hdiv
Roberto Velasco (@hdivroberto)
![Page 2: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/2.jpg)
About me
Spring I/O 2016
Roberto Velasco
CEO at Hdiv Security
Working as Java Software Architect since 2004
![Page 3: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/3.jpg)
About me
Involved in Software Security since 2001
Roberto Velasco
CEO at Hdiv Security
![Page 4: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/4.jpg)
About me
Hdiv Security Framework founder in 2008
Roberto Velasco
CEO at Hdiv Security
![Page 5: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/5.jpg)
About this talk
It’s not about: Authentication, Role Based Access Control, Best Practices
It’s about: Security Automation, Security by Design
![Page 6: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/6.jpg)
Agenda
1. APIs security overview
2. Why
3. The solution
4. Spring HATEOAS & Hdiv
![Page 7: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/7.jpg)
1 APIS SECURITY OVERVIEW
![Page 8: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/8.jpg)
APIs everywhere
![Page 9: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/9.jpg)
The old new things
What about security in this new scenario?
![Page 10: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/10.jpg)
LET’S SEE A DEMO
Spring HATEOAS & Android
![Page 11: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/11.jpg)
The old new things
The most important issues remain the same, represented by the OWASP Top 10.
The client-side approach leaves us more exposed:
Controller inside the client
More business logic on the client side
![Page 12: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/12.jpg)
How big is the problem
86% of all websites tested had at least 1 serious vulnerability
![Page 13: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/13.jpg)
2 WHY
![Page 14: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/14.jpg)
Security issues
Bugs: SQL Injection, XSS, etc. Easy to find and fix.
Design flaws: forgetting to authenticate a user; unauthorized access to a record. No tool to find them, and complex to fix.
![Page 15: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/15.jpg)
Design Flaws (IEEE Cyber Security)
![Page 16: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/16.jpg)
Why
Current technology to develop services is insecure by default
![Page 17: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/17.jpg)
Why
It doesn’t protect from bugs and design flaws
![Page 18: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/18.jpg)
Why
Security depends on people
![Page 19: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/19.jpg)
Security solutions
AST: Application Security Testing
Recommended for security bugs
Detected issues must be solved by developers
![Page 20: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/20.jpg)
Security solutions
WAF: Web Application Firewall
Tries to protect from bugs and security design flaws
but…
![Page 21: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/21.jpg)
Security solutions
WAF: Web Application Firewall
False positives
Costly implementation
![Page 22: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/22.jpg)
Summary
Foundational software providers: don’t protect from bugs or from security design flaws
Security providers: bugs are well detected by AST, but this represents significant fixing work for developers; design flaws are not properly covered by WAFs
![Page 23: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/23.jpg)
3 THE SOLUTION
![Page 24: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/24.jpg)
The solution
Different problems require different solutions
![Page 25: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/25.jpg)
The solution for… Design flaws
Current approach: Everything open, close manually
![Page 26: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/26.jpg)
The solution for… Design flaws
Proposed approach: Security By Default
Everything closed by default, open manually
![Page 27: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/27.jpg)
The solution for… Design flaws
The server defines what is allowed
![Page 28: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/28.jpg)
The solution for… Design flaws
The server defines what is allowed: Hypermedia
![Page 29: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/29.jpg)
The solution for… Design flaws
The server rejects all the requests that don’t respect the original contract
![Page 30: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/30.jpg)
The solution for… Design flaws
B O R N S E C U R E
The server rejects all the requests that don’t respect the original contract
![Page 31: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/31.jpg)
The solution for… Design flaws
Integrity validation for read-only data
White & black list validation for editable data (text fields)
![Page 32: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/32.jpg)
The solution for… Bugs
We need a detection mechanism
![Page 33: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/33.jpg)
The solution for… Bugs
We need a detection mechanism: AST tools
![Page 34: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/34.jpg)
The solution for… Bugs
We need to automate the protection of the detected issues
![Page 35: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/35.jpg)
The solution for… Bugs
We need to automate the protection of the detected issues
![Page 36: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/36.jpg)
The solution for… Bugs
Don’t do anything for read-only data
Strict white-list validation for vulnerable text fields
Show the error in the text field
![Page 37: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/37.jpg)
4 SPRING HATEOAS & Hdiv
![Page 38: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/38.jpg)
Spring HATEOAS
The most important HATEOAS implementation in Java
Based on HAL
Includes a format for links
Complete form definition not covered
![Page 39: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/39.jpg)
Form support Pull Request
https://github.com/spring-projects/spring-hateoas/pull/447
Participants & Collaborators: Mike Amundsen, Dietrich Schulten, Oliver Gierke
Supported hypermedia formats
Forms: HAL-FORMS, Siren, HTML
Links: HAL
![Page 40: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/40.jpg)
Form Support in Action
Form definition example:

```java
// Controller method exposing the "charge" affordance as a link (slide excerpt)
@RequestMapping(method = RequestMethod.GET)
public ResourceSupport charge() {
    ResourceSupport resourceSupport = new ResourceSupport();
    resourceSupport.add(linkTo(methodOn(TransferController.class).charge(new Charge())).build());
    // code omitted here
    return resourceSupport;
}

// Form model: the constructor annotations declare how each field may be edited
public class Charge {
    private String fromAccount;
    private double amount;

    public Charge(@Select(options = CashAccountOptions.class) String fromAccount,
                  @Input(editable = true, required = true) double amount) {
        // code omitted here
    }
}
```
![Page 41: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/41.jpg)
Several form formats are supported. HAL-FORMS example:

```json
{
  "_links": {
    "self": {"href": "http://localhost:9000/hdiv-ee-bank-services/api/transfer?rel=halforms:make-transfer"},
    "curies": [{"href": "{href}{?rel}", "name": "halforms", "templated": true}]
  },
  "_templates": {
    "default": {
      "method": "POST",
      "properties": [
        {"name": "fromAccount", "readOnly": true, "suggest": [
          {"value": "00948343154448310446", "prompt": "Checking Account"},
          {"value": "91123204989505683033", "prompt": "Individual Retirement Accounts (IRAs)"}
        ]},
        {"name": "toAccount", "readOnly": false, "required": true},
        {"name": "description", "readOnly": false, "required": true},
        {"name": "amount", "readOnly": false, "value": "0.0", "required": true},
        {"name": "fee", "readOnly": true, "value": "5.0"}
      ]
    }
  }
}
```
![Page 42: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/42.jpg)
Try it! hdivsecurity.com/try-it-springio
![Page 43: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/43.jpg)
Summary
Hypermedia offers an excellent foundation to cover security design
![Page 44: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/44.jpg)
Summary
Hypermedia helps to automate the protection against detected security bugs
![Page 45: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/45.jpg)
Summary
Hypermedia formats are necessary to cover 100% of interactions
![Page 46: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/46.jpg)
Summary
Spring HATEOAS and Hdiv make it possible to automate many security tasks
![Page 47: Securing RESTful services with Spring HATEOAS & Hdiv](https://reader034.fdocuments.in/reader034/viewer/2022042619/58f264d21a28aba3378b45bd/html5/thumbnails/47.jpg)
Questions & Answers