Secure Coding in Spring Framework
Learn about security vulnerabilities in Spring applications and how to mitigate them effectively, making your applications resilient against potential threats.
What you'll learn
Learning how to code securely in Spring will not only enhance your own development skills, it will also drastically reduce potential security incidents within your application. In this course, Secure Coding in the Spring Framework, you'll address the critical concern of security in Spring-based applications, learning how to fortify them against various common threats. First, you'll explore the OWASP Top 10 security threats in the specific context of Spring application development. Next, you'll analyze and identify multiple examples of these threats, such as mis-implemented access control, weak cryptography, injection vulnerabilities, and more. Finally, you'll learn how to refactor your Spring application to mitigate these threats by leveraging the framework to its full potential. By the end of this course, you'll have the skills and knowledge needed to ensure the security of your Spring applications, making them resilient against common security threats.
Table of contents
- Introduction 2m
- Spring Security Overview 1m
- Course Testing Overview 1m
- OWASP Top 10 Overview 0m
- A01 - Broken Access Control 3m
- Force Browsing and Deny by Default 4m
- Access Control with Spring Security Authorization Filter 7m
- Demo: Adopting Deny by Default 9m
- Force Browsing and Direct Object References 3m
- Indirect Object References in Spring 1m
- Demo: Indirect Object References 7m
- Outro 0m
- Introduction 1m
- What Is Defence-in-depth? 2m
- Post Method Invocation Authorization Checks 4m
- Demo: Using the @PostAuthorize and @PostFilter Annotations 7m
- Pre Method Invocation Authorization Checks 2m
- Demo: Using the @PreAuthorize Annotation 8m
- Adopting a Centralized Permissions Service 3m
- Demo: Centralized Permissions Service 9m
- Importance of Access Control Reviews 2m
- Introduction 1m
- Overview of OWASP A02 1m
- MITM Attack Overview 1m
- HTTPS Overview 1m
- TLS Certificate Overview 2m
- Java Keytool Quickstart 1m
- Demo: Creating a Self-signed Certificate 3m
- HTTPS in Spring with SSL Bundles 3m
- Demo: HTTPS in Spring with SSL Bundles 9m
- Don't Use HTTP 2m
- Mutual TLS in Spring 2m
- Demo: Mutual TLS in Spring 3m
- Summary 2m
- Introduction 1m
- Plaintext vs. Hashing 2m
- Insecurely Hashed Password Attack Vectors 1m
- Demo: Exploring Insecurely Hashed Password Attack Vectors 6m
- Spring Security Password Encoder Abstraction Overview 1m
- Spring Security BCrypt Password Encoder Overview 1m
- Demo: Spring Security BCrypt Password Encoder 5m
- Spring Security Delegating Password Encoder Overview 1m
- Demo: Spring Security Delegating Password Encoder Overview 4m
- BCrypt Work Factor Overview 1m
- Demo: Configuring Work Factor in Spring Password Encoders 3m
- Further Learning 0m
- Introduction 1m
- What Is Insecure Design? 1m
- Secure Design Principles 2m
- Integrating Secure Design into the Software Development Lifecycle 1m
- Identifying Security Requirements 1m
- Choosing a Security Framework 2m
- Threat Modeling Introduction 1m
- Threat Modeling Process 1m
- Applying Threat Modeling 2m
- STRIDE Methodology Overview 3m
- Defining Security User Stories 1m
- Secure Releasing and Operations 1m
- Introduction 1m
- What Is Security Misconfiguration? 2m
- Accidentally Deploying Insecure Configuration 3m
- Spring Profiles Overview 1m
- Demo: Enabling Spring Configurations with Profiles 5m
- Configuring Property Sources with Profiles 2m
- Demo: Configuring Error Pages Using Profiles and Property Files 8m
- CSRF Protection Overview 2m
- Demo: CSRF Protection With SameSite Cookie Attribute 5m
- CSRF Protection Token Pattern 2m
- Demo: CSRF Protection Token Pattern 4m
- Introduction 1m
- A07 Overview 0m
- NIST Password Guidelines Overview 3m
- Demo: Updating Outdated Password Policies 6m
- Have I Been Pwned Overview 1m
- Spring Security Have I Been Pwned Integration 1m
- Demo: Using HIBP on Account Registration 4m
- When to Use HIBP 1m
- Demo: Using HIBP on Login 4m
- NIST Account Locking Recommendations 3m
- Demo: Temporary Account Locking 14m
- Introduction 0m
- Why Multi-factor Authentication? 2m
- Multi-factor Authentication Overview 2m
- Multi-factor Authentication in Spring Demo Overview 1m
- Demo: MFA Part 1: Redirecting to the OTP Page on Login 2m
- Demo: MFA Part 2: Setting a Partially Authenticated Role and Redirect Filter 5m
- Demo: MFA Part 3: Ensuring the OTP Page Is Only Accessible by Partially Authenticated Users 2m
- Demo: MFA Part 4: Generating and Sending a Secure OTP 7m
- Demo: MFA Part 5: Validating a Secure OTP and Completing Login 9m
- Demo: MFA Part 6: Limiting OTP Input Attempts and Account Locking 6m
- Demo: MFA Part 7: Browser Demo and Run-through 1m
- Password Reset Feature Overview 1m
- Demo: Password Reset 6m
- Summary and Best Practice 1m
- Introduction 1m
- Overview of OWASP A09 2m
- The Importance of Logging Security Events 1m
- Demo: Logging Security Events in Spring 2m
- The Importance of Enriching Logs with Context Metadata 1m
- Leveraging MDC in Spring to Log Additional Context Metadata 2m
- Demo: Adding User and Request Data to the MDC 6m
- Avoiding Sensitive Data Logging with Masking 1m
- Demo: Masking Sensitive Data 3m
- Why Log Data as JSON - ELK Stack Use Case 2m
- Demo: Structured JSON Logging with ELK Stack 3m
- Using Spring Actuator to Monitor Security Metrics 2m
- Demo: Security Metric Monitoring with Spring Actuator and ELK Stack 4m
- Security Incident Alerting Best Practice and Summary 1m
- Introduction 1m
- Server-side Request Forgery Overview 2m
- Allow List Protection 1m
- Leveraging a Hoverfly Proxy for Testing 1m
- Demo: Allow List Protection 4m
- Bypassing Allow Lists With Redirects 1m
- Demo: Protecting Against Redirects 4m
- Exploiting Unsanitized Input 1m
- Demo: Exploiting Unsanitized Input 3m
- Best Practice and Summary 1m