uncle sam's guide to grails security
DESCRIPTION
Speaker: Joe Rinehart Grails makes it easy to dive right in and build an application, but that's the tip of a very large iceberg. Joe Rinehart's spent years working in highly secured environments and been the subject of many top-to-bottom, OS-to-Web audits. Join him as he introduces publicly available security guidelines for Java/Grails applications made available by some of the strictest clients in the world, showing how Grails can often make life much easier. "STIGing." It's a phrase that makes even seasoned secured application developers wince. What's a STIG? It's a "Security Technical Implementation Guide" - a grammar fail only the U.S. Government could manage. It's usually a product-specific, hundred-plus page PDF or XML document describing applicable security controls. These are not thrilling reads. Their content, however, is fantastic: from obvious XSS issues to nuances of running Tomcat within an application security manager, they present a holistic approach to technical application security. Join Joe as he walks through the essential security topics for Grails (and Java) Web applications, showing how Grails can often lighten your load and the pitfalls of attempting to secure highly dynamic code.TRANSCRIPT
![Page 1: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/1.jpg)
UNCLE SAM’S GUIDE TO GRAILS SECURITY JOE RINEHART
BOOZ | ALLEN | HAMILTON
Photo: AJ Cann
![Page 2: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/2.jpg)
WHAT ARE WE TALKING ABOUT? Photo: milos milosevic
![Page 3: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/3.jpg)
WHO AM I?
![Page 4: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/4.jpg)
WHO AM I?
![Page 5: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/5.jpg)
Photo: eli duke
AND?
![Page 6: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/6.jpg)
STIGS.
Photo: lemonrad Photo: Automotiveart.nl
![Page 7: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/7.jpg)
STIGS.
Photo: lemonrad
![Page 8: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/8.jpg)
IN A NUTSHELL A STIG is a list of security/assurance controls for a given technology. There are many available: operating system, database, and application development.
We’ll concern ourselves with the Application Development STIG.
![Page 9: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/9.jpg)
PROPER PLANNING AND PREPARATION PREVENTS PISS POOR PERFORMACE
![Page 10: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/10.jpg)
MEA CULPA These are things I’ve rarely done, or seen done, in the commercial space. They’re not fun.
They’re good ideas.
Left to my own, I’d take a common sense, “good-enough” documentation approach.
![Page 11: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/11.jpg)
SYSTEM SECURITY PLAN Who can get to what. What you think can go wrong.
What to do about it.
![Page 12: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/12.jpg)
CONFIGURATION GUIDE Hosting requirements Deployment instructions
![Page 13: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/13.jpg)
CLASSIFICATION GUIDE How critical is data you’re collecting? Is it PII?
Are there legal ramifications if data is leaked?
![Page 14: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/14.jpg)
3RD PARTY USE What are you using that you didn’t invent? Where did it come from?
What support does it have?
![Page 15: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/15.jpg)
KNOW THYSELF Who’s responsible for management? Design? Testing? What are their strengths?
What are their weaknesses?
![Page 16: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/16.jpg)
WHEN THINGS GO WRONG What do you do when a vulnerability is identified? Exploited?
When a natural disaster occurs?
![Page 17: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/17.jpg)
SYSTEM DESIGN AN OUNCE OF PREVENTION
![Page 18: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/18.jpg)
I’M NOT TALKING “RATIONAL”
Please don’t confuse encouraging some degree of system design with a push for anti-agile bits like RUP
![Page 19: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/19.jpg)
KNOWING WHAT YOU DON’T KNOW YOU DON’T KNOW
Develop a threat model • Assumptions • Interactions • Entries • Risk • Mitigations
![Page 20: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/20.jpg)
BROAD GUIDANCE How should an exception be handled, and what should end users see? What kinds of encryption should be used? Avoided?
What should never be stored?
Basically, document choices developers don’t like to have to make.
![Page 21: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/21.jpg)
SIGH.
THIS COULD BE A LOT OF WORK.
![Page 22: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/22.jpg)
DEVELOPMENT == GREAT TRAIL.
Photo: lemonrad
![Page 23: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/23.jpg)
SECURITY == RICHARD SIMMONS
Photo: lemonrad Photo: heraldpost
![Page 24: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/24.jpg)
THIS
![Page 25: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/25.jpg)
STUFF
![Page 26: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/26.jpg)
IS
![Page 27: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/27.jpg)
BORING
![Page 28: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/28.jpg)
IT MAKES ME GRUMPY.
Photo: Joint Base Lewis McChord
![Page 29: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/29.jpg)
SECURITY, AGILE, AND YOU. IT’S NOT THE END OF THE WORLD.
![Page 30: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/30.jpg)
INEFFECTIVE SECURITY Most of the time I’ve seen STIGing, it’s a tacked-on waterfall …a sidecar.
…a box to check to get on with life.
I don’t deal well with getting my ticket punched.
![Page 31: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/31.jpg)
A JOB WORTH DOING What’s worse than security work? Doing it poorly.
![Page 32: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/32.jpg)
PROBLEMS?
1. Copied / pasted paperwork, designs, and plans
2. Documentation for documentation’s sake
3. Ineffective process
![Page 33: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/33.jpg)
BE ORIGINAL Write from scratch. You need to think about these things. If nothing else, it makes auditors do their job.
![Page 34: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/34.jpg)
SERVE YOURSELF Too often, people do these things just to get accredited. Instead, cover your …
Make it known that these things are important and should take place.
Word processors are evil: use a wiki-style solution!
![Page 35: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/35.jpg)
PART OF EVERYDAY LIFE Don’t STIG and walk off. It’s a task like any other: prioritize, backlog, and attack.
Ingrain security into your normal workflow.
![Page 36: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/36.jpg)
GRAILS, FINALLY. HOW WE’VE STIG’D IN RECORD TIME
![Page 37: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/37.jpg)
TWO WEEKS. Largely thanks to Grails and its community, we took a very basic JEE application and reached a secured state in two weeks.
![Page 38: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/38.jpg)
MANY BIRDS, ONE STONE. HUGE THANKS TO BURT BECKWITH
![Page 39: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/39.jpg)
SPRING-SECURITY Half of you have probably used it. The other half will tell you why they haven’t.
We have, and we like it, and here’s why.
![Page 40: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/40.jpg)
WHY SPRING-SECURITY?
1. Open source and well examined 2. Out-of-the-box good practices 3. Native x509 integration 4. LDAP, AD, and many other
authentication providers are supported
5. Simple API!
![Page 41: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/41.jpg)
SPRING-SECURITY: CONTROLS SATISFIED • Role-based security • Passwords must be stored in an encrypted format • Passwords cannot be displayed in clear text
• Many PKI controls
• Session logout
• Token rotation
• Logon limitations
![Page 42: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/42.jpg)
MANY BIRDS, MANY PEBBLES. A BRIEF TOUR OF SOLVING SOME CONTROLS WITH GRAILS
![Page 43: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/43.jpg)
CSRF VULNERABILITIES
<g:form useToken=“true” action=“save” />
![Page 44: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/44.jpg)
CODE COVERAGE
> grails test-app -coverage
We’ve used the code-coverage plugin. Big thanks to Mike Hugo and Jeff Beck.
![Page 45: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/45.jpg)
TRANSACTIONS
> grails create-service com.acme.Book
Does data change? Does a controller perform two data access operations? Service time.
![Page 46: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/46.jpg)
DATABASE CREDENTIALS
environments {
production{
dataSource {
username = "sa"
password = "password"
}
}
}
Please don’t let anyone find this. Externalize!
![Page 47: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/47.jpg)
LAST TIME/DATE OF CHANGE package com.acme
class Book {
Date dateCreated
Date lastUpdated
}
![Page 48: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/48.jpg)
LAST TIME/DATE OF CHANGE – EXTRA CREDIT class DataAccessAuditingListener implements ApplicationListener {
void onApplicationEvent( ApplicationEvent e ) {
if ( e instanceof AbstractPersistenceEvent ) {
// do stuff
}
}
}
![Page 49: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/49.jpg)
XSS 1. Filter posts to check referers! 2. grails.views.default.codec = ‘html’
![Page 50: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/50.jpg)
SQL INJECTION It’s hard to really screw this up with Grails/GORM, but if you’re using straight SQL, please: 1. Use bound parameters instead of GStrings
2. Understand the ramifications of toString()’ing a GString and then using it as a statement!
![Page 51: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/51.jpg)
ACCOUNT LOCKOUT class UserLoginAuditingListener implements ApplicationListener {
void onApplicationEvent( ApplicationEvent e ) {
if ( e instanceof AbstractAuthenticationEvent ) {
// do stuff
}
}
}
![Page 52: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/52.jpg)
VALIDATION This one’s hard to enforce programatically, but we try to cover it by: 1. Using commands
2. Testing domain validation
![Page 53: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/53.jpg)
CONCLUSIONS?
![Page 54: Uncle Sam's Guide to Grails Security](https://reader034.vdocuments.site/reader034/viewer/2022050817/554f8044b4c9052a518b4cb1/html5/thumbnails/54.jpg)
THE STIG IS YOUR FRIEND.
Photo: lemonrad Photo: Automotiveart.nl