How secure is Spring Security? - spring-security

How secure is Spring Security? Is it good enough to use Spring Security in web application for banking system or something equivalent?

Spring Security in itself is very good. It is widely used and any problems are sorted out with high priority. However, as with most technologies, if you use it improperly, your application will not be secure.
If I use it in the "most secure way", will it be secure enough? - Yes

Earlier versions of Spring Security (known as Acegi back in the day) required quite a large amount of configuration and it was therefore possible to miss something and leave a hole in your security. Recent versions have significantly reduced the complexity and now use sensible defaults.
However, Spring still remains extremely flexible and extensible, which gives developers great power, but as always power comes with responsibility. As far as Spring Security is concerned, a little knowledge is a dangerous thing; I'd strongly recommend that you get a good understanding of the framework before undertaking any customization. It's also a good idea to get involved on the forums and ask the community to peer review high-risk areas of code/customization.
We've implemented Spring Security for many banks and other financial institutions, both in the US and Europe, so in that sense it's definitely "fit for purpose".

Spring Security is one of the best things that the Spring framework offers; it is highly capable of taking care of both authentication and authorization.
The challenge is to model it correctly, with the right key elements of the framework being put in the right place. I have tried to illustrate its capabilities in one of my blog posts, refer http://www.nimblegeek.com/2012/08/role-base-application-modelling-using.html

Be careful applying Spring Security to applications that require a high level of security, such as a banking security system. First of all, put your attention on securing your application with strong cryptographic methods and securing the data channel. Then you can integrate it with a framework such as Spring Security.


Keycloak for IDM

First and foremost, this post doesn't have any intention to strike down any parties mentioned in my question.
In fact, I'm not sure whether I should ask this question on this forum or not, but after some thoughtful consideration I decided to just post it here due to my curiosity.
Shortly speaking, I'm working on an IAM platform for one of my customers. I've prepared it using Keycloak within a day, which also covers a custom provider to connect with their legacy internal user database.
But I got a pretty shocking statement from my customer: they don't trust Keycloak since it's free and open source. They only trust commercial products, and they suggested I go with either ForgeRock or Okta.
I have my own way to answer that statement, but I would also like to hear some feedback from the experts here with regards to that matter. Thanks in advance.
Maybe the customer concern is that there is no commercial support with Keycloak. It's a very practical concern, eg if you are not available at some future time and all apps are broken when something strange happens after upgrading the Authorization Server.
Of course on the technical side of things, keep code portable by implementing standards based solutions, so that you can switch providers. Avoid stuff like Keycloak Adapters if they are vendor specific.
DEPLOYMENT
As a containerized solution, Keycloak's deployment model supports multi-cloud and means you can run in any cloud provider.
Then again, the Platform as a Service model of some providers is often attractive - no infra to manage and the hope of high availability. With some PAAS providers the trade off may be that there is less control over behavior.
WHAT ARE THE REAL REQUIREMENTS?
Commercial support
Guidance on app scenarios
High Availability
Ease of management
Extensibility
Portability
Different customers have different viewpoints and there is no right answer. The usual thing that software architects do is understand their audience, make recommendations, but let the customer decide - they are the boss after all.

back end and front end options for youtube-type site

What are the best front-end and back-end languages and database setups for a youtube-type site that manages user accounts, security, streaming, database manipulation, etc.? I am looking to start a project incorporating multiple developers and I need to understand the pros and cons of different options, including things such as scalability, security, efficiency, ease of learning, etc., to decide on a standard for the project. Please try to keep opinions out of the comparisons unless they represent a general consensus.
After looking further into it I have found a few different frameworks, especially backend.
For security reasons, I have decided on Laravel, a very robust PHP framework. It handles templating, routing (pretty URLs), security checks, database management, and tons of other cool features.
Frontend will simply be jQuery because Laravel achieves most of the tasks JavaScript frameworks are created for.
And finally Bootstrap 4 with SASS to expedite CSS writing.
Hopefully this helps someone!

Hardware software requirements for SAML and OAUTH

I am preparing a report on SAML and OAUTH for a comparative study on these two technologies.
I have got a few pages ready describing what SAML and OAUTH can do.
The next thing I need is the hardware and software requirements to implement SSO using SAML and OAUTH.
This would help analyse the costs involved and come to a decision on choosing either of the two technologies.
If you are aware of the H/W and S/W requirements please enumerate them.
Thanks,
david
On the software side, the cost will really depend on what solution you're using. Both technologies have good open-source and commercial implementations (and often, the same product supports both). So, I don't think that the software costs will make a difference.
On the hardware part, SAML is probably a little more power-consuming, because it implies XML parsing, XML digital signature (which needs more resources than a simple digital signature).
But if you have a reasonable number of concurrent users, the raw-power of the most basic servers will be able to absorb the load without problems in each case.
To give some figures, our SAML 2.0 solution (which admittedly is performance- and not feature-oriented) is able to generate ~100 SAML responses per second on my workstation (a low-end Sandy Bridge Pentium). The main factor determining performance is CPU. I/O and memory are somewhat negligible.
How many authentications per second do you plan to have in production?

Security for Web Apps

I'm working on a web application and we are getting ready to launch it. Because it will hold sensitive data for users, I want this to be as secure as possible. Here is a list of what we are currently doing...
Running the app on Heroku (Ruby on Rails)
Site is encrypted with 256 SSL (with forced SSL turned on)
Cookies are encrypted and we pass the Firesheep test
Their password and everything in the database is one-way encrypted, so even if someone got access to the database it would be useless.
We do not store any keys or passwords openly in the source code but rather use Config Vars.
Other than that, what else should/could we be doing? We are considering McAfee's site scan but they quoted us $2,500 a year. I'm not sure it's worth it.
Does anyone have any suggestions at all?
Make sure to read the OWASP Top 10. Also, $2,500 is a rip-off; Sitewatch is free. You should also consider running a Web Application Firewall like mod_security, but keep in mind this will cause problems for testing tools like McAfee or Sitewatch. You should configure mod_security to allow specific IP addresses, or test your application before enabling the WAF.
After ruling out the usual suspects (XSS, SQL injection, mass assignment, etc), client side is where most problems come from, and this is often overlooked. I don't know what your site is about, but things like telling your users that they shouldn't follow links on emails they did not explicitly request usually delivers highest bang-for-the-buck.
Best regards,
-- J. Fernandes
I'd recommend checking out the OWASP Top 10: http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf
The OWASP Top Ten provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
To verify your SSL configuration, you can try https://www.ssllabs.com/ssldb/index.html.
If you're curious about the sheer variety of attacks, check out Jeremiah Grossman's post titled Top Ten Web Hacking Techniques of 2010 and scroll down until you see "The Complete List".
If you want to fire off a few web app vulnerability scans tools to catch the low hanging fruit you can try:
skipfish: http://code.google.com/p/skipfish/ (free)
netsparker community: http://www.mavitunasecurity.com/communityedition/ (free)
look here for more https://security.stackexchange.com/questions/32/what-tools-are-available-to-assess-the-security-of-a-web-application/
If you're really concerned about security, then adopting a secure development plan and working with someone trained in app security would obviously boost your confidence that things are being done right.
Regarding development, you may like the ideas presented in Microsoft's simplified SDL:
"The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development."
"The process outlined in this paper sets a minimum threshold for SDL compliance. That said, organizations aren’t uniform – development teams should apply the SDL in a way that is suitable to the human talent and resources available, but doesn’t compromise organizational security goals."
Also it is important to note automated vulnerability scan tools fail to identify most logical vulnerabilities so don't rely solely on automated tools. For example (taken from OWASP):
"Setting the quantity of a product on an e-commerce site as a negative number may result in funds being credited to the attacker. The countermeasure to this problem is to implement stronger data validation, as the application permits negative numbers to be entered in the quantity field of the shopping cart."
Human intelligence is key to spot logical issues.
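The quoted OWASP example is the kind of logic flaw a scanner will not flag, and the fix is the strict input validation the text calls for. The following is an added Ruby example (the thread's app is Ruby on Rails), not code from the original post; the function names and the MAX_QUANTITY limit are assumptions. It contrasts the lax conversion many applications rely on with a parser that only accepts what a quantity field should ever contain:

```ruby
# Added example: strict server-side validation of a shopping-cart quantity.
# MAX_QUANTITY and the function names are assumptions for this illustration.
MAX_QUANTITY = 1_000

# What a naive handler typically does: String#to_i silently accepts a leading
# sign and ignores trailing junk, so "-3abc" becomes -3 and the order total
# goes negative. Shown only to make the contrast explicit.
def lax_quantity(raw)
  raw.to_s.to_i
end

# Strict parser: returns an Integer for acceptable input, nil otherwise.
# Only ASCII digits with no leading zero, sign or whitespace are accepted,
# and the value is capped so an attacker cannot request absurd amounts.
# Integer(raw, 10) is deliberately avoided because it tolerates surrounding
# whitespace, a leading "+"/"-" and "_" separators.
def parse_quantity(raw)
  return nil unless raw.is_a?(String) && raw.match?(/\A[1-9][0-9]*\z/)
  qty = raw.to_i
  qty <= MAX_QUANTITY ? qty : nil
end

# Price calculation that refuses to proceed on any rejected quantity, so a
# bad value fails loudly instead of producing a credit to the customer.
def line_total_cents(unit_price_cents, raw_quantity)
  qty = parse_quantity(raw_quantity)
  raise ArgumentError, "invalid quantity: #{raw_quantity.inspect}" if qty.nil?
  unit_price_cents * qty
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs a form or API might deliver.
  ["3", "-3", "-3abc", " 5", "007", "0", "1001", "1e3"].each do |raw|
    puts "#{raw.inspect}: lax=#{lax_quantity(raw)} strict=#{parse_quantity(raw).inspect}"
  end
end
```

The same pattern applies to any field the business logic treats as a count or amount: parse into a typed value with an explicit allowed shape and range, and reject everything else before it reaches a calculation.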
Security is also all about maintenance. Assigning someone or a team the responsibility to astutely play continuous defense is important.
Note: Encrypting the passwords doesn't imply infallible security. Dictionary/password lists/brute force attacks work all the time to reveal weak passwords. A very common attack is to use SQL injection to dump the user table (with password hashes) then use a password cracker to discover legitimate user/password pairs.
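The note above makes two points defenders should act on: stored passwords must be hashed with a salted, deliberately slow function so a dumped table does not yield passwords cheaply, and the check at login must not leak timing. The following is an added Ruby example, not code from the original thread or from any Rails library; it uses only the standard library (OpenSSL PBKDF2-HMAC-SHA256), and the function names, record format and ITERATIONS value are assumptions chosen for the illustration:

```ruby
require "openssl"
require "securerandom"

# Added example: salted, iterated password hashing with a constant-time check.
# ITERATIONS, KEY_LEN and the "$"-separated record format are assumptions.
ITERATIONS = 100_000
KEY_LEN = 32

# Produces a self-describing record "pbkdf2-sha256$<iters>$<salt>$<hash>".
# A fresh random salt per user means two users with the same password get
# different records, so one precomputed dictionary cannot serve for the
# whole table. Storing the iteration count lets the cost be raised later.
def hash_password(password, salt = SecureRandom.random_bytes(16), iterations = ITERATIONS)
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LEN, "sha256")
  ["pbkdf2-sha256", iterations, [salt].pack("m0"), [digest].pack("m0")].join("$")
end

# Compares two byte strings without short-circuiting on the first mismatch,
# so the time taken does not reveal how many leading bytes were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recomputes the hash with the stored salt and iteration count and compares
# in constant time. Malformed or foreign records are rejected, never raised on.
def verify_password(password, stored)
  scheme, iterations, salt_b64, digest_b64 = stored.to_s.split("$", 4)
  return false unless scheme == "pbkdf2-sha256" && salt_b64 && digest_b64
  salt = salt_b64.unpack1("m0")
  expected = digest_b64.unpack1("m0")
  actual = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations.to_i, expected.bytesize, "sha256")
  secure_compare(actual, expected)
end

# True when a record was made with fewer iterations than current policy, so
# the application can rehash on the next successful login.
def needs_rehash?(stored, min_iterations = ITERATIONS)
  _scheme, iterations, = stored.to_s.split("$", 4)
  iterations.to_i < min_iterations
end

if __FILE__ == $PROGRAM_NAME
  record = hash_password("correct horse battery staple") # constructed sample
  puts record
  puts "ok:    #{verify_password('correct horse battery staple', record)}"
  puts "wrong: #{verify_password('Correct horse battery staple', record)}"
  puts "rehash needed: #{needs_rehash?(record)}"
end
```

In a Rails application the same idea is usually obtained through has_secure_password and the bcrypt gem; the block above spells the mechanism out with the standard library so the salt, the work factor and the constant-time comparison are all visible.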
You can find information about common Ruby on Rails application vulnerabilities and their countermeasures at the Zen Rails Security Checklist, including most of the OWASP Top 10 items.

How reliable is Heroku for a sensitive app?

How reliable is Heroku for a sensitive app?
Can they be trusted for a very important app?
Have you used it for a long time? What's your opinion?
Thanks
Heroku provides information about security policy in its legal section. According to the security documents, it seems to have a really reliable infrastructure and I have been using it for 1 year without any issues. I also haven't heard about noticeable security flaws in its system.
Some technical restrictions, such as the read-only file-system, can be a hassle at first glance but increase the security of the platform.
It is indeed much more secure than many other VPS providers and, unless you have the benefit of a team of sysadmins and security experts, you can probably trust them more than you can trust your own infrastructure.
A good infrastructure doesn't mean bullet-proof software. Your first priority should be to make sure your software won't include any security flaws. Stress test your software, use unit and integration tests to make sure your software is stable and you are not reintroducing any issues that have already been fixed.