secure by default web applications with apache sling

http://robert.muntea.nu @rombert

Secure by Default Web Applications With Apache Sling

Secure by Default Web Applications With Apache Sling

Robert Munteanu, Adobe SystemsBucharest Technology Week 2016

http://robert.muntea.nu/


Who I am

$DAYJOB Adobe Experience

Manager Apache Sling Apache Jackrabbit Apache Felix

Open Source Apache Sling MantisBT Mylyn Connector for

MantisBT Mylyn Connector for Review

Board



Purpose of the talk

Scope

Cost Schedule



Agenda

● Apache Sling● Demo application review● Threat model● Security with Apache Sling● Demo● Conclusion● Q&A



Apache Sling – Brief History

2007Incubation

2009TLP

2015Version 8

200xPre-Apache



Apache Sling – Code Statistics



Apache Sling – Contributor activity



Apache Sling – Value proposition

● Content-oriented ● RESTful● Lightweight● Integrated authentication and authorization● OSGi-powered● Scripting inside● Easily deployable



Apache Sling – Content-Oriented

Blog posts

Images

Users and Groups



Apache Sling – Content-Oriented

Server-side templates and scripts

Configurations



Apache Sling – RESTful

$ http localhost:8080/content/↵ blog/posts/hello_world.html

jsonxmltxtpdfphp3



Apache Sling – RESTful



Apache Sling – Persistence via JCR



Apache Sling – Topologies

Standalone High Availability



Agenda




Demo App – main page



Demo App – Article Page



Demo App – Submitting comments



Agenda




Threat modelling

“Threat modeling is an engineering technique you can use to help you identify threats, attacks, vulnerabilities, and countermeasures that could affect your application”

Threat Modeling Web Applications on MSDN



Threat Modelling - Assets



Threat Modelling - Assets

● Availability● Content● User Credentials● Ability to execute code on server● Ability to execute code in the browser context



Threat Modelling - Trust Levels



Threat Modelling - Trust Levels

1. Anonymous

2. Author

3. Administrator



Threat Modelling - Threats

OWASP



Threat Modelling - Threats

1. Denial of Service

2. Defacement / Deletion

3. Leaking credentials

4. SQL/Shell Injection

5. Stored/Reflected XSS



Threat Modelling - Mitigation



Agenda




Apache Sling Security – Natural layering of ACEs



Apache Sling Security – Security applied at the lowest level

$ http --auth bob:bob localhost:8080/content/blog/posts/new_blog_post 'jcr\:title=New post'



Apache Sling Security – Context-aware templating language

<div class="comment clearfix">

<img class="avatar img-rounded pull-left" src="${resource.valueMap['authorAvatar']}"/>

<h3>${resource.valueMap['jcr:title']}</h3>

<p>${resource.valueMap['jcr:description']}</p>

</div>



Apache Sling Security – Injection-safe APIs

Children of/content/blog/posts



Apache Sling Security – Injection-safe APIs

Children of/content/blog/comments/hello_world



Agenda




Demo Application – Actual demo!!!!1oneone



Conclusions – Security

● Aim to be “Secure by Default”● Build a threat model for your application● Look for components that eliminate problems altogether



Conclusions – Apache Sling

● Simple to be “Secure by Default”● Eventing, Thread Pooling, Job Management, Caching● Scripting: Groovy, Scala, JSP, Sightly, Java, Ruby, Thymeleaf● Flexible resource rendering with resource types● Very extensible due to being internally powered by OSGi – most extension points available to clients



Resources

● Apache Sling – https://sling.apache.org ● Apache Jackrabbit

● https://jackrabbit.apache.org● http://jackrabbit.apache.org/oak/

● OWASP - https://www.owasp.org ● https://www.owasp.org/index.php/OWASP_Top_Ten

_Cheat_Sheet● https://www.owasp.org/index.php/Application_Thre

at_Modeling


https://sling.apache.org/

https://jackrabbit.apache.org/

http://jackrabbit.apache.org/oak/

https://www.owasp.org/

https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

https://www.owasp.org/index.php/Application_Threat_Modeling

https://www.owasp.org/index.php/Application_Threat_Modeling