Coding Practices and Recommendations of Spring Security for Enterprise Applications

Spring Security is tremendously popular among practitioners because of how easily it secures enterprise applications. In this paper, we study application framework misconfiguration vulnerabilities in the context of Spring Security, a topic that is relatively understudied in the existing literature. Towards that goal, we identify 6 types of security anti-patterns and 4 insecure vulnerable defaults through a measurement-based study of 28 Spring applications. Our analysis shows that the security risks associated with the identified security anti-patterns and insecure defaults can leave an enterprise application vulnerable to a wide range of high-risk attacks. To prevent these high-risk attacks, we also provide recommendations for practitioners. Consequently, our study has contributed one update to the official Spring Security documentation, while the other security issues identified in this study are being considered for future major releases by the Spring Security community.
