SlideShare a Scribd company logo

OWASP AppSecEu 2016 Rome - Building secure cloud native apps

Andreas Falk, profile picture
Andreas Falk

The document discusses building secure cloud-native applications with Spring Boot and Spring Security. It introduces Spring Security which provides "secure by default" configurations and password encoding. It also discusses secure microservice architectures using OAuth2 for authentication and authorization between services. Runtime application self-protection with AppSensor is presented as another method for securing cloud applications.

Technology
1 of 34
Downloaded 15 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
Andreas Falk Building secure cloud-native apps with spring boot & security
About me Building secure cloud-native apps with spring boot & security 2 Andreas Falk / Germany NovaTec Consulting GmbH andreas.falk@novatec-gmbh.de @Agile_Security Agile Threat Modeling Cloud Spring Security Scrum Kanban TDD Code Review CleanCode Static Analysis Architecture OWASP Java EE Microservices IoT BDD DevOps Web Java SSO OAuth2 SAML
Developers vs. Security Building secure cloud-native apps with spring boot & security 3 Java
Developers vs. Security Building secure cloud-native apps with spring boot & security 4 Cloud IoT Microservices BigDataSingle Page Apps Testing NoSQL DevOps Agile Cross-Functional Security? Java8
Secure Web Application in 5 minutes Building secure cloud-native apps with spring boot & security 5 Live Coding Demo
Cloud Native Building secure cloud-native apps with spring boot & security 6
Cloud Native Building secure cloud-native apps with spring boot & security 7 DevOps Continuous Delivery Microservices Containers Culture Process Architecture Technology
JP Morgan Chase‘s Cloud Native MM Building secure cloud-native apps with spring boot & security 8 Cloud NativeLevel 3 Cloud ResilientLevel 2 Cloud FriendlyLevel 1 Cloud ReadyLevel 0
JP Morgan Chase‘s Cloud Native MM Building secure cloud-native apps with spring boot & security 9 Cloud NativeLevel 3 Cloud ResilientLevel 2 Cloud FriendlyLevel 1 Cloud ReadyLevel 0 12 Factor App One Code Base Externalize Configuration … http://12factor.net
Process ProcessProcess From Monolith To Microservices Building secure cloud-native apps with spring boot & security 10 Process Process Java Process C# Process Python Process Java
Microservice = Spring Boot Standalone Spring Apps Auto Configuration Embedded Servlet Container „Make JAR Not WAR“ Production-Ready Features Building secure cloud-native apps with spring boot & security 11
Cloud Native Building secure cloud-native apps with spring boot & security 12 Secure
Secure Continuous Delivery ? Building secure cloud-native apps with spring boot & security 13 Time Attacks (24x7) Deployments Penetration Test Sprint Sprint Sprint Sprint Sprint Sprint
Agile Security / SecDevOps Building secure cloud-native apps with spring boot & security Sprint Releasable Increment Ops / SupportProduct Backlog Continuous Delivery Vision + Security 14 Today‘s Session !!!
Secure Cloud-Native Applications Secure + Cloud-Native Building secure cloud-native apps with spring boot & security 15 Spring Security + Spring Boot =
Spring Security „Secure By Default“ Configuration Authentication / Authorization Secure Password Encoding Testing Support Building secure cloud-native apps with spring boot & security 16
„Secure By Default“ Configuration Require Authentication for all URLs: On Session Fixation Protection: On Session Cookie (HttpOnly, Secure): On CSRF Attack Protection: On Security Response Headers: On Building secure cloud-native apps with spring boot & security 17 Java
Security Response Headers Building secure cloud-native apps with spring boot & security 18 Cache Control X-Content-Type-Options X-Frame-Options X-XSS-Protection HTTP Strict Transport Security (SSL)
Secure Password Encoding public interface PasswordEncoder { String encode(CharSequence rawPassword); boolean matches( CharSequence rawPassword, String encodedPassword); } Building secure cloud-native apps with spring boot & security 19 Java
Secure Password Encoding public interface PasswordEncoder { String encode(CharSequence rawPassword); boolean matches( CharSequence rawPassword, String encodedPassword); } Building secure cloud-native apps with spring boot & security 20 Java Encoder Implementations BCryptPasswordEncoder SCryptPasswordEncoder Pbkdf2PasswordEncoder BytesEncryptor (implementation for BouncyCastle)
„Secure By Default“ Conventions Building secure cloud-native apps with spring boot & security 21 Live Coding Demo
Secure Cloud Architectures Building secure cloud-native apps with spring boot & security 22 Microservice API-Gateway Microservice Microservice UI
Secure Cloud with OAuth2 Building secure cloud-native apps with spring boot & security 23 Microservice API-Gateway Microservice Microservice UI OAuth2 Token Token Token Token Token OAuth2 Client Authorization Server Resource Server
Secure Cloud with OAuth2 Building secure cloud-native apps with spring boot & security 24 Microservice API-Gateway Microservice Microservice UI OAuth2 Token Token Token Token Token OAuth2 Client Authorization Server Resource Server More Details on OAuth2: Session on OpenId Connect earlier today @AppSecEU
Tweetable OAuth2 Application Building secure cloud-native apps with spring boot & security 25 Java
Secure Microservices With OAuth2 Building secure cloud-native apps with spring boot & security 26 Live Coding Demo
Runtime Application Self-Protection Building secure cloud-native apps with spring boot & security 27
RASP With AppSensor Building secure cloud-native apps with spring boot & security 28 http://appsensor.org https://github.com/jtmelton/appsensor Cloud Native App AppSensor Integration 1: Event 3: Response 2: Attack AppSensor UI Analytics Policy Detection Points
AppSensor UI Building secure cloud-native apps with spring boot & security 30
AppSensor UI Building secure cloud-native apps with spring boot & security 31
AppSensor UI Building secure cloud-native apps with spring boot & security 32
Wrap Up: Secure Cloud-Native Apps Building secure cloud-native apps with spring boot & security 33 WebCloud Spring Security Spring Boot Spring IO Platform Spring Security OAuth2 Spring Cloud R A S P
Wrap Up: Secure Cloud-Native Apps Building secure cloud-native apps with spring boot & security 34 „Secure By Default“ Conventions !! „Secure By Default“ Developer API‘s !! Java
Questions? Building secure cloud-native apps with spring boot & security 35 Andreas Falk NovaTec Consulting GmbH andreas.falk@novatec-gmbh.de @Agile_Security https://github.com/andifalk/appseceu2016 http://projects.spring.io/spring-security http://projects.spring.io/spring-security-oauth

More Related Content

PPTX
DevSecOps reference architectures 2018
Sonatype
 
PDF
Spring Security 5.5 From Taxi to Takeoff
VMware Tanzu
 
PDF
Security Patterns for Microservice Architectures - SpringOne 2020
Matt Raible
 
PPTX
Secure your applications with Azure AD and Key Vault
Davide Benvegnù
 
PDF
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
PDF
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Richard Bullington-McGuire
 
PDF
JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor...
Wouter Bloeyaert
 
PDF
DevSecOps Implementation Journey
DevOps Indonesia
 
DevSecOps reference architectures 2018
Sonatype
 
Spring Security 5.5 From Taxi to Takeoff
VMware Tanzu
 
Security Patterns for Microservice Architectures - SpringOne 2020
Matt Raible
 
Secure your applications with Azure AD and Key Vault
Davide Benvegnù
 
AWS live hack: Docker + Snyk Container on AWS
Eric Smalling
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Richard Bullington-McGuire
 
JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor...
Wouter Bloeyaert
 
DevSecOps Implementation Journey
DevOps Indonesia
 

What's hot (20)

PDF
Introduction to DevSecOps
Setu Parimi
 
PDF
Serverless Security: Doing Security in 100 milliseconds
James Wickett
 
PDF
Secure your Application with Google cloud armor
DevOps Indonesia
 
PDF
Secure Your Code Implement DevSecOps in Azure
kloia
 
PPTX
DevSecOps Days SF at RSA Conference 2018
DevSecOps Days
 
PDF
Veracode Automation CLI (using Jenkins for SDL integration)
Dinis Cruz
 
PDF
As an Attacker, I Want Your Data: Anticipating Security Threats
VMware Tanzu
 
PDF
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia
 
PDF
Building security into the pipelines
Vandana Verma
 
PDF
Dev secops. Real experience.
Vitaly Balashov
 
PDF
DevSecOps | DevOps Sec
Rubal Jain
 
PPTX
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Cloud Native Day Tel Aviv
 
PDF
Security Patterns for Microservice Architectures - London Java Community 2020
Matt Raible
 
PDF
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
PDF
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl
 
PPTX
Third Party Performance (Velocity, 2014)
Guy Podjarny
 
PDF
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon
 
PDF
Enterprise DevOps Series: Using VS Code & Zowe
DevOps.com
 
PPTX
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PDF
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Research
 
Introduction to DevSecOps
Setu Parimi
 
Serverless Security: Doing Security in 100 milliseconds
James Wickett
 
Secure your Application with Google cloud armor
DevOps Indonesia
 
Secure Your Code Implement DevSecOps in Azure
kloia
 
DevSecOps Days SF at RSA Conference 2018
DevSecOps Days
 
Veracode Automation CLI (using Jenkins for SDL integration)
Dinis Cruz
 
As an Attacker, I Want Your Data: Anticipating Security Threats
VMware Tanzu
 
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia
 
Building security into the pipelines
Vandana Verma
 
Dev secops. Real experience.
Vitaly Balashov
 
DevSecOps | DevOps Sec
Rubal Jain
 
Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...
Cloud Native Day Tel Aviv
 
Security Patterns for Microservice Architectures - London Java Community 2020
Matt Raible
 
DevOps & DevSecOps in Swiss Banking
Aarno Aukia
 
Microsoft DevOps Forum 2021 – DevOps & Security
Nico Meisenzahl
 
Third Party Performance (Velocity, 2014)
Guy Podjarny
 
DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...
DevSecCon
 
Enterprise DevOps Series: Using VS Code & Zowe
DevOps.com
 
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
SBA Security Meetup - Deploying and managing azure sentinel as code by Bojan ...
SBA Research
 
Ad

Similar to OWASP AppSecEu 2016 Rome - Building secure cloud native apps (20)

PDF
Securing Cloud Applications Meap V03 Chapters 1 To 6 Of 23 Adib Saikali
asalyajosiph
 
PDF
Cloud Native Java Designing Resilient Systems With Spring Boot Spring Cloud A...
yiogomboya
 
PDF
Cloud Native Java Designing Resilient Systems with Spring Boot Spring Cloud a...
pjuelbj7772
 
PDF
Cloud Native Java Designing Resilient Systems with Spring Boot Spring Cloud a...
zubinrlondoit
 
PDF
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
Matt Raible
 
PDF
spring-security-reference.pdf
horica9300
 
PDF
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
VMware Tanzu
 
PDF
Cloud Native Spring In Action With Spring Boot And Kubernetes 1st Edition Tho...
larrentehna
 
PDF
Cloud-Native Security
VMware Tanzu
 
PDF
Cloud Native Security: New Approach for a New Reality
Carlos Andrés García
 
PDF
Spring Boot Intro
Alberto Flores
 
PPTX
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
CA API Management
 
PPTX
How iOS and Android Handle Security Webinar
Denim Group
 
PDF
CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
CloudIDSummit
 
PDF
Cloud Native Spring in Action 1st Edition Thomas Vitale
kannorarcus
 
PPTX
Building microservices sample application
Anil Allewar
 
PDF
How to develop your first cloud-native Applications with Java
Niklas Heidloff
 
PPTX
Microservices security - jpmc tech fest 2018
MOnCloud
 
PDF
BitSensor Webwinkel Vakdagen
webwinkelvakdag
 
PDF
CredHub and Secure Credential Management
VMware Tanzu
 
Securing Cloud Applications Meap V03 Chapters 1 To 6 Of 23 Adib Saikali
asalyajosiph
 
Cloud Native Java Designing Resilient Systems With Spring Boot Spring Cloud A...
yiogomboya
 
Cloud Native Java Designing Resilient Systems with Spring Boot Spring Cloud a...
pjuelbj7772
 
Cloud Native Java Designing Resilient Systems with Spring Boot Spring Cloud a...
zubinrlondoit
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
Matt Raible
 
spring-security-reference.pdf
horica9300
 
SpringOne Tour: Deliver 15-Factor Applications on Kubernetes with Spring Boot
VMware Tanzu
 
Cloud Native Spring In Action With Spring Boot And Kubernetes 1st Edition Tho...
larrentehna
 
Cloud-Native Security
VMware Tanzu
 
Cloud Native Security: New Approach for a New Reality
Carlos Andrés García
 
Spring Boot Intro
Alberto Flores
 
5 Reasons Why APIs Must be Part of Your Mobile Strategy - Scott Morrison, Dis...
CA API Management
 
How iOS and Android Handle Security Webinar
Denim Group
 
CIS13: Mobile Single Sign-On: Extending SSO Out to the Client
CloudIDSummit
 
Cloud Native Spring in Action 1st Edition Thomas Vitale
kannorarcus
 
Building microservices sample application
Anil Allewar
 
How to develop your first cloud-native Applications with Java
Niklas Heidloff
 
Microservices security - jpmc tech fest 2018
MOnCloud
 
BitSensor Webwinkel Vakdagen
webwinkelvakdag
 
CredHub and Secure Credential Management
VMware Tanzu
 
Ad

More from Andreas Falk (6)

PDF
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
PDF
Sicher in die Cloud mit Angular und Spring Boot (Karlsruher Entwicklertag 2017)
Andreas Falk
 
PDF
Manage distributed configuration and secrets with spring cloud and vault (Spr...
Andreas Falk
 
PDF
JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot
Andreas Falk
 
PDF
OWASP German Day 2016 - Sicher in die Cloud mit Angular 2 und Spring Boot
Andreas Falk
 
PDF
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
Andreas Falk
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
Sicher in die Cloud mit Angular und Spring Boot (Karlsruher Entwicklertag 2017)
Andreas Falk
 
Manage distributed configuration and secrets with spring cloud and vault (Spr...
Andreas Falk
 
JAX 2017 - Sicher in die Cloud mit Angular und Spring Boot
Andreas Falk
 
OWASP German Day 2016 - Sicher in die Cloud mit Angular 2 und Spring Boot
Andreas Falk
 
Cloud Foundry Meetup Stuttgart 2017 - Spring Cloud Development
Andreas Falk
 

Recently uploaded (20)

PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Cloud computing and distributed systems.
kkkkkhan
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 

OWASP AppSecEu 2016 Rome - Building secure cloud native apps

  • 1. Andreas Falk Building secure cloud-native apps with spring boot & security
  • 2. About me Building secure cloud-native apps with spring boot & security 2 Andreas Falk / Germany NovaTec Consulting GmbH andreas.falk@novatec-gmbh.de @Agile_Security Agile Threat Modeling Cloud Spring Security Scrum Kanban TDD Code Review CleanCode Static Analysis Architecture OWASP Java EE Microservices IoT BDD DevOps Web Java SSO OAuth2 SAML
  • 3. Developers vs. Security Building secure cloud-native apps with spring boot & security 3 Java
  • 4. Developers vs. Security Building secure cloud-native apps with spring boot & security 4 Cloud IoT Microservices BigDataSingle Page Apps Testing NoSQL DevOps Agile Cross-Functional Security? Java8
  • 5. Secure Web Application in 5 minutes Building secure cloud-native apps with spring boot & security 5 Live Coding Demo
  • 6. Cloud Native Building secure cloud-native apps with spring boot & security 6
  • 7. Cloud Native Building secure cloud-native apps with spring boot & security 7 DevOps Continuous Delivery Microservices Containers Culture Process Architecture Technology
  • 8. JP Morgan Chase‘s Cloud Native MM Building secure cloud-native apps with spring boot & security 8 Cloud NativeLevel 3 Cloud ResilientLevel 2 Cloud FriendlyLevel 1 Cloud ReadyLevel 0
  • 9. JP Morgan Chase‘s Cloud Native MM Building secure cloud-native apps with spring boot & security 9 Cloud NativeLevel 3 Cloud ResilientLevel 2 Cloud FriendlyLevel 1 Cloud ReadyLevel 0 12 Factor App One Code Base Externalize Configuration … http://12factor.net
  • 10. Process ProcessProcess From Monolith To Microservices Building secure cloud-native apps with spring boot & security 10 Process Process Java Process C# Process Python Process Java
  • 11. Microservice = Spring Boot Standalone Spring Apps Auto Configuration Embedded Servlet Container „Make JAR Not WAR“ Production-Ready Features Building secure cloud-native apps with spring boot & security 11
  • 12. Cloud Native Building secure cloud-native apps with spring boot & security 12 Secure
  • 13. Secure Continuous Delivery ? Building secure cloud-native apps with spring boot & security 13 Time Attacks (24x7) Deployments Penetration Test Sprint Sprint Sprint Sprint Sprint Sprint
  • 14. Agile Security / SecDevOps Building secure cloud-native apps with spring boot & security Sprint Releasable Increment Ops / SupportProduct Backlog Continuous Delivery Vision + Security 14 Today‘s Session !!!
  • 15. Secure Cloud-Native Applications Secure + Cloud-Native Building secure cloud-native apps with spring boot & security 15 Spring Security + Spring Boot =
  • 16. Spring Security „Secure By Default“ Configuration Authentication / Authorization Secure Password Encoding Testing Support Building secure cloud-native apps with spring boot & security 16
  • 17. „Secure By Default“ Configuration Require Authentication for all URLs: On Session Fixation Protection: On Session Cookie (HttpOnly, Secure): On CSRF Attack Protection: On Security Response Headers: On Building secure cloud-native apps with spring boot & security 17 Java
  • 18. Security Response Headers Building secure cloud-native apps with spring boot & security 18 Cache Control X-Content-Type-Options X-Frame-Options X-XSS-Protection HTTP Strict Transport Security (SSL)
  • 19. Secure Password Encoding public interface PasswordEncoder { String encode(CharSequence rawPassword); boolean matches( CharSequence rawPassword, String encodedPassword); } Building secure cloud-native apps with spring boot & security 19 Java
  • 20. Secure Password Encoding public interface PasswordEncoder { String encode(CharSequence rawPassword); boolean matches( CharSequence rawPassword, String encodedPassword); } Building secure cloud-native apps with spring boot & security 20 Java Encoder Implementations BCryptPasswordEncoder SCryptPasswordEncoder Pbkdf2PasswordEncoder BytesEncryptor (implementation for BouncyCastle)
  • 21. „Secure By Default“ Conventions Building secure cloud-native apps with spring boot & security 21 Live Coding Demo
  • 22. Secure Cloud Architectures Building secure cloud-native apps with spring boot & security 22 Microservice API-Gateway Microservice Microservice UI
  • 23. Secure Cloud with OAuth2 Building secure cloud-native apps with spring boot & security 23 Microservice API-Gateway Microservice Microservice UI OAuth2 Token Token Token Token Token OAuth2 Client Authorization Server Resource Server
  • 24. Secure Cloud with OAuth2 Building secure cloud-native apps with spring boot & security 24 Microservice API-Gateway Microservice Microservice UI OAuth2 Token Token Token Token Token OAuth2 Client Authorization Server Resource Server More Details on OAuth2: Session on OpenId Connect earlier today @AppSecEU
  • 25. Tweetable OAuth2 Application Building secure cloud-native apps with spring boot & security 25 Java
  • 26. Secure Microservices With OAuth2 Building secure cloud-native apps with spring boot & security 26 Live Coding Demo
  • 27. Runtime Application Self-Protection Building secure cloud-native apps with spring boot & security 27
  • 28. RASP With AppSensor Building secure cloud-native apps with spring boot & security 28 http://appsensor.org https://github.com/jtmelton/appsensor Cloud Native App AppSensor Integration 1: Event 3: Response 2: Attack AppSensor UI Analytics Policy Detection Points
  • 29. AppSensor UI Building secure cloud-native apps with spring boot & security 30
  • 30. AppSensor UI Building secure cloud-native apps with spring boot & security 31
  • 31. AppSensor UI Building secure cloud-native apps with spring boot & security 32
  • 32. Wrap Up: Secure Cloud-Native Apps Building secure cloud-native apps with spring boot & security 33 WebCloud Spring Security Spring Boot Spring IO Platform Spring Security OAuth2 Spring Cloud R A S P
  • 33. Wrap Up: Secure Cloud-Native Apps Building secure cloud-native apps with spring boot & security 34 „Secure By Default“ Conventions !! „Secure By Default“ Developer API‘s !! Java
  • 34. Questions? Building secure cloud-native apps with spring boot & security 35 Andreas Falk NovaTec Consulting GmbH andreas.falk@novatec-gmbh.de @Agile_Security https://github.com/andifalk/appseceu2016 http://projects.spring.io/spring-security http://projects.spring.io/spring-security-oauth