Coding Practices and Recommendations of Spring Security for Enterprise Applications

Mazharul Islam; Sazzadur Rahaman; Na Meng; Behnaz Hassanshahi; Padmanabhan Krishnan; Danfeng Daphne Yao

doi:10.1109/SecDev45635.2020.00024

Coding Practices and Recommendations of Spring Security for Enterprise Applications

Mazharul Islam, Sazzadur Rahaman, Na Meng, Behnaz Hassanshahi, Padmanabhan Krishnan, Danfeng Daphne Yao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

11 Scopus citations

Abstract

Spring security is tremendously popular among practitioners for its ease of use to secure enterprise applications. In this paper, we study the application framework misconfiguration vulnerabilities in the light of Spring security, which is relatively understudied in the existing literature. Towards that goal, we identify 6 types of security anti-patterns and 4 insecure vulnerable defaults by conducting a measurement-based approach on 28 Spring applications. Our analysis shows that security risks associated with the identified security anti-patterns and insecure defaults can leave the enterprise application vulnerable to a wide range of high-risk attacks. To prevent these high-risk attacks, we also provide recommendations for practitioners. Consequently, our study has contributed one update to the official Spring security documentation while other security issues identified in this study are being considered for future major releases by Spring security community.

Original language	English (US)
Title of host publication	Proceedings - 2020 IEEE Secure Development, SecDev 2020
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	49-57
Number of pages	9
ISBN (Electronic)	9781728183886
DOIs	https://doi.org/10.1109/SecDev45635.2020.00024
State	Published - Sep 2020
Externally published	Yes
Event	2020 IEEE Secure Development, SecDev 2020 - Virtual, Atlanta, United States Duration: Sep 28 2020 → Sep 30 2020

Publication series

Name	Proceedings - 2020 IEEE Secure Development, SecDev 2020

Conference

Conference	2020 IEEE Secure Development, SecDev 2020
Country/Territory	United States
City	Virtual, Atlanta
Period	9/28/20 → 9/30/20

Keywords

Spring security
insecure coding practices
security anti patterns

ASJC Scopus subject areas

Computer Networks and Communications
Hardware and Architecture
Software
Information Systems and Management
Safety, Risk, Reliability and Quality

Access to Document

10.1109/SecDev45635.2020.00024

Cite this

Islam, M., Rahaman, S., Meng, N., Hassanshahi, B., Krishnan, P., & Yao, D. D. (2020). Coding Practices and Recommendations of Spring Security for Enterprise Applications. In Proceedings - 2020 IEEE Secure Development, SecDev 2020 (pp. 49-57). Article 9230007 (Proceedings - 2020 IEEE Secure Development, SecDev 2020). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SecDev45635.2020.00024

Coding Practices and Recommendations of Spring Security for Enterprise Applications. / Islam, Mazharul; Rahaman, Sazzadur; Meng, Na et al.
Proceedings - 2020 IEEE Secure Development, SecDev 2020. Institute of Electrical and Electronics Engineers Inc., 2020. p. 49-57 9230007 (Proceedings - 2020 IEEE Secure Development, SecDev 2020).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Islam, M, Rahaman, S, Meng, N, Hassanshahi, B, Krishnan, P & Yao, DD 2020, Coding Practices and Recommendations of Spring Security for Enterprise Applications. in Proceedings - 2020 IEEE Secure Development, SecDev 2020., 9230007, Proceedings - 2020 IEEE Secure Development, SecDev 2020, Institute of Electrical and Electronics Engineers Inc., pp. 49-57, 2020 IEEE Secure Development, SecDev 2020, Virtual, Atlanta, United States, 9/28/20. https://doi.org/10.1109/SecDev45635.2020.00024

Islam M, Rahaman S, Meng N, Hassanshahi B, Krishnan P, Yao DD. Coding Practices and Recommendations of Spring Security for Enterprise Applications. In Proceedings - 2020 IEEE Secure Development, SecDev 2020. Institute of Electrical and Electronics Engineers Inc. 2020. p. 49-57. 9230007. (Proceedings - 2020 IEEE Secure Development, SecDev 2020). doi: 10.1109/SecDev45635.2020.00024

@inproceedings{5284d1333aba4534acb266c0ccb8eac3,

title = "Coding Practices and Recommendations of Spring Security for Enterprise Applications",

abstract = "Spring security is tremendously popular among practitioners for its ease of use to secure enterprise applications. In this paper, we study the application framework misconfiguration vulnerabilities in the light of Spring security, which is relatively understudied in the existing literature. Towards that goal, we identify 6 types of security anti-patterns and 4 insecure vulnerable defaults by conducting a measurement-based approach on 28 Spring applications. Our analysis shows that security risks associated with the identified security anti-patterns and insecure defaults can leave the enterprise application vulnerable to a wide range of high-risk attacks. To prevent these high-risk attacks, we also provide recommendations for practitioners. Consequently, our study has contributed one update to the official Spring security documentation while other security issues identified in this study are being considered for future major releases by Spring security community.",

keywords = "Spring security, insecure coding practices, security anti patterns",

author = "Mazharul Islam and Sazzadur Rahaman and Na Meng and Behnaz Hassanshahi and Padmanabhan Krishnan and Yao, {Danfeng Daphne}",

note = "Publisher Copyright: {\textcopyright} 2020 IEEE.; 2020 IEEE Secure Development, SecDev 2020 ; Conference date: 28-09-2020 Through 30-09-2020",

year = "2020",

month = sep,

doi = "10.1109/SecDev45635.2020.00024",

language = "English (US)",

series = "Proceedings - 2020 IEEE Secure Development, SecDev 2020",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "49--57",

booktitle = "Proceedings - 2020 IEEE Secure Development, SecDev 2020",

}

TY - GEN

T1 - Coding Practices and Recommendations of Spring Security for Enterprise Applications

AU - Islam, Mazharul

AU - Rahaman, Sazzadur

AU - Meng, Na

AU - Hassanshahi, Behnaz

AU - Krishnan, Padmanabhan

AU - Yao, Danfeng Daphne

PY - 2020/9

Y1 - 2020/9

N2 - Spring security is tremendously popular among practitioners for its ease of use to secure enterprise applications. In this paper, we study the application framework misconfiguration vulnerabilities in the light of Spring security, which is relatively understudied in the existing literature. Towards that goal, we identify 6 types of security anti-patterns and 4 insecure vulnerable defaults by conducting a measurement-based approach on 28 Spring applications. Our analysis shows that security risks associated with the identified security anti-patterns and insecure defaults can leave the enterprise application vulnerable to a wide range of high-risk attacks. To prevent these high-risk attacks, we also provide recommendations for practitioners. Consequently, our study has contributed one update to the official Spring security documentation while other security issues identified in this study are being considered for future major releases by Spring security community.

AB - Spring security is tremendously popular among practitioners for its ease of use to secure enterprise applications. In this paper, we study the application framework misconfiguration vulnerabilities in the light of Spring security, which is relatively understudied in the existing literature. Towards that goal, we identify 6 types of security anti-patterns and 4 insecure vulnerable defaults by conducting a measurement-based approach on 28 Spring applications. Our analysis shows that security risks associated with the identified security anti-patterns and insecure defaults can leave the enterprise application vulnerable to a wide range of high-risk attacks. To prevent these high-risk attacks, we also provide recommendations for practitioners. Consequently, our study has contributed one update to the official Spring security documentation while other security issues identified in this study are being considered for future major releases by Spring security community.

KW - Spring security

KW - insecure coding practices

KW - security anti patterns

UR - http://www.scopus.com/inward/record.url?scp=85096646142&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85096646142&partnerID=8YFLogxK

U2 - 10.1109/SecDev45635.2020.00024

DO - 10.1109/SecDev45635.2020.00024

M3 - Conference contribution

AN - SCOPUS:85096646142

T3 - Proceedings - 2020 IEEE Secure Development, SecDev 2020

SP - 49

EP - 57

BT - Proceedings - 2020 IEEE Secure Development, SecDev 2020

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2020 IEEE Secure Development, SecDev 2020

Y2 - 28 September 2020 through 30 September 2020

ER -

Coding Practices and Recommendations of Spring Security for Enterprise Applications

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this