Visible to the public Coding Practices and Recommendations of Spring Security for Enterprise Applications

TitleCoding Practices and Recommendations of Spring Security for Enterprise Applications
Publication TypeConference Paper
Year of Publication2020
AuthorsIslam, M., Rahaman, S., Meng, N., Hassanshahi, B., Krishnan, P., Yao, D. D.
Conference Name2020 IEEE Secure Development (SecDev)
Date PublishedSept. 2020
ISBN Number978-1-7281-8388-6
Keywordsauthentication, Authorization, encoding, insecure coding practices, password, pubcrawl, resilience, Resiliency, Scalability, security, security anti patterns, Security by Default, Spring security, Springs, Uniform resource locators
AbstractSpring security is tremendously popular among practitioners for its ease of use to secure enterprise applications. In this paper, we study the application framework misconfiguration vulnerabilities in the light of Spring security, which is relatively understudied in the existing literature. Towards that goal, we identify 6 types of security anti-patterns and 4 insecure vulnerable defaults by conducting a measurement-based approach on 28 Spring applications. Our analysis shows that security risks associated with the identified security anti-patterns and insecure defaults can leave the enterprise application vulnerable to a wide range of high-risk attacks. To prevent these high-risk attacks, we also provide recommendations for practitioners. Consequently, our study has contributed one update to the official Spring security documentation while other security issues identified in this study are being considered for future major releases by Spring security community.
Citation Keyislam_coding_2020