1 Security today

This chapter covers

  • What Spring Security is and what you can solve by using it

  • What security is for a software application

  • Why software security is essential and why you should care

  • Common vulnerabilities that you’ll encounter at the application level

Today, more and more developers are becoming aware of security. It’s not, unfortunately, a common practice to take responsibility for security from the beginning of the development of a software application. This attitude should change, and everyone involved in developing a software system must learn to consider security from the start!

Generally, as developers, we begin by learning that the purpose of an application is to solve business issues. This purpose refers to something where data could be processed somehow, persisted, and eventually displayed to the user in a specific way as specified by some requirements. This overview of software development, which is somehow imposed from the early stages of learning these techniques, has the unfortunate disadvantage of hiding practices that are also part of the process. While the application works correctly from the user’s perspective and, in the end, it does what the user expects in terms of functionality, there are lots of aspects hidden in the final result.

1.1 Spring Security: The what and the why

1.2 What is software security?

1.3 Why is security important?

1.4 Common security vulnerabilities in web applications

1.4.1 Vulnerabilities in authentication and authorization

1.4.2 What is session fixation?

1.4.3 What is cross-site scripting (XSS)?

1.4.4 What is cross-site request forgery (CSRF)?

1.4.5 Understanding injection vulnerabilities in web applications

1.4.6 Dealing with the exposure of sensitive data

1.4.7 What is the lack of method access control?

1.4.8 Using dependencies with known vulnerabilities

1.5 Security applied in various architectures

1.5.1 Designing a one-piece web application

1.5.2 Designing security for a backend/frontend separation

1.5.3 Understanding the OAuth 2 flow