Web application security for developers: tooling and best practices

Presentation by Luuk Buit, JavaOne 2017.

Tooling

Firefox

Settings > Advanced > Network > Connection settings > Manual proxy:

  • localhost:9876 for all protocols
  • remove localhost/127.0.0.1 from "No Proxy for:" (otherwise requests to the demo apps on localhost bypass the proxy and never show up in ZAP)

OWASP ZAP Proxy

Options > Local Proxy > localhost:9876

Background

Demos

The BodgeIt Store

$ docker pull psiinon/bodgeit
$ docker run --rm -p 8080:8080 -i -t psiinon/bodgeit

http://localhost:8080/bodgeit

Spring Boot Sample Web Secure

$ git clone https://github.com/spring-projects/spring-boot.git
$ cd spring-boot/spring-boot-samples/spring-boot-sample-web-secure
$ mvn spring-boot:run

http://localhost:8080/

OWASP Dependency Check

$ brew install dependency-check
$ cd struts2
$ mvn package
$ dependency-check --scan . --project struts
$ open dependency-check-report.html
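Opening the HTML report is fine for a demo, but in a build you want the scan to fail automatically above some severity. The script below is an added example (not part of the presentation or of Dependency Check itself): it reads a JSON report, which Dependency Check writes when run with `--format JSON` alongside the HTML one, and returns the findings whose CVSS score reaches a threshold. The report embedded here is constructed sample data, the CVE ids in it are placeholders, and the field names (`dependencies`, `fileName`, `vulnerabilities`, `name`, `cvssv3.baseScore`, `cvssv2.score`) are assumed to match the JSON report layout.

```python
"""Fail a build on high-severity findings in an OWASP Dependency Check JSON report.

Added example; the report below is constructed and the CVE ids are placeholders.
"""
import json
import sys

# Constructed sample report in the assumed Dependency Check JSON layout.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "struts2-core-2.3.32.jar",
            "vulnerabilities": [
                {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM",
                 "cvssv2": {"score": 5.0}},
            ],
        },
        # A dependency with no known vulnerabilities has no "vulnerabilities" key.
        {"fileName": "commons-lang3-3.5.jar"},
    ]
})


def severity_score(vuln):
    """Return the CVSS score of one vulnerability entry, preferring CVSS v3."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return None  # no score recorded; caller decides how to treat it


def findings_at_or_above(report, threshold):
    """List (jar, cve, score) for every vulnerability scoring >= threshold."""
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []) or []:
            score = severity_score(vuln)
            if score is not None and score >= threshold:
                findings.append((dep.get("fileName", "?"), vuln.get("name", "?"), score))
    return findings


def should_fail_build(report_text, threshold=7.0):
    """True when the JSON report contains any finding at or above threshold."""
    return bool(findings_at_or_above(json.loads(report_text), threshold))


if __name__ == "__main__":
    # Usage: python gate.py dependency-check-report.json [threshold]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    limit = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    text = open(path).read() if path else SAMPLE_REPORT
    hits = findings_at_or_above(json.loads(text), limit)
    for jar, cve, score in hits:
        print(f"{jar}: {cve} (CVSS {score})")
    sys.exit(1 if hits else 0)
```

Run it against the real report with `dependency-check --scan . --project struts --format JSON` first; the non-zero exit status is what a CI job keys on. Entries without any CVSS score are skipped here, so decide for your own pipeline whether an unscored finding should block the build.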