Coding Practices and Recommendations of Spring Security for Enterprise Applications
This addresses security risks for enterprise application developers using Spring Security, but it is incremental as it builds on existing vulnerability research.
The paper studied misconfiguration vulnerabilities in Spring Security for enterprise applications, identifying 6 security anti-patterns and 4 insecure defaults through analysis of 28 applications, which can lead to high-risk attacks, and contributed to an update in official documentation.
Spring security is tremendously popular among practitioners for its ease of use to secure enterprise applications. In this paper, we study the application framework misconfiguration vulnerabilities in the light of Spring security, which is relatively understudied in the existing literature. Towards that goal, we identify 6 types of security anti-patterns and 4 insecure vulnerable defaults by conducting a measurement-based approach on 28 Spring applications. Our analysis shows that security risks associated with the identified security anti-patterns and insecure defaults can leave the enterprise application vulnerable to a wide range of high-risk attacks. To prevent these high-risk attacks, we also provide recommendations for practitioners. Consequently, our study has contributed one update to the official Spring security documentation while other security issues identified in this study are being considered for future major releases by Spring security community.