Developers write code that works, but often they are unaware of how the vulnerabilities in their code are exploited. Security remains an afterthought or is actively avoided because time-to-market remains the top priority for the business.
DevSecOps demands shifting security left: implementing security measures as part of the CI/CD process throughout the development lifecycle. One such measure is adding automated tests to the CI/CD pipeline to verify the security capabilities of the application.
Spring Security is a framework that provides the tools needed to implement and verify authentication and authorization, along with protection against common attacks, and it helps address some of the OWASP Top 10 issues.
Like any framework, you need to know how to use it properly, as writing secure code requires awareness and best practices more than tools and frameworks.
Spring Security recommends addressing the following four security concerns for any enterprise application. We will take a pragmatic approach and apply these four concepts to a pre-built, realistic sample application.
We will address these security concerns by implementing the most widely used features of Spring Security with actual code. We will build the access restrictions step by step, layer by layer, to control who can do what on which resource.
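To make the two ideas above concrete (access rules on the URL layer, and an automated test in the CI pipeline that proves they hold), here is an added example that is not part of the tutorial or its sample application. It assumes Spring Boot 3 with `spring-boot-starter-web`, `spring-boot-starter-security` and `spring-security-test` on the classpath; the package name, endpoint paths and roles are made up for the illustration.

```java
// ---- src/main/java/com/example/demo/DemoApplication.java ----
// Added example (not the tutorial's code). Assumed: Spring Boot 3 / Spring Security 6;
// paths "/api/**", "/api/admin/**" and role "ADMIN" are illustrative names.
package com.example.demo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) { SpringApplication.run(DemoApplication.class, args); }

    // URL-layer rules: every /api/** call must be authenticated, /api/admin/** additionally
    // needs ROLE_ADMIN, and anything not listed is denied rather than left open by accident.
    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            // Stateless API authenticated per request (no session cookie), so CSRF tokens add nothing here.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .requestMatchers("/api/**").authenticated()
                .anyRequest().denyAll())
            // Unauthenticated callers get a plain 401 instead of a redirect to a login page.
            .exceptionHandling(e -> e.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

@RestController
class ApiController {
    @GetMapping("/api/orders")      String orders() { return "orders"; }
    @GetMapping("/api/admin/users") String users()  { return "users"; }
}

// ---- src/test/java/com/example/demo/ApiSecurityTest.java ----
// Runs in the CI pipeline: the build fails if any access rule regresses.
package com.example.demo;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest
@AutoConfigureMockMvc
class ApiSecurityTest {
    @Autowired MockMvc mvc;

    @Test
    void anonymousCallerGets401() throws Exception {
        mvc.perform(get("/api/orders")).andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockUser(roles = "USER")   // authenticated, but lacking ROLE_ADMIN
    void ordinaryUserCannotReachAdminEndpoint() throws Exception {
        mvc.perform(get("/api/admin/users")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminCanReachAdminEndpoint() throws Exception {
        mvc.perform(get("/api/admin/users"))
           .andExpect(status().isOk())
           .andExpect(content().string("users"));
    }

    @Test
    void unmappedPathIsDeniedNotExposed() throws Exception {
        mvc.perform(get("/internal/anything")).andExpect(status().isUnauthorized());
    }
}
```

The three outcomes the tests pin down (401 for no identity, 403 for the wrong role, 200 for the right one) are the ones worth asserting in every pipeline run; the `anyRequest().denyAll()` rule and its test catch the common regression where a new endpoint is added without any rule and silently becomes reachable.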
With the increasingly popular microservice-style architecture, we will scope our discussion to API security rather than MVC application security.
Reading is a good start, but nothing replaces hands-on experience. You can practice each lesson in one of the following ways: