Difference between revisions of "Scala Frameworks"

From OWASP
Jump to: navigation, search
(Encryption Keystore Password)
Line 26: Line 26:
 
|}
 
|}
  
==Play Framework==
+
==Secure Coding - Scala Frameworks==
=== Sensitive information in Configuration Files===
 
Every Scala project will contain configuration files that can contain sensitive information such as:
 
* Passwords in clear text
 
* Path to Keystores
 
* Passwords from Keystores
 
  
Programers should avoid configuring clear text passwords  in Application.conf files, for that purpose, encryption is necessary
+
The following is a series of documents regarding the security configurations for the above mentioned frameworks
 
 
===Configuration Keystore  ===
 
At some point, especially for projects requiring secure communications (HTTPS), the implementation and use of Keystore is required.
 
The Playframework provides some examples of implementing [https://www.playframework.com/documentation/2.6.x/ConfiguringHttps#SSL-Certificates-from-a-keystore this]
 
unfortunately, there is no further information on how to create this information securely. The developer must also keep in mind that the default configuration is quite insecure and certificates generated are self-signed, becoming unsuitable for real applications.
 
 
 
Developers should revise the following configuration information:
 
 
 
'''play.server.https.keyStore.path''' - The path to the keystore containing the private key and certificate, if not provided generates a keystore for you
 
 
 
''Security issue'': Keys must be secure guarded, allowing the 'generated' one, can allow an attacker obtain such information if code is compromised
 
 
 
More information refer to: [[Cryptographic Storage Cheat Sheet|Cryptographic Storage Cheat Sheet#Rule - Protect keys in a key vault]]
 
 
 
'''play.server.https.keyStore.password''' - The password, defaults to a blank password
 
 
 
''Security issue'': Blank passwords are a 'no-go', therefore, it is essential to change this information. Again, do not create a 'clear-text' passwords, but make sure you use an environment variable for this purpose, or encrypt properly if you place one in the configuration file
 
 
 
'''play.server.https.keyStore.algorithm''' - The key store algorithm, defaults to the platforms default algorithm
 
 
 
''Security issue'': Developer should check what is the 'defaults' being used and make sure the algorithm in question is secure as recommended by NIST guidelines
 
 
 
====Encryption Keystore Password====
 
Using Environment  in configuration files instead of clear text passwords, example
 
<code>password=${?MAIL_PASSWD}</code>
 
Following best practices, if you need to store a password, make sure that
 
* It's hashed
 
* Use salt
 
* Implement a slow algorithm against brute force such as Bcrypt The following example uses Bcrypt library for this purpose
 
def PasswordHash( name:String, pwd:String, version:Int = 1 ) : String = {
 
    if( version == 2 && false )
 
    {
 
      // ANY CHANGES SHOULD BE MADE AS A NEW VERSION AND ADDED HERE
 
      ""
 
    }
 
    else
 
    {
 
      import org.mindrot.jbcrypt.BCrypt      // jbcrypt-0.3m.jar
 
      // Salt will be incorporated in the password hash
 
      val salt = BCrypt.gensalt(12) // Default is 10, or 2**10 rounds.  More rounds is slower.
 
      BCrypt.hashpw( (name + pwd), salt )
 
    }
 
  }
 
  def VerifyPassword( name:String, pwd:String, hash:String, version:Int = 1 ) : Boolean = {
 
    if( version == 1 )
 
    {
 
      import org.mindrot.jbcrypt.BCrypt      // jbcrypt-0.3m.jar
 
      BCrypt.checkpw( (name + pwd), hash )
 
    }
 
    else
 
      false
 
  }
 
 
 
=== Enabling SSL in Production ===
 
[https://www.playframework.com/documentation/2.3.x/ConfiguringHttps Play recommends] to use JDK 1.8 which provides a number of new features that make JSSE feasible as a TLS termination layer
 
  
 
==Vulnerable Framework Components==
 
==Vulnerable Framework Components==

Revision as of 07:01, 7 November 2017

Scala language , just as JAVA , offers different types of Security Frameworks you can work with. Depending on the task, here we offer some general guidelines regarding the proper use of them The following table contains the most popular ones and their security in terms of modules and implementation

Security Frameworks

The following Scala frameworks contain modules that help developers implement secure features such as Authentenciation, Authorization, CRSF or SQLInjection

Framework Authentication Authorization CSRF XSS SQLInjection
Play - - -
Deadbolt 2 - - -
Play-pac4j - - - -
Scala-oauth2-provider - - - -
SecureSocial - - - -
Silhouette - Play Framework Library - - - -
Lift
Akka (Akka-http) - - -
Spray - - -

Secure Coding - Scala Frameworks

The following is a series of documents regarding the security configurations for the above mentioned frameworks

Vulnerable Framework Components

It is essential that developers implement regular dependency checks of their components, since must Scala projects will make use of the above mentioned frameworks

Reference

https://www.47deg.com/blog/security-frameworks-for-scala/