Spring Boot provides the tools, features, and dependencies needed to build Spring-based apps quickly and easily. For this reason, it has become a popular choice for creating Java web applications and microservices. As with other server-side technologies, it is critical to protect Spring Boot apps against security vulnerabilities that could be exploited in production. The Kiuwan platform helps us to identify and fix issues early in our development lifecycle, well before its time to release to production, and this support corner blog will show you how.
Kiuwan is initiated by running the Kiuwan Local Analyzer (KLA) in your development environment, build server, or CI/CD pipeline. When pointed at a source directory or repository, the KLA scans for and analyzes all source code and configuration files within. A Spring Boot project will contain predominantly Java source files, but there could also be HTML, JavaScript, or other file types. All in all, Kiuwan scans over 30 languages for security vulnerabilities.
After scanning with the KLA, results are organized and displayed in the Kiuwan portal, along with all the details needed to fix each vulnerability. In this Spring Boot application, Kiuwan uncovered a Server-Side Request Forgery (SSRF), Cross-site Request Forgery (CSRF), and several other security vulnerabilities:
While Kiuwan SAST focuses on vulnerabilities within our app’s source code, Kiuwan’s Software Composition Analysis (SCA) identifies threats from third-party dependencies. Third-party dependencies could introduce license risk, known security CVEs and CWEs, or obsolescence issues from running out-of-date packages:
After uncovering these vulnerabilities in our Spring Boot application, Kiuwan’s Action Plans help us organize this work within our existing development lifecycle. For example, if there are just five hours within a sprint to devote to app security, Kiuwan will identify the highest priority issues we can remediate within that time frame:
Overall, Kiuwan enables us to identify, prioritize, and fix security issues before releasing our Spring Boot application into production. By shifting security left, we save time, effort, and energy, and continually improve the security of our app as part of any existing development process.
Contact us to get started with code security scanning today!
