OWASP top ten attacks and Spring Security

I am evaluating security for my web application. As I am using Spring in my web application, I would like to leverage the Spring Security framework. I searched for more info about web security and came across the OWASP community and its top 10 attacks list. So my question is: would it suffice to configure Spring Security to secure my application? Which security threats out of the OWASP Top 10 (2013) are handled by the Spring Security framework?

ykjs121 asked Jun 17 '14 06:06


1 Answer

Building secure applications is a challenging task, and there is no "silver bullet" product which would make the application automatically secure for you. Therefore the simple usage of Spring Security certainly does not automatically mean that your application is secure! Spring Security is a great tool which helps with many aspects of building secure applications, but as with any tool you need to know how to use it properly.

Spring Security can help you address at least the following OWASP Top 10 issues:

  • A2-Broken Authentication and Session Management - by providing mechanisms for efficient and secure authentication and session management
  • A4-Insecure Direct Object References - by providing mechanisms for authorization within application
  • A6-Sensitive Data Exposure - Spring Security's crypto module provides necessary cryptography capabilities
  • A7-Missing Function Level Access Control - by providing means for authorization in UI and server side
  • A8-Cross-Site Request Forgery (CSRF) - by providing support for generation and validation of tokens mitigating CSRF attacks
Vladimír Schäfer answered Sep 18 '22 18:09
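As an added illustration (not part of the answer above and not code from the Spring project), here is what "using it properly" looks like in one Spring Security 6 configuration that touches each of the five items the answer lists. The URL paths, role names, the `Document`/`DocumentService` types and the in-memory users are constructed for the example; a real application would wire in its own user store and repository.

```java
// Added example: one Spring Security 6 (Spring Boot 3) configuration mapped to the
// OWASP 2013 items the answer names. All paths, roles and types are assumptions.
package example.security;

import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // turns on @PreAuthorize / @PostAuthorize (A4, A7)
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // A8: synchronizer-token CSRF protection is on by default for state-changing
            // requests; withDefaults() keeps that explicit rather than disabling it.
            .csrf(Customizer.withDefaults())
            // A7: function-level access control by URL pattern, server side.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")   // assumed admin area
                .requestMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated())
            // A2: framework-managed login/logout instead of a hand-rolled credential check.
            .formLogin(Customizer.withDefaults())
            .logout(Customizer.withDefaults())
            // A2: rotate the session id on login and cap concurrent sessions per user.
            .sessionManagement(session -> session
                .sessionFixation(fix -> fix.migrateSession())
                .maximumSessions(1));
        return http.build();
    }

    // A6: passwords are stored only as adaptive bcrypt hashes via spring-security-crypto.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Constructed users for the example; a real application reads them from its own store.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("USER").build(),
            User.withUsername("admin").password(encoder.encode("admin-pw")).roles("USER", "ADMIN").build());
    }
}

// Assumed domain type for the example.
record Document(long id, String owner, String body) {}

// A4: an object-level check so a user who guesses another user's document id gets
// AccessDeniedException instead of the record. The lookup itself is a constructed map.
@Service
class DocumentService {
    private final Map<Long, Document> store = Map.of(
        1L, new Document(1L, "alice", "alice's notes"),
        2L, new Document(2L, "bob", "bob's notes"));

    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name or hasRole('ADMIN')")
    public Document findById(long id) {
        return store.get(id);
    }
}
```

Two things worth noticing when reading this against the answer's caveat: the A4 protection only exists because `findById` carries the `@PostAuthorize` rule, so every other lookup that returns user-owned data needs the same treatment; and nothing here addresses items the answer does not list (injection, XSS, component patching), which remain the application's job regardless of the framework.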