Notes (alphabetical)
Search to quickly find notes, articles, guides, and resources across the site.
Search to quickly find notes, articles, guides, and resources across the site.
Related pages Sovereign AI
Understanding the Spring Framework Evolution, Risks, and Audit Considerations** History & Evolution Released in 2003 by Rod Johnson as a lightweight alternative to Java EE. (Wikipedia - link) Evolved into a full ecosystem, including Spring Boot (2014) for simplified deployment, Spring Security, and Spring Cloud for microservices. Originally developed by Interface21, later acquired by SpringSource, then VMware. Widely used in enterprise applications, cloud services, and microservices. Audit Questions to Ask What versions of Spring and Spring Boot are in use? Are legacy Spring applications still maintained and patched? Is the team using official support channels, or relying on outdated third-party dependencies? Key Risks for In-House Development Dependency risks – Third-party libraries (e.g., Log4j) can introduce vulnerabilities. Security misconfigurations – Weak Spring Security settings may expose authentication flaws. Excessive complexity – Over-engineered architectures can hinder maintainability. Inconsistent coding practices – Lack of standardisation can create operational risks. Questions to Ask How does the team track and update dependencies? Are security configurations reviewed regularly? Are developers following a consistent architecture and coding standard? Audit & Governance Best Practices Use Software Composition Analysis (SCA) tools to monitor third-party dependencies. Implement secure CI/CD pipelines to enforce security checks before deployment, and maintain audit trail / ability to roll-back. Ensure strong access controls – Proper OAuth2 configurations, API gateways, and authentication reviews. Monitor Spring security advisories and enforce timely patching. Questions to Ask Does the organization use tools like Snyk or OWASP Dependency-Check for vulnerability scanning? Are secure coding practices enforced in CI/CD pipelines? How often are Spring applications tested for security weaknesses?
sqlmap is an open-source tool that is designed to detect SQL injection flaws in web applications. Further reading Top 8 penetration testing tools (Snyk Blog) SQLmap Tutorial (Hacker Target)
SS2/21 Outsourcing and Third Party Risk Management outlines the PRA’s expectations for managing risks associated with outsourcing and third-party arrangements, ensuring compliance, operational resilience, and the identification of key risks that may impact the organization’s internal control environment. (Published on 29 March 2021) Further reading Link to PRA website
The Standard of Good Practice for Information Security (SOGP), developed by the Information Security Forum (ISF), is a comprehensive information security framework that provides best practices and guidance for managing information security risks and ensuring resilient organisations. SOGP has been developed to be in line with similar industry frameworks. Further reading SOGP - ISF SOGP - Wikipedia