$30 off During Our Annual Pro Sale. View Details »

Auth*: Dispelling the Myths

Chris Cornutt
November 09, 2013
Technology
0
82

Auth*: Dispelling the Myths

There's a lot of bad practices and myths floating around about authentication and authorization these days. Using passwords just isn't good enough anymore. Come with me as I explore and dispel some of these common misconceptions and myths about these two important and often misunderstood topics. I'll talk about some of the most common techniques and look forward to tools and options that can help make your applications even more secure.

@ True North PHP 2013

Chris Cornutt

November 09, 2013
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
90
Pentesting for Developers
ccornutt
0
98
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
150
Pieces of Auth
ccornutt
0
280
Securing Legacy Applications
ccornutt
0
310
Build Security In
ccornutt
0
160
Introduction to Slim 3
ccornutt
0
140
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
230

Other Decks in Technology

See All in Technology
プライベートプロダクト戦略 - フロントエンドカンファレンス沖縄 / private_product_frontend
rdlabo
3
2.3k
Kaggle Tokyo Meetup2023 CommonLit Solutionの紹介と考え方 - Fulltrain戦略と(Seed/Model)Ensembleの可視化 -
chumajin
2
580
DMMプラットフォームにおける GKE を利用した プラットフォームエンジニアリングへの 取り組み
pospome
1
150
APIテスト導入から2年。アジャイルな組織で見えてきたmabl活用の道
bengo4com
0
1.9k
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
6
5.1k
FRONTEND CONFERENCE OKINAWA 2023 スポンサーセッション発表スライド/frontend-okinawa
nikkei_engineer_recruiting
1
2.1k
分散型SNS最新状況
kojira
0
180
機械学習システム構築実践ガイド
shibuiwilliam
0
240
走馬灯のIaCは考えておいて
nwiizo
6
3.2k
第21回Ques シフトレフトにおけるシナリオテストの適用事例
moritamasami
1
380
論文紹介: Improving Implicit Feedback-Based Recommendation through Multi-Behavior Alignment(Xin Xin et al., 2023)
hakubishin3
0
160
LINEでのコミュニケーションにマスコットキーホルダーを使ってみる / LINEを使ったLT大会 #5
you
PRO
0
100

Featured

See All Featured
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
17
1.4k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.3k
The Cult of Friendly URLs
andyhume
71
5.4k
Git: the NoSQL Database
bkeepers
PRO
420
62k
Adopting Sorbet at Scale
ufuk
66
8.2k
The Brand Is Dead. Long Live the Brand.
mthomps
48
6.1k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
0
1k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.3k
Reflections from 52 weeks, 52 projects
jeffersonlam
342
19k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
740
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
880
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k

Transcript

  1. AUTH*
    DISPELLING THE MYTHS
    @enygma - True North PHP 2013
    Saturday, November 9, 2013

    View Slide

  2. Saturday, November 9, 2013

    View Slide

  3. AUTHENTICATION
    Saturday, November 9, 2013

    View Slide

  4. ...the act of confirming
    the truth of an attribute
    of a datum or entity
    [and] often involves
    verifying the validity of at
    least one form of
    identification.
    AUTHENTICATION
    source: wikipedia
    Saturday, November 9, 2013

    View Slide

  5. Confirming identity
    A satisfactory “yes” or “no”
    Impossible...in theory
    What about anonymous?
    no, not *that* Anonymous...
    AND...
    Saturday, November 9, 2013

    View Slide

  6. TYPES
    Username/password
    Two-factor
    OpenID Connect
    Biometrics
    Security Question
    Saturday, November 9, 2013

    View Slide

  7. AUTHORIZATION
    Saturday, November 9, 2013

    View Slide

  8. ...is the function of
    specifying access rights to
    resources, which is related
    to information security and
    computer security in general
    and access control in
    particular.
    AUTHORIZATION
    source: wikipedia
    Saturday, November 9, 2013

    View Slide

  9. Principle of Least Privilege
    Coarse vs fine-grained
    Think “rule” not “role”
    AND...
    Saturday, November 9, 2013

    View Slide

  10. TYPES
    Access control lists (ACL)
    Role-based access control (RBAC)
    Attribute-based control
    Policy enforcement
    Discretionary controls
    Mandatory controls
    Saturday, November 9, 2013

    View Slide

  11. MYTH #1
    Multi-factor will keep us safe
    Saturday, November 9, 2013

    View Slide

  12. SILVER BULLETS
    Not a “cure all”
    Yet another hoop
    Different implementations
    Hardware versus Software
    Saturday, November 9, 2013

    View Slide

  13. IT’S GOOD AT...
    Being a backup method,
    not a replacement
    Increasing confidence in users
    Helps with compliance
    Saturday, November 9, 2013

    View Slide

  14. IT’S NOT
    GOOD AT...
    Being the only method
    Preventing out-of-band attacks
    Stopping other attacks
    (ex. SQLi on login)
    Preventing provider (IdP) issues
    Saturday, November 9, 2013

    View Slide

  15. MYTH #2
    It’s just a password, right?
    Saturday, November 9, 2013

    View Slide

  16. PASSWORD
    BALL & CHAIN
    Ancient origins
    Just feels ancient today
    New app? Use a password!
    Password policies
    Saturday, November 9, 2013

    View Slide

  17. WHY
    PASSWORDS SUCK
    Shared across services
    Restrictive policies
    Too much work on “getting it right”
    Users are no good at them
    Cracking hardware is cheap
    Saturday, November 9, 2013

    View Slide

  18. Saturday, November 9, 2013

    View Slide

  19. PASSWORD
    CRACKING
    Offline attack
    Dictionary/guessing
    Brute force
    Key casting
    Cloud services
    ....and password policies
    Saturday, November 9, 2013

    View Slide

  20. Saturday, November 9, 2013

    View Slide

  21. Saturday, November 9, 2013

    View Slide

  22. PASSWORD
    POLICIES
    Number/Lower/Upper/Special
    Reduce repeated characters
    Length > Complexity
    Use slow algorithm
    Salt and hash (at the least)
    Saturday, November 9, 2013

    View Slide

  23. source: xkcd.com/936
    Saturday, November 9, 2013

    View Slide

  24. MYTH #3
    Internal vs Cloud - Epic Battle
    Saturday, November 9, 2013

    View Slide

  25. INTERNAL
    More control
    More traditional options
    Easier to customize
    Hardware costs/infrastructure
    Too many tools
    Less stringent on encryption
    Saturday, November 9, 2013

    View Slide

  26. EXTERNAL
    Standardized auth methods
    Agility & flexibility
    Cost savings
    High encryption/protection
    Less “control”
    Limited to provider options
    Saturday, November 9, 2013

    View Slide

  27. CONNECTING
    SAML (Markup)
    “Vaulted” POST request
    Multi-factor integration
    Federated identity
    Custom API
    Saturday, November 9, 2013

    View Slide

  28. CRITERIA
    Easy integration
    Scalability
    Provisioning integration
    User authentication methods
    Monitoring & management
    Saturday, November 9, 2013

    View Slide

  29. MYTH #4
    The Auth that Wasn’t
    Saturday, November 9, 2013

    View Slide

  30. OWASP Top 10
    A2: Broken Auth/Session
    Management
    A4: Insecure Object References
    A6: Sensitive Data Exposure
    Saturday, November 9, 2013

    View Slide

  31. Bad Practices
    Sending plain-text passwords
    Sensitive data in the URL
    Informative error messages
    No throttling on resets
    or registrations
    or password failures
    Saturday, November 9, 2013

    View Slide

  32. DON’T...
    Obscurity !== Security
    Share logins
    Use default credentials
    Plain-text
    Saturday, November 9, 2013

    View Slide

  33. MYTH #5
    But we have...
    Saturday, November 9, 2013

    View Slide

  34. Integrated systems
    Firewalls
    WAF
    Encryption
    HARD &
    SOFTWARE
    Saturday, November 9, 2013

    View Slide

  35. HAVING
    USING
    and
    are not the same
    Saturday, November 9, 2013

    View Slide

  36. Defense in Depth
    Logging & auditing
    Fail securely
    Least privilege
    PRINCIPLES
    Saturday, November 9, 2013

    View Slide

  37. FIXING AUTH
    Planning for Security
    Saturday, November 9, 2013

    View Slide

  38. Audit of current components
    Gather usage data
    Plan, plan then plan some more
    Easier in hindsight
    REALIGNMENT
    Saturday, November 9, 2013

    View Slide

  39. Think “Subject” not “User”
    Narrowing the options
    Pick the right fit,
    not the shiny one
    Plan for delegation
    LOOK AHEAD
    Saturday, November 9, 2013

    View Slide

  40. More than one level?
    What to protect?
    Is it the same everywhere?
    Policies/procedures
    Reduce the overhead
    IN DEPTH
    Saturday, November 9, 2013

    View Slide

  41. IDENTITY IS
    HARD
    Saturday, November 9, 2013

    View Slide

  42. Questions or comments?
    @enygma
    http://websec.io
    https://joind.in/9986
    THANKS
    Saturday, November 9, 2013

    View Slide