Pieces of Auth

There’s a lot to consider when it comes to the authentication and authorization methods your site uses. Let me guide you through some of the major (and minor) decisions you’ll need to make and how to find the right fit for your needs. Topics covered will include both traditional and advanced authentication methods, access control systems, credential storage and effective logging practices to help identify threats as they happen.

Chris Cornutt

May 25, 2017
Transcript

  1. Pieces of Auth Chris Cornutt - @enygma

  2. Thanks to our Sponsors! PHP[TEK] 2017

  3. Current State

  4. Current State Evaluation
     - Risk assessment
     - What controls are in place now? Are they working? Are they even used?
     - Define the users of your system

  5. Current State Evaluation
     - Modeling (application and services)
     - Compliance requirements (home and abroad)
     - Data storage locations
     - Policies and procedures
  6. Authentication

  7. Authentication Defined
     "The act of confirming the truth of an attribute of a single piece of data (a datum) claimed true by an entity. In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing's identity, authentication is the process of actually confirming that identity." -Wikipedia

  8. Authentication Methods
     - Credential based (username/password, etc)
     - One-time use codes
     - Third-party services
     - Federated identity (OAuth)
     - Certificate based

  9. Authentication questions
     - What is the minimum you need?
     - Should you implement multi-factor? (protip: yes)
     - HTTPS all the things
     - Am I preventing brute force attacks?
     - What is your password policy?

  10. Passwords bringing the pain
     - Why won't you die…
     - People are terrible at passwords
     - Password policies
     - Single point of failure
     - Password reuse
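The following is an added example, not code from the talk or its author, that puts slides 8 to 10 into working PHP: credential-based login with a per-account brute-force lockout, a one-time code (RFC 6238 TOTP) as a second factor, and password hashes that are upgraded transparently when the default algorithm or cost changes. The `$users` and `$attempts` arrays, the lockout numbers and the shared TOTP secret are constructed stand-ins for what would normally live in a database.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk): credential login with a brute-force
// lockout, a TOTP second factor, and transparent hash upgrades.
// $users and $attempts are constructed in-memory stand-ins for DB tables.

const MAX_FAILURES    = 5;    // failures before the account is locked
const LOCKOUT_SECONDS = 900;  // 15 minutes
const TOTP_STEP       = 30;   // RFC 6238 time step in seconds

// RFC 6238 TOTP (HMAC-SHA1, 6 digits); $secret is the raw shared key.
function totp(string $secret, int $time, int $digits = 6): string
{
    $counter = pack('J', intdiv($time, TOTP_STEP));      // 64-bit big-endian counter
    $mac     = hash_hmac('sha1', $counter, $secret, true);
    $offset  = ord($mac[19]) & 0x0f;                     // dynamic truncation (RFC 4226)
    $code    = ((ord($mac[$offset]) & 0x7f) << 24)
             | (ord($mac[$offset + 1]) << 16)
             | (ord($mac[$offset + 2]) << 8)
             |  ord($mac[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Accept the current step and one step either side to absorb clock drift.
function verifyTotp(string $secret, string $code, int $now): bool
{
    foreach ([-1, 0, 1] as $drift) {
        if (hash_equals(totp($secret, $now + $drift * TOTP_STEP), $code)) {
            return true;
        }
    }
    return false;
}

// Constructed user store: password hashed at signup with the current default.
$users = [
    'alice' => [
        'hash'   => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        'secret' => '12345678901234567890',   // constructed TOTP key; encrypt at rest in real systems
    ],
];
$attempts = [];   // username => ['count' => int, 'locked_until' => int]

function isLocked(array $attempts, string $user, int $now): bool
{
    return ($attempts[$user]['locked_until'] ?? 0) > $now;
}

function recordFailure(array &$attempts, string $user, int $now): void
{
    $a = $attempts[$user] ?? ['count' => 0, 'locked_until' => 0];
    if (++$a['count'] >= MAX_FAILURES) {
        $a = ['count' => 0, 'locked_until' => $now + LOCKOUT_SECONDS];
    }
    $attempts[$user] = $a;
}

function login(array &$users, array &$attempts, string $user, string $password, string $code, int $now): string
{
    if (isLocked($attempts, $user, $now)) {
        return 'locked';
    }
    // Unknown accounts are verified against a dummy hash so response time
    // does not reveal whether the username exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $known = isset($users[$user]);
    $hash  = $known ? $users[$user]['hash'] : $dummy;
    $ok    = password_verify($password, $hash) && $known
          && verifyTotp($users[$user]['secret'], $code, $now);
    if (!$ok) {
        recordFailure($attempts, $user, $now);
        return 'denied';
    }
    unset($attempts[$user]);
    // Upgrade the stored hash if the default algorithm or cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$user]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return 'ok';
}

// Usage: five wrong guesses lock the account, so even the right password
// and a fresh code are refused until the lockout has expired.
$now = time();
foreach (['a', 'b', 'c', 'd', 'e'] as $guess) {
    echo login($users, $attempts, 'alice', $guess, '000000', $now), PHP_EOL;
}
echo login($users, $attempts, 'alice', 'correct horse battery staple',
           totp($users['alice']['secret'], $now), $now), PHP_EOL;
$later = $now + LOCKOUT_SECONDS + 1;
echo login($users, $attempts, 'alice', 'correct horse battery staple',
           totp($users['alice']['secret'], $later), $later), PHP_EOL;
```

Two design points worth noting. The password is checked before the code and both failures feed the same counter, so an attacker cannot use the second factor to enumerate valid passwords at unlimited speed. The per-account lockout is deliberately short: a permanent lockout turns a brute-force tool into a denial-of-service tool against your own users, so pair it with per-IP throttling and alerting rather than making it longer.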
  11. Authorization

  12. Authorization Defined
     "The function of specifying access rights to resources related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define an access policy. For example, human resources staff is normally authorized to access employee records and this policy is usually formalized as access control rules in a computer system." -Wikipedia

  13. Authorization Methods
     - Permissions
     - Roles
     - Access Control List
     - Role Based Access Control
     - Properties/Policies

  14. Authorization in detail
     - On the OWASP Top 10
     - Quickly becomes complex
     - Multiple layers
     - Multiple types

  15. Authorization in detail
     - Resource access allowed?
     - Data access allowed?
     - Action access allowed?
     - Does environment matter?

  16. Authorization questions
     - What is the minimum you need?
     - Where are the highest risk areas?
     - Is it user controllable? (admin=true)
     - Does it rely on "hidden" functionality?
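The following is an added example, not code from the talk or its author, that works through slides 13 to 16 in PHP: the `admin=true` anti-pattern next to a server-side policy that answers all four "in detail" questions (resource, data, action, environment) with role-based permissions and deny by default. The role table, the corporate network range, the principals and the employee records are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk): server-side authorization combining
// roles, a data-ownership rule and an environment rule, with deny by
// default. Role table, users and CIDR range are constructed.

// The anti-pattern from the slide: a request parameter decides privilege,
// so any client can simply send admin=true.
function isAdminVulnerable(array $request): bool
{
    return ($request['admin'] ?? '') === 'true';
}

const ROLE_PERMISSIONS = [
    'staff' => ['employee:read-self'],
    'hr'    => ['employee:read', 'employee:update'],
    'admin' => ['employee:read', 'employee:update', 'employee:delete'],
];
const CORPORATE_CIDRS = ['10.0.0.0/8'];   // constructed: where destructive actions are allowed

// Flatten the authenticated user's roles (loaded server-side, never from the
// request) into a permission set.
function permissionsFor(array $user): array
{
    $perms = [];
    foreach ($user['roles'] as $role) {
        foreach (ROLE_PERMISSIONS[$role] ?? [] as $p) {
            $perms[$p] = true;
        }
    }
    return $perms;
}

function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false;                            // malformed address: treat as outside
    }
    $mask = (0xFFFFFFFF << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === (ip2long($net) & $mask);
}

// Resource, data, action and environment checks from the slide, in one place.
function authorize(array $user, string $action, array $resource, array $env): bool
{
    // Resource rule: the permission namespace must match the resource type.
    if (strpos($action, $resource['type'] . ':') !== 0) {
        return false;
    }
    $perms = permissionsFor($user);

    // Data rule: read-self permits reading only the caller's own record.
    if ($action === 'employee:read'
        && isset($perms['employee:read-self'])
        && $resource['owner'] === $user['id']) {
        return true;
    }
    // Action rule: no matching permission means no (deny by default).
    if (!isset($perms[$action])) {
        return false;
    }
    // Environment rule: deletes only from the corporate network.
    if ($action === 'employee:delete') {
        foreach (CORPORATE_CIDRS as $cidr) {
            if (ipInCidr($env['ip'], $cidr)) {
                return true;
            }
        }
        return false;
    }
    return true;
}

// Usage with constructed principals and constructed employee records.
$bob    = ['id' => 'bob',   'roles' => ['staff']];
$alice  = ['id' => 'alice', 'roles' => ['hr']];
$root   = ['id' => 'root',  'roles' => ['admin']];
$record = ['type' => 'employee', 'id' => 42, 'owner' => 'bob'];
$other  = ['type' => 'employee', 'id' => 43, 'owner' => 'carol'];
$inside  = ['ip' => '10.1.2.3'];
$outside = ['ip' => '203.0.113.9'];

var_dump(isAdminVulnerable(['admin' => 'true']));
var_dump(authorize($bob,   'employee:read',   $record, $inside));
var_dump(authorize($bob,   'employee:read',   $other,  $inside));
var_dump(authorize($bob,   'employee:update', $record, $inside));
var_dump(authorize($alice, 'employee:delete', $record, $inside));
var_dump(authorize($root,  'employee:delete', $record, $inside));
var_dump(authorize($root,  'employee:delete', $record, $outside));
```

The useful check here is the order of the rules: the data-level "read-self" exception is evaluated before the general permission lookup, and everything that is not explicitly allowed falls through to a deny. Keeping every decision inside one `authorize()` function is also what makes "hidden" functionality impossible to rely on: if a URL is not guarded by this call, it is not guarded at all.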
  17. Session Management

  18. Session Management in detail
     - Information about the current user
     - Session ID entropy/hash (php.ini setting)
     - Cookie protection (HTTPOnly, Secure flag, etc)
     - Recycle on permission change

  19. Session Management questions
     - What information is safe to store?
     - Should I encrypt the contents?
     - When should it timeout?
     - Am I protecting from session fixation?
     - Should it be one user at a time or allow multiple?
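The following is an added example, not code from the talk or its author, showing a session bootstrap for a PHP front controller that covers slides 18 and 19: strong session IDs, cookie protection, a fixation defence, an idle timeout, and ID recycling on login or privilege change. The `ini_set()` calls set the same directives you would put in php.ini; the timeout value, the stored fields and the user record are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk): a hardened session bootstrap for a
// front controller. The ini_set() calls mirror the php.ini directives named
// on the slide; the timeout value and stored fields are assumptions.

const IDLE_TIMEOUT = 900;   // seconds of inactivity before the session dies

function startHardenedSession(): void
{
    // Session ID entropy. PHP 7.1 replaced session.entropy_length and
    // session.hash_function with these two: 48 characters at 6 bits each
    // gives a 288-bit identifier.
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    // Refuse IDs the server never issued (the core fixation defence) and
    // never read the ID from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    // Cookie protection: not readable by script, HTTPS only, and not sent on
    // cross-site navigations (session.cookie_samesite needs PHP 7.3+).
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');

    session_start();

    // Idle timeout: an unused session is destroyed and a fresh one started,
    // so the old ID is worthless even if it was captured.
    $now = time();
    if (isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > IDLE_TIMEOUT) {
        destroySession();
        session_start();
    }
    $_SESSION['last_seen'] = $now;
}

// Remove the server-side data and expire the client's cookie.
function destroySession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Call after login and after any privilege change. Recycling the ID means an
// attacker who planted or learned the pre-login ID gets nothing from it.
function bindSessionToUser(array $userRecord): void
{
    session_regenerate_id(true);                  // true: discard the old session data
    $_SESSION['user_id'] = $userRecord['id'];     // store an identifier, not the user object
    $_SESSION['roles']   = $userRecord['roles'];  // reload and rebind when roles change
    $_SESSION['auth_at'] = time();
}

// Usage in a front controller, with a constructed user record standing in
// for the result of a successful login.
startHardenedSession();
if (!isset($_SESSION['user_id'])) {
    bindSessionToUser(['id' => 42, 'roles' => ['staff']]);
}
```

On the "what is safe to store" question: the session holds a user identifier and the roles that were valid at login, never the password hash, card data or anything that would need encrypting. If the server-side store itself is not trusted (a shared cache, a third-party session backend), that is the point at which to encrypt the serialized session rather than individual fields. For the "one user at a time" question, recording `auth_at` per session is what lets you list and revoke a user's other sessions on password change.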
  20. Log All The Things

  21. Log All The Things in detail
     - Flying blind without it
     - Fine balance between too much and not enough
     - Let alerting help (thresholds)
     - Graphs never hurt
     - NEVER log sensitive data

  22. Log All The Things questions
     - What's important to log in our system?
     - What data should be included?
     - Should I use a third-party service?
     - How can I protect my logs?
     - How long should I keep my logs? (compliance)
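The following is an added example, not code from the talk or its author, for slides 21 and 22: a structured auth-event logger that strips credentials before they reach the log, and a threshold check that reads those lines back and raises an alert when one source produces too many login failures in a short window. The field names, the list of redacted keys, the threshold and the sample events are all constructed.

```php
<?php
declare(strict_types=1);

// Added example (not from the talk): structured auth-event logging that
// redacts secrets before they reach the log, plus a threshold check that
// turns the resulting lines into an alert. Field names, the key list and
// the sample events are constructed.

const REDACT_KEYS = ['password', 'passwd', 'token', 'otp', 'secret', 'authorization', 'cookie'];

// Replace any field whose name looks like a credential, recursively.
function redact(array $fields): array
{
    foreach ($fields as $key => $value) {
        if (in_array(strtolower((string)$key), REDACT_KEYS, true)) {
            $fields[$key] = '[REDACTED]';
        } elseif (is_array($value)) {
            $fields[$key] = redact($value);
        }
    }
    return $fields;
}

// One JSON line per event: timestamp, event name, then the redacted context.
function authLogLine(string $event, array $fields, int $ts): string
{
    $record = ['ts' => gmdate('c', $ts), 'event' => $event] + redact($fields);
    return json_encode($record, JSON_UNESCAPED_SLASHES);
}

// Alert when one source IP produces $threshold login failures inside any
// $window-second span. The count of distinct accounts it touched separates
// a forgotten password from password spraying.
function failureAlerts(array $lines, int $threshold, int $window): array
{
    $byIp = [];
    foreach ($lines as $line) {
        $r = json_decode($line, true);
        if (!is_array($r) || ($r['event'] ?? null) !== 'login.failure') {
            continue;
        }
        $byIp[$r['ip']]['times'][] = strtotime($r['ts']);
        $byIp[$r['ip']]['users'][$r['user']] = true;
    }
    $alerts = [];
    foreach ($byIp as $ip => $data) {
        $times = $data['times'];
        sort($times);
        for ($i = 0, $n = count($times); $i + $threshold - 1 < $n; $i++) {
            if ($times[$i + $threshold - 1] - $times[$i] <= $window) {
                $alerts[$ip] = ['failures' => $n, 'accounts' => count($data['users'])];
                break;
            }
        }
    }
    return $alerts;
}

// Constructed sample: one source cycling through accounts every five
// seconds, and one genuine user mistyping once.
$base  = 1495670400;   // arbitrary epoch seconds
$lines = [];
foreach (['alice', 'bob', 'carol', 'dave', 'erin', 'frank'] as $i => $user) {
    $lines[] = authLogLine('login.failure',
        ['user' => $user, 'ip' => '203.0.113.7', 'password' => 'Spring2017!'], $base + $i * 5);
}
$lines[] = authLogLine('login.failure',
    ['user' => 'grace', 'ip' => '198.51.100.2', 'password' => 'oops'], $base + 10);
$lines[] = authLogLine('login.success',
    ['user' => 'grace', 'ip' => '198.51.100.2', 'token' => 'abc'], $base + 20);

echo $lines[0], PHP_EOL;
print_r(failureAlerts($lines, 5, 60));
```

Redaction happens in the logger rather than at each call site because a single forgotten `var_export($_POST)` is how passwords end up in log files and then in a third-party log service. The threshold check keys on the source address and counts distinct accounts so that the alert text answers the first question an analyst asks: is this one user, or one attacker against many users?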
  23. A Comprehensive Strategy
     The worst thing you can do for your application is create a fragmented authentication and authorization solution. Define your needs, lay out a plan and stick with it. Auth flaws can be some of the most dangerous and difficult to find.
  24. Thanks! Chris Cornutt @enygma https://websec.io