Pieces of Auth

There’s a lot to consider when it comes to the authentication and authorization methods your site uses. Let me guide you through some of the major (and minor) decisions you’ll need to make and how to find the right fit for your needs. Topics covered will include both traditional and advanced authentication methods, access control systems, credential storage and effective logging practices to help identify threats as they happen.

Chris Cornutt

May 25, 2017
Transcript

  1. Pieces of Auth
    Chris Cornutt - @enygma

  2. Thanks to our Sponsors!
    PHP[TEK] 2017

  3. Current State

  4. Current State
    Evaluation
    Risk assessment
    What controls are in place now?
    Are they working?
    Are they even used?
    Define the users of your system

  5. Current State
    Evaluation
    Modeling (application and services)
    Compliance requirements (home and abroad)
    Data storage locations
    Policies and procedures

  6. Authentication

  7. Authentication
    Defined
    The act of confirming the truth of an attribute of a single
    piece of data (a datum) claimed true by an entity. In
    contrast with identification, which refers to the act of
    stating or otherwise indicating a claim purportedly
    attesting to a person or thing's identity, authentication is
    the process of actually confirming that identity.
    -Wikipedia

  8. Authentication
    Methods
    Credential based (username/password, etc.)
    One-time use codes
    Third-party services
    Federated identity (OAuth)
    Certificate based

  9. Authentication
    questions
    What is the minimum you need?
    Should you implement multi-factor? (protip: yes)
    HTTPS all the things
    Am I preventing brute force attacks?
    What is your password policy?

  10. Passwords
    bringing the pain
    Why won’t you die…
    People are terrible at passwords
    Password policies
    Single point of failure
    Password reuse

  11. Authorization

  12. Authorization
    Defined
    The function of specifying access rights to resources
    related to information security and computer security in
    general and to access control in particular. More formally,
    "to authorize" is to define an access policy. For example,
    human resources staff is normally authorized to access
    employee records and this policy is usually formalized as
    access control rules in a computer system.
    -Wikipedia

  13. Authorization
    Methods
    Permissions
    Roles
    Access Control List
    Role Based Access Control
    Properties/Policies

  14. Authorization
    in detail
    On the OWASP Top 10
    Quickly becomes complex
    Multiple layers
    Multiple types

  15. Authorization
    in detail
    Resource access allowed?
    Data access allowed?
    Action access allowed?
    Does environment matter?

  16. Authorization
    questions
    What is the minimum you need?
    Where are the highest risk areas?
    Is it user controllable? (admin=true)
    Does it rely on “hidden” functionality?

  17. Session Management

  18. Session Management
    in detail
    Information about the current user
    Session ID entropy/hash (php.ini setting)
    Cookie protection (HttpOnly, Secure flag, etc.)
    Recycle on permission change

  19. Session Management
    questions
    What information is safe to store?
    Should I encrypt the contents?
    When should it timeout?
    Am I protecting from session fixation?
    Should it be one user at a time or allow multiple?
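    The session controls from slides 18 and 19 (ID entropy, cookie flags, regeneration on permission change, fixation defence, idle timeout) put together in one PHP bootstrap. This is an added example, not code from the deck or from the speaker; the function names and the 15-minute idle limit are assumptions, and the array form of session_set_cookie_params needs PHP 7.3 or newer.

```php
<?php
// Added example (not from the deck): session hardening for a PHP application.
// Function names and the idle limit are hypothetical choices, not the speaker's.
declare(strict_types=1);

const SESSION_IDLE_SECONDS = 900; // assumption: 15 minutes without a request ends the session

function startHardenedSession(): void
{
    // Reject IDs the server never issued, so an attacker-chosen ID cannot be fixated on a victim
    ini_set('session.use_strict_mode', '1');
    // Only ever read the ID from the cookie, never from the URL
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Session ID entropy (php.ini settings, PHP >= 7.1): 48 chars, 6 bits each = 288 bits
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    // Cookie protection: unreadable by script, HTTPS only, not sent on cross-site requests
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie; the real timeout is enforced server-side below
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',  // PHP >= 7.3
    ]);
    session_start();

    // Idle timeout checked on the server: a client-side cookie lifetime alone is not a control
    $now = time();
    if (isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > SESSION_IDLE_SECONDS) {
        session_unset();               // drop the user data
        session_regenerate_id(true);   // and the old ID, deleting its storage
    }
    $_SESSION['last_seen'] = $now;
}

// Call on every permission change (login, role change, elevation): a fresh ID means a
// pre-login session that an attacker may know cannot carry over into the privileged one.
function onPermissionChange(array $identity): void
{
    session_regenerate_id(true);  // true = destroy the old session storage, not just the ID
    $_SESSION['user'] = $identity;
    $_SESSION['last_seen'] = time();
}

// Logout: clear data, kill the server-side session and expire the cookie
function endSession(): void
{
    session_unset();
    session_destroy();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/', 'secure' => true, 'httponly' => true]);
}
```

    All ini_set calls and session_set_cookie_params must run before session_start, or they have no effect on the session being opened.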

  20. Log All The Things

  21. Log All The Things
    in detail
    Flying blind without it
    Fine balance between too much and not enough
    Let alerting help (thresholds)
    Graphs never hurt
    NEVER log sensitive data

  22. Log All The Things
    questions
    What’s important to log in our system?
    What data should be included?
    Should I use a third-party service?
    How can I protect my logs?
    How long should I keep my logs? (compliance)

  23. A Comprehensive Strategy
    The worst thing you can do for your application is
    create a fragmented authentication and
    authorization solution.
    Define your needs, lay out a plan and stick with
    it. Auth flaws can be some of the most
    dangerous and difficult to find.

  24. Thanks!
    Chris Cornutt
    @enygma
    https://websec.io