
Pieces of Auth


There’s a lot to consider when it comes to the authentication and authorization methods your site uses. Let me guide you through some of the major (and minor) decisions you’ll need to make and how to find the right fit for your needs. Topics covered will include both traditional and advanced authentication methods, access control systems, credential storage and effective logging practices to help identify threats as they happen.

Chris Cornutt

May 25, 2017



1. Current State Evaluation
   - Risk assessment
   - What controls are in place now? Are they working? Are they even used?
   - Define the users of your system
2. Current State Evaluation
   - Modeling (application and services)
   - Compliance requirements (home and abroad)
   - Data storage locations
   - Policies and procedures
3. Authentication Defined
   "The act of confirming the truth of an attribute of a single piece of data (a datum) claimed true by an entity. In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing's identity, authentication is the process of actually confirming that identity." -Wikipedia
4. Authentication questions
   - What is the minimum you need?
   - Should you implement multi-factor? (protip: yes)
   - HTTPS all the things
   - Am I preventing brute force attacks?
   - What is your password policy?
5. Passwords bringing the pain
   - Why won’t you die…
   - People are terrible at passwords
   - Password policies
   - Single point of failure
   - Password reuse
6. Authorization Defined
   "The function of specifying access rights to resources related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define an access policy. For example, human resources staff is normally authorized to access employee records and this policy is usually formalized as access control rules in a computer system." -Wikipedia
7. Authorization in detail
   - On the OWASP Top 10
   - Quickly becomes complex
   - Multiple layers
   - Multiple types
8. Authorization questions
   - What is the minimum you need?
   - Where are the highest risk areas?
   - Is it user controllable? (admin=true)
   - Does it rely on “hidden” functionality?
9. Session Management in detail
   - Information about the current user
   - Session ID entropy/hash (php.ini setting)
   - Cookie protection (HTTPOnly, Secure flag, etc.)
   - Recycle on permission change
10. Session Management questions
    - What information is safe to store?
    - Should I encrypt the contents?
    - When should it timeout?
    - Am I protecting from session fixation?
    - Should it be one user at a time or allow multiple?
11. Log All The Things in detail
    - Flying blind without it
    - Fine balance between too much and not enough
    - Let alerting help (thresholds)
    - Graphs never hurt
    - NEVER log sensitive data
12. Log All The Things questions
    - What’s important to log in our system?
    - What data should be included?
    - Should I use a third-party service?
    - How can I protect my logs?
    - How long should I keep my logs? (compliance)
13. A Comprehensive Strategy
    The worst thing you can do for your application is create a fragmented authentication and authorization solution. Define your needs, lay out a plan and stick with it. Auth flaws can be some of the most dangerous and difficult to find.
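The session hardening the two Session Management slides ask for (ID entropy, cookie flags, fixation protection, idle timeout, recycling the ID on permission change), as an added PHP example that is not part of the deck. The ini directives are real PHP session settings; login_user() and elevate_privileges() are hypothetical application hooks and the 15-minute timeout is a constructed value.

```php
<?php
// Added example, not from the deck: PHP session hardening. Directive names
// are real php.ini settings (sid_length/sid_bits_per_character need PHP 7.1+,
// cookie_samesite PHP 7.3+); the app-level functions below are hypothetical.
const IDLE_TIMEOUT_SECONDS = 900; // constructed value: 15 minutes

function configure_secure_session(): void
{
    // Session ID entropy: 48 characters x 6 bits = 288 bits of ID space
    // (successor to the removed session.entropy_length/hash_function).
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');
    // Refuse IDs the server never issued: blocks classic session fixation.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID only from the cookie, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');
    // Cookie protection: hidden from JS, HTTPS-only, not sent cross-site.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Strict');
    session_start();
}

// Server-side idle timeout; the cookie alone cannot be trusted to expire.
function enforce_idle_timeout(): void
{
    $last = $_SESSION['last_activity'] ?? time();
    if (time() - $last > IDLE_TIMEOUT_SECONDS) {
        session_unset();                // drop the stale user data
        session_regenerate_id(true);    // and the stale ID
    }
    $_SESSION['last_activity'] = time();
}

// Recycle the ID whenever the principal or its permissions change, so an
// ID captured before the change grants nothing afterwards.
function login_user(int $userId, array $roles): void
{
    session_regenerate_id(true);        // true = delete the old session data
    $_SESSION['user_id'] = $userId;
    $_SESSION['roles'] = $roles;
    $_SESSION['last_activity'] = time();
}

function elevate_privileges(string $newRole): void
{
    session_regenerate_id(true);
    $_SESSION['roles'][] = $newRole;
}
```

Call configure_secure_session() followed by enforce_idle_timeout() at the start of every request, before any user data is read from $_SESSION.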