• Team: Ninja Unicorns • Community admin (Slack & Forum) • I maintain the StripeSlackBot (It’s on BitBucket, FOSS) • That’s Python , SilverStripe 4 & Solr • Author of MFA modules for SilverStripe 3 & 4 • Cat owner • Hans the cow is my mascotte • I have a zoo on my desk • Scarily obsessed with security • Also Solr and search in general • LEGO! • Born Dutch (expect cursing) • Originator and former organizer of StripeCon EU • I wonder how much I can fit on a single slide • Yes, this is on purpose • Bribable with Whisk(e)y, beer or LEGO That’s me ➡ Although, I’m standing right over here, if you hadn’t noticed. That’s my cat, Marika ⬇ That’s Hans ➡ The zoo ⬇ ⬅ Apollo 13 Saturn V LEGO rocket!
works, don’t change it • Not always is a full rewrite of things necessary • There are bits and bobs that can be reused • But, refactoring to improve things is a good thing Simon `Firesphere` Erkelens | 2018
change it • Not modular • Hooking in to the process required a lot of copy-pasting • 3rd party login was a PITA • Don’t even get me started on MFA implementation • Rigid flow • Tightly coupled between Member and Authentication • It was part of the main track, not a side track Simon `Firesphere` Erkelens | 2018
is important • Not modular • A single flow through Security • A “God controller” that does everything • Single point of failure • Hooking in to the process required a lot of copy-pasting • 3rd party login was a PITA • Don’t even get me started on MFA implementation • Rigid flow • Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018
paste should not be a “best solution” • Not modular • Hooking in to the process required a lot of copy-pasting • Ever tried to register your own login controller? • Or extended Security with so much of duplicate code it made you sick? • Yeah, “God class” • 3rd party login was a PITA • Don’t even get me started on MFA implementation • Rigid flow • Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018
party integrations were painful • Not modular • Hooking in to the process required a lot of copy-pasting • 3rd party login was a PITA • Have a look at the ActiveDirectory module • I rest my case • Don’t even get me started on MFA implementation • Rigid flow • Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018
a hacky copy-paste • Not modular • Hooking in to the process required a lot of copy-pasting • 3rd party login was a PITA • Don’t even get me started on MFA implementation • Copy paste all the things! • Register even more things! • It literally requires intercepting the construction of the Form • Best practices are for wussies, right? • Rigid flow • Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018
should not be rigid • Not modular • Hooking in to the process required a lot of copy-pasting • 3rd party login was a PITA • Don’t even get me started on MFA implementation • Rigid flow • The start point and endpoint and everything in between was the same Controller • The API was not designed for flexible implementations • Low maintenance at high cost • Unsafe to extend means a security breach is imminent • Tightly coupled between Member and Authentication Simon `Firesphere` Erkelens | 2018
like being chained down • Not modular • Hooking in to the process required a lot of copy-pasting • 3rd party login was a PITA • Don’t even get me started on MFA implementation • Rigid flow • Tightly coupled between Member and Authentication • Member logged itself in • Ever heard of someone going to a secure building and shout “I BELONG HERE” and be accepted? • No actual authenticator that operated independently • No separation of concerns, Security and Member did everything Simon `Firesphere` Erkelens | 2018
be a lot easier to ask what didn’t change • Member doesn’t have the ability to log in anymore • Security does, but it’s for the current request only • Abstracts and Interfaces supply the necessary methods to implement • Handlers are sub-controllers to handle the request • Authenticators handle the authentication • IdentityStore is where the user is “stored” after authentication • Security only provides the controller wrapper around the forms • Each step has extension points to hook in your own flow • These are of limited scope, to prevent security breaches* Simon `Firesphere` Erkelens | 2018
You will be breached. If not today, it’ll be tomorrow • Preparing for the worst is better than hoping for the best • We do our best to provide a safe authentication flow • Most breaches are due to bad practices by (in no particular order): • SysOps • DevOps • Software Engineers • Clients • End users • CMS Users • Bad password practices • Not using a password manager Simon `Firesphere` Erkelens | 2018
social engineering Social engineering is still very easy. Even if your target knows it’ll happen, even inviting people to try it, and this is a security expert!
need it But my site is low profile Why would/should I care • One size does fit all • Just a in a more modular way than it used to be • Your site’s profile does not mean security should be less • You have a lock on your door, right? • Never ever treat security as a side product of your work • The safety and security of your end user’s life may depend on it • I’m not joking • Really, it matters. Have you seen the Facebook breach? • Your effort into securing your site should be “a lot”, not “I want quick and easy” Simon `Firesphere` Erkelens | 2018
is low profile Why would/should I care • Your site may be low profile • But what if the CMS user reuses it’s password everywhere? • One hack elsewhere may lead to CMS access • Have fun removing that shitty bitcoin JS miner from your site! • Or even domain hijacking • Use a password manager (I’ll get to that later) • BitWarden • 1Password • LastPass • Also, https! (I’ll get to that later too) Simon `Firesphere` Erkelens | 2018
to use authentication 101 • Log in with a local account • Injector::inst()->get(IdentityStore::class)->logIn($member) • So many words, can it be shorter? • IdentityStore::singleton()->logIn($member) • Even shorter please? I liked Member::logIn()! • No. Separation of concerns • Okay, maybe you could alias it, if you really want to Simon `Firesphere` Erkelens | 2018
checks if user is indeed who it claims it is • Hands off to IdentityStore • IdentityStore handles the setting of cookies/sessions etc. • For example, SessionAuthenticationHandler • The user is now logged in • Return the user to the authenticator Simon `Firesphere` Erkelens | 2018
public function authenticateRequest (HTTPRequest $request) { // If ID is a bad ID it will be treated as if the user is not logged in, // rather than throwing a ValidationException $id = $request->getSession()->get($this->getSessionVariable ()); if (!$id) { return null; } /** @var Member $member */ $member = Member::get()->byID($id); return $member; } Simon `Firesphere` Erkelens | 2018
implement What has changed • Your IdentityStore can login based on • Database/LDAP/SAML/GitHub/Google/Microsoft/Whatever • Preferably via a Provider, that is • A Store handles the storage of authenticated users • An Authenticator handles the authentication of users • A Provider handles the external communication of userdata • Middleware handles the internal communication of userdata Simon `Firesphere` Erkelens | 2018
logins It can be done without hacky stuff! • User logs in with a third party • Third party supplies the necessary details • A custom IdentityStore is required for storing the details • Possibly in Session, or by re-requesting from the third party • Injector::inst()->get(IdentityStore::class)->logIn($userData) • The user is now logged in Simon `Firesphere` Erkelens | 2018 Tesla approves ➡
(theoretical) howto • IdentityStore is the storage of the login • Session token • 3rd party token • User information • It is not an authority however • Controller => RequestHandler => Authenticator {=> Provider} => Store => Handler • The Handler sets everything up for the Controller Simon `Firesphere` Erkelens | 2018
a provider • Provider provides the link between SilverStripe and GitHub • Providing the link • Not authorising anything, just giving the link • Gives the 3rd party response back to the authenticator • Is not an authenticator or authority Simon `Firesphere` Erkelens | 2018
Authenticator • Authenticator does the checks • Is the response from GitHub genuine • Is the response from GitHub valid • Validate the user has the correct access permissions • If it all comes together correctly, execute the login procedure Simon `Firesphere` Erkelens | 2018
IdentityStore • IdentityStore holds the login state • Contains the information of the user for each request • Has the lifetime of the login • Does not persist beyond session or cookie • Logs the user in and returns the resulting shadow copy* Simon `Firesphere` Erkelens | 2018
copy, okay? • * You said no shadow copy! • I did, but this shadow copy is non-persistence • No data stored on SilverStripe side • A Member object should be returned for ease of use Simon `Firesphere` Erkelens | 2018
all • Controller inner workings now that the user exists • Allow access to closed data • Let the user possibly edit local profiles • Hook in to the provider to get more details • Know the user exists • FOR A SINGLE REQUEST Simon `Firesphere` Erkelens | 2018
MiddleWare is what does the actual validation for each request • MiddleWare checks if the user is valid with the Authenticator • Not the controller • MiddleWare logs the user in for the current request • Okay, not really, IdentityStore does that, but I guess you understand Simon `Firesphere` Erkelens | 2018
a token which can be used as a replacement for ID’s • You do need to write your own relational pointers though • Downside is, without a persistent shadow copy, public information is anonymous Simon `Firesphere` Erkelens | 2018
good, it’s not that hard • Store local data indefinitely without confirming it’s still valid • Use given permissions or data to spam • Ask for excessive permissions • Why do you need write access to the twitter feed? • Or DM’s, you really need that? • Abuse given rights to the 3rd party application • E.g. make unwanted pushes to GitHub • Share secret keys • Just generally, be good Simon `Firesphere` Erkelens | 2018
approach • See the code difference for the following repositories: • firesphere/silverstripe-bootstrapmfa • firesphere/silverstripe-bootstrap3mfa • The amount of effort that goes into adding a second step is massive for SS3 • The amount of effort for SS4 is more about streamlining the process Simon `Firesphere` Erkelens | 2018
A modular approach • We care, a lot actually • But the framework doesn’t care about where the authentication happens • Simply put, if the Authenticator returns a valid member, all is good • If it’s null, we are not logged in • If you don’t take the token… you’re doing it wrong I guess • But seriously, the token is what you need Simon `Firesphere` Erkelens | 2018
gives credentials (passport, username/password, etc.) Simon `Firesphere` Erkelens | 2018 Middleware (Security guard) • Thanks, let’s check Authenticator (Frontdesk employee) • I’ll ask our security provider for the data (Or I check the database) Provider (Computer which talks to the backend system) • Here’s the data Authenticator • Yeah, all good, the data matches the person OR • Yeah, nah, not gonna happen mate!
can do Other security measures Passwords, HTTPS, etc. • OWASP • Password managers • HTTPS • Password rules • Multi Factor Authentication Simon `Firesphere` Erkelens | 2018
Project • Their Top 10 of vulnerability risks is a good place to start • Juice Shop project • Zed Attack Proxy • And a lot more! Simon `Firesphere` Erkelens | 2018
• Explain to your client why • Explain the benefits • DO NOT EVER disable pasting of passwords in password fields • Suggest them to your client, here are a few: • BitWarden (My favourite, I’m not being paid to say this) • 1Password • LastPass Simon `Firesphere` Erkelens | 2018
for “Secure Connection” • Try visiting an http site on hotel wifi and compare it to https • See screenshots on next slide • Let’s Encrypt • CertBot, ACME2, Secure updates… Let’s Encrypt • Don’t go EV, never go EV • Seriously, it’s a waste of money nowadays • Keep your certificates up to date • CertBot does that for you • Register as HSTS • Force HTTPS across your entire site • Show your clients Troy Hunt’s demo if they are not sure Simon `Firesphere` Erkelens | 2018
little bit • Check new passwords against known breaches • firesphere/silverstripe-haveibeenpwnd • Block known breached passwords • Doesn’t matter if it wasn’t a breach from your site • Don’t reuse your passwords • Don’t expire passwords Simon `Firesphere` Erkelens | 2018
it • Users will hate you for it • Until they see how their CMS account credentials are suddenly used on their banking without them knowing • The process of SilverStripe supported modules has been started • Give it a little bit of time, okay? Simon `Firesphere` Erkelens | 2018
firesphere
morinota
opelab
wakatsuki
gidajun
lmi
huffon
ar_tama
mixi_engineers
saichan11
tomoki10
hacket
jonrohan
jonyablonski
panda_program
tammyeverts
revolveconf
notwaldorf
jeffersonlam
mclloyd
colly
aki_iinuma
quramy
iamctodd
![Thank you! @Firesphere https://github.com/Firesphere [email protected] https://speakerdeck.com/firesphere https://casa-laguna.net](https://files.speakerdeck.com/presentations/fd1d0aa2b5474948bb4855b83dd4c911/slide_63.jpg){kind=link}
