OWASP Application Gateway - Abstract

Transcript

1. OWASP Application Gateway Abstract (Not presentation slides) GitHub: gianlucafrei/Application-Gateway

2. OWASP Application Gateway is an HTTP reverse proxy that sits

   between your web application and the client and handles Oauth2 login and session management. For you, as a developer, OAG removes the hassle to implement complicated login logic in the backend and frontend so you can focus totally on your application's logic.

3. Main Features • Session Management with absolute or rolling session

   timeouts • Downstream authentication with JWT token • CSRF protection per default • Request tracing with W3C header • Login with OIDC and GitHub (easy to add more)

4. Design Principles Secure by default The default settings help to

   build secure architectures with a zero-trust approach. The out-of-the-box features are designed to be hard to misuse. Stateless Architecture A stateless architecture facilitates seamless horizontal scaling for performance or redundancy. Inter-node communication is reduced to a minimum, for this support for fast in-memory databases is planned. Configuration Based All behaviour is configured as code in a central configuration file, allowing central management of the configuration in a code repository and automatic deployments via CI/CD.

5. Stateless Session Management OAG stores the user session in an

   encrypted session cookie and replaces it with a stateless JWT token. All of this is cached for better performance. Note: There is a local/distributed blacklist of invalidated token for server side logout.

6. Internal Architecture Event Driven Networking Enables high performance with many

   concurrent requests and backpressure with processing delay Built to be extended It's effortless to add your additional functionality. The Java Spring stack makes it very easy to add your own functionality, which can be picked up via Spring beans.

7. Internal Architecture

8. Current State • OWASP Application Gateway is still work-in-progress •

   First productive version is expected to be released around summer/fall 2021 • Latest version v0.4 contains all features presented in this abstract except downstream authentication

9. Project Team Project Co-Leaders: Patrick Steger Co-Lead of the OWASP

   Switzerland Chapter Experienced security architect [email protected] Gian-Luca Frei Security engineer and security tester with experience in large scale online banking systems and health applications [email protected] Call for Contributors: We are always looking for new input to the project. If you are interessted please don’t hesitate to contact one of the leaders

10. See More: GitHub: https://github.com/gianlucafrei/Application- Gateway OWASP Website: https://owasp.org/www-project- application-gateway/