
OWASP Application Gateway - Abstract


OWASP Application Gateway (OAG) is an HTTP reverse proxy that sits between the client and your web application and handles OAuth2 login and session management. For you, as a developer, OAG removes the hassle of implementing complicated login logic in the backend and frontend, so you can focus entirely on your application's own logic.


gianlucafrei

April 06, 2021

Transcript

  1. OWASP Application Gateway Abstract (Not presentation slides) GitHub: gianlucafrei/Application-Gateway

  2. OWASP Application Gateway is an HTTP reverse proxy that sits between the client and your web application and handles OAuth2 login and session management. For you, as a developer, OAG removes the hassle of implementing complicated login logic in the backend and frontend, so you can focus entirely on your application's own logic.
  3. Main Features
     • Session management with absolute or rolling session timeouts
     • Downstream authentication with a JWT token
     • CSRF protection by default
     • Request tracing with the W3C Trace Context header
     • Login with OIDC and GitHub (easy to add more providers)
  4. Design Principles
     • Secure by default: the default settings help to build secure architectures with a zero-trust approach. The out-of-the-box features are designed to be hard to misuse.
     • Stateless architecture: a stateless architecture allows seamless horizontal scaling for performance or redundancy. Inter-node communication is kept to a minimum; for the little shared state that remains, support for fast in-memory databases is planned.
     • Configuration based: all behaviour is configured as code in a central configuration file, allowing central management of the configuration in a code repository and automatic deployments via CI/CD.
  5. Stateless Session Management
     OAG stores the user session in an encrypted session cookie and, for requests forwarded to the backend, replaces it with a stateless JWT token. Both are cached for better performance. Note: a local or distributed blacklist of invalidated tokens provides server-side logout; this blacklist is the one piece of state that must be shared between gateway nodes.
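The mechanism of slides 3 and 5 (an encrypted cookie that needs no server-side store, absolute and rolling timeouts, and a logout blacklist) as an added example, not OAG's own code: it is written in Go rather than OAG's Java/Spring stack, the `Session` field layout, the error values and the map-based blacklist are assumptions made for this illustration, and AES-GCM is chosen here as the authenticated encryption; the slides do not name the algorithm OAG uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Session is the state carried inside the encrypted cookie. The field layout
// is an assumption made for this example, not OAG's real cookie format.
type Session struct {
	ID           string    `json:"id"`  // random per-login id; the key for the logout blacklist
	Subject      string    `json:"sub"` // user identity from the identity provider
	Provider     string    `json:"idp"` // login provider used (oidc, github, ...)
	IssuedAt     time.Time `json:"iat"` // login time: start of the absolute timeout window
	LastActivity time.Time `json:"act"` // last request: start of the rolling timeout window
}

// SessionCodec seals and opens cookies with AES-GCM, so any gateway node that
// holds the same key can validate a cookie without a shared session store.
type SessionCodec struct {
	aead           cipher.AEAD
	absoluteMax    time.Duration // hard limit measured from login
	rollingTimeout time.Duration // idle limit measured from the last request
}

func NewSessionCodec(key []byte, absoluteMax, rollingTimeout time.Duration) (*SessionCodec, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SessionCodec{aead: aead, absoluteMax: absoluteMax, rollingTimeout: rollingTimeout}, nil
}

var (
	ErrInvalid = errors.New("session cookie missing, malformed or tampered")
	ErrExpired = errors.New("session expired")
	ErrRevoked = errors.New("session revoked by logout")
)

// Seal serialises the session and encrypts it. A fresh random nonce is
// prepended to the ciphertext; the GCM tag makes the cookie tamper-evident.
func (c *SessionCodec) Seal(s Session) (string, error) {
	plaintext, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(c.aead.Seal(nonce, nonce, plaintext, nil)), nil
}

// Open decrypts and validates a cookie at time now. It checks, in order,
// integrity, the absolute and rolling timeouts and the logout blacklist, then
// returns the session plus a refreshed cookie whose LastActivity is now
// (this refresh is what makes the timeout "rolling").
func (c *SessionCodec) Open(cookie string, now time.Time, revoked map[string]bool) (Session, string, error) {
	var none Session
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	n := c.aead.NonceSize()
	if err != nil || len(raw) < n {
		return none, "", ErrInvalid
	}
	plaintext, err := c.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return none, "", ErrInvalid // wrong key, flipped bit or truncated tag
	}
	var s Session
	if err := json.Unmarshal(plaintext, &s); err != nil {
		return none, "", ErrInvalid
	}
	if now.Sub(s.IssuedAt) > c.absoluteMax || now.Sub(s.LastActivity) > c.rollingTimeout {
		return none, "", ErrExpired
	}
	if revoked[s.ID] { // the blacklist is the only state shared between nodes
		return none, "", ErrRevoked
	}
	s.LastActivity = now
	refreshed, err := c.Seal(s)
	if err != nil {
		return none, "", err
	}
	return s, refreshed, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	codec, err := NewSessionCodec(key, 8*time.Hour, 30*time.Minute)
	if err != nil {
		panic(err)
	}
	login := time.Now()
	cookie, _ := codec.Seal(Session{ID: "s-1", Subject: "alice", Provider: "oidc", IssuedAt: login, LastActivity: login})
	_, _, err = codec.Open(cookie, login.Add(10*time.Minute), nil)
	fmt.Println("10 min later:", err) // <nil>
	_, _, err = codec.Open(cookie, login.Add(31*time.Minute), nil)
	fmt.Println("31 min idle:", err) // session expired
	_, _, err = codec.Open(cookie, login.Add(10*time.Minute), map[string]bool{"s-1": true})
	fmt.Println("after logout:", err) // session revoked by logout
}
```

Because the cookie is self-authenticating, a second gateway node can accept it with nothing but the shared key; only the revocation check needs the blacklist that slide 5 describes, which is why it is the one thing a horizontally scaled deployment has to replicate.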
  6. Internal Architecture
     • Event-driven networking: enables high performance with many concurrent requests and applies backpressure when processing is delayed.
     • Built to be extended: the Java Spring stack makes it easy to add your own functionality, which is picked up via Spring beans.
  7. Internal Architecture

  8. Current State
     • OWASP Application Gateway is still work in progress
     • The first production-ready version is expected around summer/fall 2021
     • The latest version, v0.4, contains all features presented in this abstract except downstream authentication
  9. Project Team
     Project Co-Leaders:
     • Patrick Steger, Co-Lead of the OWASP Switzerland Chapter, experienced security architect, padi.steger@owasp.org
     • Gian-Luca Frei, security engineer and security tester with experience in large-scale online banking systems and health applications, gian-luca.frei@owasp.org
     Call for Contributors: We are always looking for new input to the project. If you are interested, please don't hesitate to contact one of the leaders.
  10. See More
     • GitHub: https://github.com/gianlucafrei/Application-Gateway
     • OWASP Website: https://owasp.org/www-project-application-gateway/