Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Devnexus 2022

Transcript

1. Lock That Sh*t Down! Auth Security Patterns for Apps, APIs,

   and Infra Brian Demers and Matt Raible @briandemers / @mraible April 13, 2022

2. @briandemers / @mraible Who are we? Brian Demers Open Source

   Developer and Java Champion Fun facts: likes to snowboard; into 🐝 @bdemers Matt Raible Open Source Developer and Java Champion Fun facts: likes to ski; into classic VWs ✌ @mraible

3. @briandemers / @mraible Today's Agenda What is Auth? AuthN vs

   AuthZ 01 App Auth Security Patterns Web, SPA, Mobile 02 API Auth Security Patterns Tokens, OAuth, Secrets 03 Infra Auth Security Patterns Linux, SSH, Docker, Kubernetes 04 Action! How to implement these patterns 05 @briandemers / @mraible

4. @briandemers / @mraible 01 What is Auth? @briandemers / @mraible

5. @briandemers / @mraible Soooo ... Why should you care? @briandemers

   / @mraible

6. A brief history of Auth @briandemers / @mraible 60s: First

   Password 1977: RSA 1994: SSL 2006: SAML 2.0 2012: OAuth 2.0 2014: OIDC 2017: PKCE

7. @briandemers / @mraible Developer Personas App Developer Frontend Developer Mobile

   App Developer Web Developer API Developer Java Developer Backend Developer Probably likes tests DevOps System Administrator Deployer Operations Monitoring Security Concerned Consultant Paranoid Geek Security over performance @briandemers / @mraible

8. @briandemers / @mraible 02 App Auth Security Patterns @briandemers /

   @mraible

9. @briandemers / @mraible Web vs SPA vs Mobile App @briandemers

   / @mraible

10. @briandemers / @mraible HTTP Basic Authentication @briandemers / @mraible

11. @briandemers / @mraible Form-based Authentication @briandemers / @mraible

12. CHALLENGE SOLUTION @briandemers / @mraible SAML @briandemers / @mraible SAML

    is to OIDC as SOAP is to REST. -Joël Franusic (@jf)

13. @briandemers / @mraible JWT Authentication @briandemers / @mraible

14. @briandemers / @mraible @briandemers / @mraible Why JWTs Suck as

    Session Tokens - @rdegges on developer.okta.com, 2017 What do we do about JWT? - Security. Cryptography. Whatever. podcast, 2021

15. @briandemers / @mraible OpenID Connect (OIDC) for Auth @briandemers /

    @mraible Identity Provider 🔒Verify

16. @briandemers / @mraible Multi-Factor Authentication (MFA) @briandemers / @mraible

17. @briandemers / @mraible Multi-Factor Authentication (MFA) @briandemers / @mraible

18. Passwordless password Password1 Password1! We like to think we know

    what we are talking about, at least Okta hasn't fired us yet… @briandemers / @mraible

19. @briandemers / @mraible SAML ⭐ ⭐ App Auth Security Patterns

    HTTP Basic ⭐ Embedded Auth ⭐ OpenID Connect ⭐ ⭐ ⭐ ⭐ MFA ⭐ ⭐ ⭐ ⭐ ⭐ Passwordless ⭐ ⭐ ⭐ ⭐ ⭐ JWT Auth ⭐ ⭐ @briandemers / @mraible

20. @briandemers / @mraible App Auth Security Patterns Tired Wired Apps

    handling passwords Stateless to scale OAuth Implicit Flow Sensitive data in URL Let someone else worry about it Sessions are tried and true OAuth Auth Code with PKCE Use headers or the body @briandemers / @mraible

21. @briandemers / @mraible 03 API Auth Security Patterns @briandemers /

    @mraible

22. @briandemers / @mraible HTTP Basic @briandemers / @mraible spring: cloud:

    config: fail-fast: true retry: initial-interval: 1000 max-interval: 2000 max-attempts: 100 uri: http://admin:${jhipster.registry.password}@localhost:8761/config # name of the config server's property source (file.yml) that we want to use name: store profile: prod # profile(s) of the property source label: main # toggle to switch to a different version stored in git jhipster: registry: password: admin

23. @briandemers / @mraible Tokens @briandemers / @mraible $20

24. @briandemers / @mraible OAuth 2.0 @briandemers / @mraible https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

25. @briandemers / @mraible OAuth 2.0 @briandemers / @mraible

26. @briandemers / @mraible OAuth 2.0 @briandemers / @mraible

27. @briandemers / @mraible OAuth 2.1 @briandemers / @mraible https://oauth.net/2.1 Authorization

    Code + PKCE Client Credentials Device Grant

28. @briandemers / @mraible OAuth Client Credentials @briandemers / @mraible

29. @briandemers / @mraible API Gateway API Gateway App App App

    /dogs /cats /fish @briandemers / @mraible { Rest } Client

30. @briandemers / @mraible Use API SDKs @briandemers / @mraible

31. @briandemers / @mraible Encrypt and Rotate Secrets @briandemers / @mraible

32. @briandemers / @mraible RBAC and ACLs @briandemers / @mraible Groups

    Admin User Help Desk Privilege Record : Read Record : Create Record : Update Record : Delete Users

33. @briandemers / @mraible OAuth 2.1 ⭐ ⭐ ⭐ ⭐ ⭐

    API Auth Security Patterns HTTP Basic ⭐ ⭐ Tokens ⭐ ⭐ ⭐ API SDKs ⭐ ⭐ ⭐ ⭐ Encrypt Secrets ⭐ ⭐ ⭐ ⭐ ⭐ RBAC and ACLs ⭐ ⭐ ⭐ ⭐ ⭐ API Gateway ⭐ ⭐ ⭐ ⭐ ⭐ @briandemers / @mraible

34. @briandemers / @mraible API Auth Security Patterns Tired Wired Build

    it yourself Static API Tokens CORS wildcard Use existing libraries Short lived access tokens Restrict access with CORS @briandemers / @mraible

35. @briandemers / @mraible 04 Infra Auth Security Patterns @briandemers /

    @mraible

36. CHALLENGE SOLUTION @briandemers / @mraible Linux @briandemers / @mraible Software

    is Automation and Automation is less toil. - Mark Shuttleworth Canonical CEO Larry Ewing

37. @briandemers / @mraible SSH with Keys @briandemers / @mraible https://www.ssh.com/academy/ssh/protocol

38. Certificates CC BY 3.0: EFF.org @briandemers / @mraible

39. @briandemers / @mraible @briandemers / @mraible SSO for Servers https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam

    Active Directory Pluggable Authentication Modules (PAM) for Linux Okta's Advanced Server Access https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam

40. Scan Docker Images @briandemers / @mraible

41. @briandemers / @mraible Know Your Cloud and Cluster Security @briandemers

    / @mraible https://twitter.com/acloudguru/status/1344724013122260993

42. @briandemers / @mraible The 4C's of Cloud Native Security https://kubernetes.io/docs/concepts/security/overview/

    @briandemers / @mraible

43. @briandemers / @mraible Kubernetes Tips Kubernetes Tips Only expose what

    needs to be public Scan and update Kubernetes YAML Check out Kubescape https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes @briandemers / @mraible

44. @briandemers / @mraible Encrypt Kubernetes Secrets @briandemers / @mraible apiVersion:

    v1 kind: Secret metadata: name: registry-secret namespace: demo type: Opaque data: registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64 encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"

45. @briandemers / @mraible Automation is Key @briandemers / @mraible WSJ

46. @briandemers / @mraible @briandemers / @mraible

47. @briandemers / @mraible Certificates ⭐ ⭐ ⭐ ⭐ Infra Auth

    Security Patterns Linux ⭐ ⭐ ⭐ ⭐ ⭐ SSH with Keys ⭐ ⭐ ⭐ Scan Docker Images ⭐ ⭐ ⭐ ⭐ ⭐ Encrypt K8s Secrets ⭐ ⭐ ⭐ ⭐ ⭐ Automate Your Infra ⭐ ⭐ ⭐ ⭐ ⭐ SSO for Servers ⭐ ⭐ ⭐ ⭐ ⭐ @briandemers / @mraible

48. @briandemers / @mraible Infra Auth Security Patterns Tired Wired FROM:

    some-large-image:1.2.3 Secrets in Images Shared Credentials Use minimal images HashiCorp Vault Limit Access @briandemers / @mraible

49. @briandemers / @mraible 05 Action! @briandemers / @mraible

50. @briandemers / @mraible Action How to codify these patterns? @briandemers

    / @mraible spring security

51. @briandemers / @mraible Action How to test for lack of

    patterns? @briandemers / @mraible https://implicitdetector.io Audit Server Access

52. @briandemers / @mraible Action How to test for vulnerabilities? @briandemers

    / @mraible

53. @briandemers / @mraible What about ? @briandemers / @mraible

54. The OWASP Top 10 really hasn’t changed all that much

    in the last ten years. -Johnny Xmas (@J0hnnyXm4s) @briandemers / @mraible

55. @briandemers / @mraible developer.okta.com/blog @oktadev @briandemers / @mraible

56. @briandemers / @mraible Thanks! Brian Demers @briandemers @bdemers @bdemers [email protected]

    Matt Raible @mraible @mraible @mraible [email protected] https://speakerdeck.com/mraible

57. developer.okta.com