
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Devnexus 2022

In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.

The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open-source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?

If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!

Matt Raible

April 13, 2022

Transcript

  1. Lock That Sh*t Down!
    Auth Security Patterns for Apps, APIs, and Infra
    Brian Demers and Matt Raible
    @briandemers / @mraible
    April 13, 2022

  2. Who are we?
    Brian Demers: Open Source Developer and Java Champion. Fun facts: likes to snowboard; into 🐝. @bdemers
    Matt Raible: Open Source Developer and Java Champion. Fun facts: likes to ski; into classic VWs ✌. @mraible

  3. Today's Agenda
    01 What is Auth? (AuthN vs AuthZ)
    02 App Auth Security Patterns (Web, SPA, Mobile)
    03 API Auth Security Patterns (Tokens, OAuth, Secrets)
    04 Infra Auth Security Patterns (Linux, SSH, Docker, Kubernetes)
    05 Action! (How to implement these patterns)

  4. 01 What is Auth?

  5. Soooo ... Why should you care?

  6. A brief history of Auth
    60s: First Password
    1977: RSA
    1994: SSL
    2006: SAML 2.0
    2012: OAuth 2.0
    2014: OIDC
    2017: PKCE

  7. Developer Personas
    App Developer: Frontend Developer, Mobile App Developer, Web Developer
    API Developer: Java Developer, Backend Developer, Probably likes tests
    DevOps: System Administrator, Deployer, Operations, Monitoring
    Security: Concerned Consultant, Paranoid Geek, Security over performance

  8. 02 App Auth Security Patterns

  9. Web vs SPA vs Mobile App

  10. HTTP Basic Authentication

  11. Form-based Authentication

  12. SAML
    "SAML is to OIDC as SOAP is to REST." - Joël Franusic (@jf)

  13. JWT Authentication

  14. Why JWTs Suck as Session Tokens - @rdegges on developer.okta.com, 2017
    What do we do about JWT? - Security. Cryptography. Whatever. podcast, 2021

  15. OpenID Connect (OIDC) for Auth
    (diagram: Identity Provider, 🔒 Verify)

  16. Multi-Factor Authentication (MFA)

  17. Multi-Factor Authentication (MFA)

  18. Passwordless
    password, Password1, Password1!
    We like to think we know what we are talking about, at least Okta hasn't fired us yet…

  19. App Auth Security Patterns
    SAML ⭐ ⭐
    HTTP Basic
    Embedded Auth
    OpenID Connect ⭐ ⭐ ⭐ ⭐
    MFA ⭐ ⭐ ⭐ ⭐ ⭐
    Passwordless ⭐ ⭐ ⭐ ⭐ ⭐
    JWT Auth ⭐ ⭐

  20. App Auth Security Patterns
    Tired | Wired
    Apps handling passwords | Let someone else worry about it
    Stateless to scale | Sessions are tried and true
    OAuth Implicit Flow | OAuth Auth Code with PKCE
    Sensitive data in URL | Use headers or the body

  21. 03 API Auth Security Patterns

  22. HTTP Basic
    spring:
      cloud:
        config:
          fail-fast: true
          retry:
            initial-interval: 1000
            max-interval: 2000
            max-attempts: 100
          uri: http://admin:${jhipster.registry.password}@localhost:8761/config
          # name of the config server's property source (file.yml) that we want to use
          name: store
          profile: prod # profile(s) of the property source
          label: main # toggle to switch to a different version stored in git
    jhipster:
      registry:
        password: admin

  23. Tokens

  24. OAuth 2.0
    https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

  25. OAuth 2.0

  26. OAuth 2.0

  27. OAuth 2.1
    https://oauth.net/2.1
    Authorization Code + PKCE
    Client Credentials
    Device Grant
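
Slides 20 and 27 both name Authorization Code + PKCE as the replacement for the Implicit flow. The Python below is an added example, not code from the deck, from Okta, or from any OAuth library, showing the one thing PKCE adds to the code flow: the client keeps a random code_verifier to itself, sends only its SHA-256 code_challenge on the front-channel authorization request, and the authorization server refuses to exchange the authorization code unless the same verifier is presented on the back channel. The AuthorizationServer class is a hypothetical in-memory stand-in for a real server, and the client id, code format and token shape are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy random string that never leaves the client.
    32 random bytes give 43 base64url characters (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: the only PKCE value sent on the front channel."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory authorization server (this example's own, not a product)."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Front channel: issue an authorization code bound to the challenge."""
        if method != "S256":
            raise ValueError("only S256 accepted; OAuth 2.1 drops the 'plain' method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Back channel: exchange the code, but only for the party holding the verifier.
        The code is consumed on the first attempt, successful or not, so a leaked
        code cannot be retried once any exchange has been tried."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return None  # unknown, expired or already-used code
        bound_client, expected_challenge = entry
        if bound_client != client_id:
            return None  # code was issued to a different client
        if not hmac.compare_digest(make_code_challenge(code_verifier), expected_challenge):
            return None  # verifier does not hash to the challenge sent earlier
        # Constructed token shape: short-lived, as slide 34 recommends.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 300}


def pkce_round_trip(server: AuthorizationServer, client_id: str) -> bool:
    """Complete flow for one client; True when a token is issued."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    return server.token(client_id, code, verifier) is not None


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("legitimate client gets a token:", pkce_round_trip(srv, "spa-client"))
```

The server-side check is what matters: because the challenge is a one-way hash, anyone who only observed the front-channel request (or the redirect carrying the code) holds nothing that hashes to it, and the constant-time comparison plus single-use codes keep the exchange from being guessed or replayed.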

  28. OAuth Client Credentials

  29. API Gateway
    (diagram: { Rest } Client -> API Gateway -> App /dogs, App /cats, App /fish)

  30. Use API SDKs

  31. Encrypt and Rotate Secrets

  32. RBAC and ACLs
    Groups: Admin, User, Help Desk
    Privileges: Record : Read, Record : Create, Record : Update, Record : Delete
    Users

  33. API Auth Security Patterns
    OAuth 2.1 ⭐ ⭐ ⭐ ⭐ ⭐
    HTTP Basic ⭐ ⭐
    Tokens ⭐ ⭐ ⭐
    API SDKs ⭐ ⭐ ⭐ ⭐
    Encrypt Secrets ⭐ ⭐ ⭐ ⭐ ⭐
    RBAC and ACLs ⭐ ⭐ ⭐ ⭐ ⭐
    API Gateway ⭐ ⭐ ⭐ ⭐ ⭐

  34. API Auth Security Patterns
    Tired | Wired
    Build it yourself | Use existing libraries
    Static API Tokens | Short lived access tokens
    CORS wildcard | Restrict access with CORS

  35. 04 Infra Auth Security Patterns

  36. Linux
    "Software is Automation and Automation is less toil." - Mark Shuttleworth, Canonical CEO
    Image credit: Larry Ewing

  37. SSH with Keys
    https://www.ssh.com/academy/ssh/protocol

  38. Certificates
    Image: CC BY 3.0, EFF.org

  39. SSO for Servers
    Active Directory
    Pluggable Authentication Modules (PAM) for Linux
    Okta's Advanced Server Access
    https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam

  40. Scan Docker Images

  41. Know Your Cloud and Cluster Security
    https://twitter.com/acloudguru/status/1344724013122260993

  42. The 4C's of Cloud Native Security
    https://kubernetes.io/docs/concepts/security/overview/

  43. Kubernetes Tips
    Only expose what needs to be public
    Scan and update Kubernetes YAML
    Check out Kubescape
    https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes

  44. Encrypt Kubernetes Secrets
    apiVersion: v1
    kind: Secret
    metadata:
      name: registry-secret
      namespace: demo
    type: Opaque
    data:
      registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64 encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"
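
Slide 22 shows a config file with an HTTP Basic password embedded in a URL and its literal value a few lines further down, and slide 44 shows a Kubernetes Secret whose data: values are merely base64 encoded. The Python below is an added example, not from the deck or from any of the tools it mentions, of a small pre-commit style checker a defender can run over such files: it flags credentials inside URL authorities, flags literal values under secret-looking keys while skipping ${...} placeholders, and decodes Secret data: entries to make the point that base64 is encoding, not encryption. The two sample documents are copies of the slide content, embedded here as constructed strings (the Spring one abbreviated); the regexes and function names are this example's own.

```python
import base64
import binascii
import re

# Sample 1: abbreviated copy of the Spring Cloud Config bootstrap shown on slide 22.
SPRING_CONFIG = """\
spring:
  cloud:
    config:
      fail-fast: true
      uri: http://admin:${jhipster.registry.password}@localhost:8761/config
      name: store
      profile: prod
jhipster:
  registry:
    password: admin
"""

# Sample 2: copy of the Kubernetes Secret shown on slide 44.
K8S_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: registry-secret
  namespace: demo
type: Opaque
data:
  registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4
"""

# scheme://user:secret@host -- credentials in a URL authority leak into logs,
# shell history, crash reports and config repositories.
URL_CRED_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://([^\s/:@]+):([^\s/@]+)@")

# key: value (or key=value) where the key name suggests it holds a secret.
SECRET_KEY_RE = re.compile(
    r"^\s*([\w.\-]*(?:password|passwd|secret|token|api[-_]?key)[\w.\-]*)\s*[:=]\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def find_url_credentials(text):
    """Return (user, secret) pairs embedded in URL authorities."""
    return [(m.group(1), m.group(2)) for m in URL_CRED_RE.finditer(text)]


def find_literal_secrets(text):
    """Return (key, value) for secret-looking keys whose value is a literal.
    ${...} placeholders are resolved from elsewhere, so they are not literals."""
    hits = []
    for m in SECRET_KEY_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        if value.startswith("${"):
            continue
        hits.append((key, value))
    return hits


def decode_k8s_secret_data(manifest):
    """Decode every entry in the data: block of a Kubernetes Secret.
    Line-based on purpose so the example needs no YAML library; entries that
    are not valid base64 (or not UTF-8 text) map to None."""
    decoded = {}
    in_data = False
    for line in manifest.splitlines():
        if line.rstrip() == "data:":
            in_data = True
            continue
        if in_data:
            m = re.match(r"^\s+([\w.\-]+):\s*(\S+)", line)
            if not m:
                in_data = False
                continue
            try:
                decoded[m.group(1)] = base64.b64decode(m.group(2), validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                decoded[m.group(1)] = None
    return decoded


def scan(text):
    """Run all checks over one document and return human-readable findings."""
    findings = []
    for user, secret in find_url_credentials(text):
        findings.append(f"credential in URL: user={user!r} secret={secret!r}")
    for key, value in find_literal_secrets(text):
        findings.append(f"literal secret under key {key!r}: {value!r}")
    if "kind: Secret" in text:
        for key, plain in decode_k8s_secret_data(text).items():
            findings.append(f"Secret data {key!r} decodes to {plain!r} (base64 is not encryption)")
    return findings


if __name__ == "__main__":
    for doc in (SPRING_CONFIG, K8S_SECRET):
        for finding in scan(doc):
            print(finding)
```

On the slide 22 sample the checker reports the admin credential in the config server URI and the literal `password: admin` beneath it; on the slide 44 sample it reports the base64 value and its decoded UUID, which is why the slide's advice is to encrypt Secrets at rest (or keep them in a vault) rather than rely on the encoding.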

  45. Automation is Key
    Image credit: WSJ

  46. (image only, no text)

  47. Infra Auth Security Patterns
    Certificates ⭐ ⭐ ⭐ ⭐
    Linux ⭐ ⭐ ⭐ ⭐ ⭐
    SSH with Keys ⭐ ⭐ ⭐
    Scan Docker Images ⭐ ⭐ ⭐ ⭐ ⭐
    Encrypt K8s Secrets ⭐ ⭐ ⭐ ⭐ ⭐
    Automate Your Infra ⭐ ⭐ ⭐ ⭐ ⭐
    SSO for Servers ⭐ ⭐ ⭐ ⭐ ⭐

  48. Infra Auth Security Patterns
    Tired | Wired
    FROM: some-large-image:1.2.3 | Use minimal images
    Secrets in Images | HashiCorp Vault
    Shared Credentials | Limit Access

  49. 05 Action!

  50. Action: How to codify these patterns?
    Spring Security

  51. Action: How to test for lack of patterns?
    https://implicitdetector.io
    Audit Server Access

  52. Action: How to test for vulnerabilities?

  53. What about ?

  54. "The OWASP Top 10 really hasn't changed all that much in the last ten years." - Johnny Xmas (@J0hnnyXm4s)

  55. developer.okta.com/blog
    @oktadev

  56. Thanks!
    Brian Demers: @briandemers, @bdemers, [email protected]
    Matt Raible: @mraible, [email protected]
    https://speakerdeck.com/mraible

  57. developer.okta.com