Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Devnexus 2022

In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.

The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open-source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?

If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!

Matt Raible
April 13, 2022

Transcript

1. Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra. Brian Demers and Matt Raible, @briandemers / @mraible, April 13, 2022

2. Who are we? Brian Demers: Open Source Developer and Java Champion. Fun facts: likes to snowboard; into 🐝. @bdemers. Matt Raible: Open Source Developer and Java Champion. Fun facts: likes to ski; into classic VWs ✌. @mraible

3. Today's Agenda: 01 What is Auth? (AuthN vs AuthZ); 02 App Auth Security Patterns (Web, SPA, Mobile); 03 API Auth Security Patterns (Tokens, OAuth, Secrets); 04 Infra Auth Security Patterns (Linux, SSH, Docker, Kubernetes); 05 Action! (How to implement these patterns)

4. 01 What is Auth?

5. Soooo ... Why should you care?

6. A brief history of Auth: 60s: first password; 1977: RSA; 1994: SSL; 2005: SAML 2.0; 2012: OAuth 2.0; 2014: OIDC; 2015: PKCE (RFC 7636)

7. Developer Personas: App Developer (Frontend Developer, Mobile App Developer, Web Developer); API Developer (Java Developer, Backend Developer; probably likes tests); DevOps (System Administrator, Deployer, Operations, Monitoring); Security Concerned (Consultant, Paranoid Geek; security over performance)

8. 02 App Auth Security Patterns

9. Web vs SPA vs Mobile App

10. HTTP Basic Authentication

11. Form-based Authentication

12. SAML. "SAML is to OIDC as SOAP is to REST." -Joël Franusic (@jf)

13. JWT Authentication

14. "Why JWTs Suck as Session Tokens" - @rdegges on developer.okta.com, 2017. "What do we do about JWT?" - Security. Cryptography. Whatever. podcast, 2021
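
The two references on slide 14 argue that a JWT makes a poor session token because nothing in the token itself can be withdrawn before exp. The Python below is an added example, not code from the deck or from Okta: a minimal HS256 verifier that pins the algorithm, checks the signature in constant time and requires exp, then shows that a logout still needs a server-side revocation list keyed on jti, which is exactly the state a JWT session was supposed to remove. The key, claims, timestamps and the jti value are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: a real deployment reads this from a secret store, never from source.
DEMO_KEY = b"constructed-example-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT. `claims` is expected to carry exp and a unique jti."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify(token: str, now: float, key: bytes = DEMO_KEY,
           revoked: frozenset = frozenset()) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: the verifier decides what "alg" is, not the token.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Without exp the token lives forever; a short exp is the only built-in kill switch.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    # Logout before exp needs server-side state (a revocation list), the article's point.
    if claims.get("jti") in revoked:
        raise ValueError("revoked")
    return claims


def _accepted(token: str, now: float, revoked: frozenset = frozenset()) -> bool:
    try:
        verify(token, now, revoked=revoked)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run the verifier against the usual failure modes; every input is constructed."""
    now = 1_700_000_000
    token = issue({"sub": "alice", "jti": "sess-1", "exp": now + 300})
    header_b64, payload_b64, sig_b64 = token.split(".")

    # Attacker keeps the valid signature but swaps the payload.
    forged = _b64url_encode(json.dumps({"sub": "admin", "jti": "sess-1", "exp": now + 300}).encode())
    tampered = f"{header_b64}.{forged}.{sig_b64}"

    # Classic "alg": "none" downgrade with an empty signature.
    none_header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    alg_none = f"{none_header}.{payload_b64}."

    return {
        "valid": _accepted(token, now),
        "tampered": _accepted(tampered, now),
        "alg_none": _accepted(alg_none, now),
        "expired": _accepted(token, now + 300),
        "after_logout": _accepted(token, now, revoked=frozenset({"sess-1"})),
    }


if __name__ == "__main__":
    print(demo())
```

The revoked set is the catch: once you keep it, every request does a lookup anyway, so a plain opaque session id in a server-side store gives the same revocability with a smaller attack surface. Keep JWTs for short-lived, cross-service bearer tokens and let exp do the work.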
15. OpenID Connect (OIDC) for Auth (diagram: Identity Provider, 🔒 Verify)

16. Multi-Factor Authentication (MFA)

17. Multi-Factor Authentication (MFA)

18. Passwordless (password, Password1, Password1!). We like to think we know what we are talking about, at least Okta hasn't fired us yet…

19. App Auth Security Patterns, rated: HTTP Basic ⭐; Embedded Auth ⭐; SAML ⭐ ⭐; JWT Auth ⭐ ⭐; OpenID Connect ⭐ ⭐ ⭐ ⭐; MFA ⭐ ⭐ ⭐ ⭐ ⭐; Passwordless ⭐ ⭐ ⭐ ⭐ ⭐

20. App Auth Security Patterns, Tired vs Wired: apps handling passwords -> let someone else worry about it; stateless to scale -> sessions are tried and true; OAuth Implicit Flow -> OAuth Auth Code with PKCE; sensitive data in URL -> use headers or the body

21. 03 API Auth Security Patterns

22. HTTP Basic (example: a Spring Cloud Config client with basic-auth credentials in the server URI)

    spring:
      cloud:
        config:
          fail-fast: true
          retry:
            initial-interval: 1000
            max-interval: 2000
            max-attempts: 100
          uri: http://admin:${jhipster.registry.password}@localhost:8761/config
          # name of the config server's property source (file.yml) that we want to use
          name: store
          profile: prod # profile(s) of the property source
          label: main # toggle to switch to a different version stored in git

    jhipster:
      registry:
        password: admin

23. Tokens $20

24. OAuth 2.0 https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

25. OAuth 2.0

26. OAuth 2.0

27. OAuth 2.1 https://oauth.net/2.1 : Authorization Code + PKCE; Client Credentials; Device Grant
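
Slide 20 moves from the Implicit Flow to Authorization Code with PKCE, and slide 27 lists that grant as the OAuth 2.1 baseline. The Python below is an added example, not code from the deck or from any OAuth library: it builds the code_verifier and S256 code_challenge as RFC 7636 defines them and models the authorization server side far enough to show why a code intercepted on the redirect is useless to an attacker and why a redeemed code cannot be replayed. The client id, redirect URI and the in-memory AuthorizationServer class are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unpadded base64url chars, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """In-memory sketch (constructed) of the server side of the code grant with PKCE."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        # OAuth 2.1 drops the "plain" method; accept only S256.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (code_challenge, client_id, redirect_uri)
        return code  # travels back through the browser, where it can be intercepted

    def token(self, code: str, code_verifier: str, client_id: str,
              redirect_uri: str) -> Optional[Dict[str, object]]:
        entry = self._pending.pop(code, None)  # one-shot: a replayed code fails
        if entry is None:
            return None
        challenge, bound_client, bound_redirect = entry
        if client_id != bound_client or redirect_uri != bound_redirect:
            return None
        # The proof: only the party that generated the verifier can match the challenge.
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)),
                "token_type": "Bearer", "expires_in": 300}


def run_flows() -> Dict[str, bool]:
    """A legitimate exchange, then two attacks on codes. All names are constructed."""
    server = AuthorizationServer()
    client_id, redirect_uri = "spa-demo", "https://app.example.test/callback"

    # 1. Normal flow: the client that made the verifier redeems the code.
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    legit = server.token(code, verifier, client_id, redirect_uri)

    # 2. Attacker sees the code (referrer leak, rogue app, proxy logs) but not the verifier.
    verifier2 = make_code_verifier()
    code2 = server.authorize(client_id, redirect_uri, make_code_challenge(verifier2))
    stolen = server.token(code2, make_code_verifier(), client_id, redirect_uri)

    # 3. Attacker replays a code the real client already redeemed.
    verifier3 = make_code_verifier()
    code3 = server.authorize(client_id, redirect_uri, make_code_challenge(verifier3))
    server.token(code3, verifier3, client_id, redirect_uri)
    replay = server.token(code3, verifier3, client_id, redirect_uri)

    return {"legit": legit is not None,
            "stolen_code": stolen is not None,
            "replay": replay is not None}


if __name__ == "__main__":
    print(run_flows())
```

Note that in case 2 the failed attacker attempt also consumed the code, so the legitimate client's own exchange would fail afterwards; that failure is a signal worth alerting on, not something to retry silently. The 300-second expires_in is the short-lived access token that slide 34 recommends over static API tokens.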
28. OAuth Client Credentials

29. API Gateway (diagram: { Rest } Client -> API Gateway -> Apps at /dogs, /cats, /fish)

30. Use API SDKs

31. Encrypt and Rotate Secrets

32. RBAC and ACLs (diagram: Groups Admin, User, Help Desk; Privileges Record: Read, Record: Create, Record: Update, Record: Delete; Users)

33. API Auth Security Patterns, rated: HTTP Basic ⭐ ⭐; Tokens ⭐ ⭐ ⭐; API SDKs ⭐ ⭐ ⭐ ⭐; OAuth 2.1 ⭐ ⭐ ⭐ ⭐ ⭐; Encrypt Secrets ⭐ ⭐ ⭐ ⭐ ⭐; RBAC and ACLs ⭐ ⭐ ⭐ ⭐ ⭐; API Gateway ⭐ ⭐ ⭐ ⭐ ⭐

34. API Auth Security Patterns, Tired vs Wired: build it yourself -> use existing libraries; static API tokens -> short-lived access tokens; CORS wildcard -> restrict access with CORS
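
For the CORS row of slide 34 (wildcard vs restricting access), the Python below is an added example, not code from the deck: it puts the tired pattern beside a hardened one, a prefix match that an attacker-controlled host name satisfies versus exact origin matching against a validated allowlist, with Vary: Origin and an explicit refusal of "*" or "null" entries when credentials are involved. ALLOWED_ORIGINS and the host names are constructed; the functions return plain header dicts so they can be wired into whatever framework hook sets response headers.

```python
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed allowlist for the example; in practice it comes from configuration.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_headers_tired(origin: Optional[str]) -> Dict[str, str]:
    """The wildcard / prefix-match anti-pattern. Kept only to show the failure."""
    if origin and origin.startswith("https://app.example.com"):
        # startswith() also matches https://app.example.com.evil.net
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {"Access-Control-Allow-Origin": "*"}


def allowlist_problems(allowed: Iterable[str]) -> List[str]:
    """Config-time check: reject entries a browser could match too loosely."""
    problems = []
    for entry in allowed:
        if entry == "*":
            problems.append("'*' matches every site and cannot be combined with credentials")
        elif entry == "null":
            problems.append("'null' is sent by sandboxed iframes and file:// pages")
        else:
            p = urlsplit(entry)
            if (p.scheme != "https" or not p.netloc or p.path or p.query
                    or p.fragment or p.username):
                problems.append(f"{entry!r} is not a bare https origin")
    return problems


def cors_headers(origin: Optional[str], allowed: Iterable[str] = ALLOWED_ORIGINS,
                 preflight: bool = False) -> Dict[str, str]:
    """Headers for a credentialed cross-origin request, or {} to deny."""
    if origin is None:         # same-origin or non-browser caller: nothing to add
        return {}
    if origin not in allowed:  # exact string match; never prefix, suffix or regex
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop shared caches serving one origin's answer to another
    }
    if preflight:
        headers.update({
            "Access-Control-Allow-Methods": "GET, POST",
            "Access-Control-Allow-Headers": "Authorization, Content-Type",
            "Access-Control-Max-Age": "600",
        })
    return headers


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://app.example.com.evil.net", "null"):
        print(o, "tired:", cors_headers_tired(o), "wired:", cors_headers(o))
```

Run allowlist_problems against the configured origins at startup and refuse to boot on a non-empty result; a CORS misconfiguration is far cheaper to catch there than in a bug bounty report.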
35. 04 Infra Auth Security Patterns

36. Linux. "Software is Automation and Automation is less toil." - Mark Shuttleworth, Canonical CEO (image: Larry Ewing)

37. SSH with Keys https://www.ssh.com/academy/ssh/protocol

38. Certificates (image: CC BY 3.0, EFF.org)

39. SSO for Servers: Active Directory; Pluggable Authentication Modules (PAM) for Linux https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam ; Okta's Advanced Server Access

40. Scan Docker Images

41. Know Your Cloud and Cluster Security https://twitter.com/acloudguru/status/1344724013122260993

42. The 4C's of Cloud Native Security https://kubernetes.io/docs/concepts/security/overview/

43. Kubernetes Tips: only expose what needs to be public; scan and update Kubernetes YAML; check out Kubescape. https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes

44. Encrypt Kubernetes Secrets (a Secret manifest as stored by default; base64 is encoding, not encryption, so anyone who can read the object or the etcd backing store can read the value)

    apiVersion: v1
    kind: Secret
    metadata:
      name: registry-secret
      namespace: demo
    type: Opaque
    data:
      registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64 encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"

45. Automation is Key (image: WSJ)

46. (image only)

47. Infra Auth Security Patterns, rated: SSH with Keys ⭐ ⭐ ⭐; Certificates ⭐ ⭐ ⭐ ⭐; Linux ⭐ ⭐ ⭐ ⭐ ⭐; Scan Docker Images ⭐ ⭐ ⭐ ⭐ ⭐; Encrypt K8s Secrets ⭐ ⭐ ⭐ ⭐ ⭐; Automate Your Infra ⭐ ⭐ ⭐ ⭐ ⭐; SSO for Servers ⭐ ⭐ ⭐ ⭐ ⭐

48. Infra Auth Security Patterns, Tired vs Wired: FROM some-large-image:1.2.3 -> use minimal images; secrets in images -> HashiCorp Vault; shared credentials -> limit access

49. 05 Action!

50. Action: How to codify these patterns? Spring Security

51. Action: How to test for lack of patterns? https://implicitdetector.io ; Audit Server Access

52. Action: How to test for vulnerabilities?

53. What about ?

54. "The OWASP Top 10 really hasn't changed all that much in the last ten years." -Johnny Xmas (@J0hnnyXm4s)

55. developer.okta.com/blog @oktadev

56. Thanks! Brian Demers: @briandemers, @bdemers, brian.demers@okta.com. Matt Raible: @mraible, matt.raible@okta.com, https://speakerdeck.com/mraible

57. developer.okta.com