
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - SpringOne 2021

In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.

The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?

If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!

YouTube: https://youtu.be/CebTJ7Nq1Hs

Matt Raible

September 02, 2021

Transcript

  1. Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra. Brian Demers and Matt Raible, @briandemers / @mraible, September 2, 2021

  2. Who are we? Brian Demers: Open Source Developer and Java Champion. Fun facts: likes to snowboard; into 🐝. @bdemers. Matt Raible: Open Source Developer and Java Champion. Fun facts: likes to ski; into classic VWs ✌. @mraible

  3. Today's Agenda: 01 What is Auth? (AuthN vs AuthZ); 02 App Auth Security Patterns (Web, SPA, Mobile); 03 API Auth Security Patterns (Tokens, OAuth, Secrets); 04 Infra Auth Security Patterns (Linux, SSH, Docker, Kubernetes); 05 Action! (How to implement these patterns)

  4. 01 What is Auth?

  5. Soooo ... Why should you care?

  6. A brief history of Auth: 60s: First Password; 1977: RSA; 1994: SSL; 2006: SAML 2.0; 2012: OAuth 2.0; 2014: OIDC; 2017: PKCE

  7. Developer Personas: App Developer (Frontend Developer, Mobile App Developer, Web Developer); API Developer (Java Developer, Backend Developer, probably likes tests); DevOps (System Administrator, Deployer, Operations, Monitoring); Security Concerned (Consultant, Paranoid Geek, security over performance)

  8. 02 App Auth Security Patterns

  9. Web vs SPA vs Mobile App

  10. HTTP Basic

  11. Form-based Authentication

  12. SAML (challenge / solution). "SAML is to OIDC as SOAP is to REST." -Joël Franusic (@jf)

  13. JWT Authentication

  14. Why JWTs Suck as Session Tokens (@rdegges on developer.okta.com, 2017); What do we do about JWT? (Security. Cryptography. Whatever. podcast, 2021)

  15. OpenID Connect (OIDC) for Auth: Identity Provider 🔒 Verify

  16. Multi-Factor Authentication (MFA)

  17. Passwordless (password, Password1, Password1!). "We like to think we know what we are talking about, at least Okta hasn't fired us yet…"

  18. App Auth Security Patterns, rated: HTTP Basic ⭐; Embedded Auth ⭐; SAML ⭐ ⭐; JWT Auth ⭐ ⭐; OpenID Connect ⭐ ⭐ ⭐ ⭐; MFA ⭐ ⭐ ⭐ ⭐ ⭐; Passwordless ⭐ ⭐ ⭐ ⭐ ⭐

  19. App Auth Security Patterns, Tired vs Wired. Tired: Apps handling passwords / Wired: Let someone else worry about it. Tired: Stateless to scale / Wired: Sessions are tried and true. Tired: OAuth Implicit Flow / Wired: OAuth Auth Code w/ PKCE. Tired: Sensitive data in URL / Wired: Use headers or the body.

  20. 03 API Auth Security Patterns

  21. HTTP Basic (credentials carried in the config server URI):

    spring:
      cloud:
        config:
          fail-fast: true
          retry:
            initial-interval: 1000
            max-interval: 2000
            max-attempts: 100
          uri: http://admin:${jhipster.registry.password}@localhost:8761/config
          # name of the config server's property source (file.yml) that we want to use
          name: store
          profile: prod # profile(s) of the property source
          label: main # toggle to switch to a different version stored in git
    jhipster:
      registry:
        password: admin

  22. Tokens

  23. OAuth 2.0: https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

  24. OAuth 2.0

  25. OAuth 2.0

  26. OAuth 2.1 (https://oauth.net/2.1): Authorization Code + PKCE; Client Credentials; Device Grant

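Slides 19 and 26 recommend the Authorization Code flow with PKCE over the Implicit flow. The following is an added example, not code from the talk or from Spring Security: the client's verifier and S256 challenge per RFC 7636, plus a constructed in-memory authorization server that binds the challenge to a single-use code and checks the verifier at the token endpoint.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Client side (SPA or mobile app): nothing here needs a client secret.
def make_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (RFC 7636 allows 43 to 128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# Authorization server side: a constructed in-memory model, not a real AS.
class AuthServer:
    def __init__(self) -> None:
        self._codes = {}  # authorization code -> code_challenge bound to it

    def authorize(self, code_challenge: str, method: str) -> str:
        """/authorize: accept only S256 (the OAuth 2.1 direction) and bind the
        challenge to a fresh, single-use authorization code."""
        if method != "S256" or len(code_challenge) != 43:
            raise ValueError("code_challenge_method must be S256")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """/token: the code is consumed on first use; the verifier must hash to
        the challenge stored with it, otherwise no token is issued."""
        challenge = self._codes.pop(code, None)
        if challenge is None or not 43 <= len(code_verifier) <= 128:
            return False
        return secrets.compare_digest(make_code_challenge(code_verifier), challenge)


def run_flow(server: AuthServer, verifier_at_token=None) -> bool:
    """Drive one exchange end to end. A different verifier_at_token models a
    code redeemed without the matching verifier, which PKCE rejects."""
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier), "S256")
    return server.token(code, verifier_at_token or verifier)
```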
  27. OAuth Client Credentials

  28. API Gateway: { Rest } Client -> API Gateway -> Apps at /dogs, /cats, /fish

  29. Use API SDKs

  30. Encrypt and Rotate Secrets

  31. RBAC and ACLs. Groups: Admin, User, Help Desk. Privileges: Record : Read, Record : Create, Record : Update, Record : Delete. Users

  32. API Auth Security Patterns, rated: HTTP Basic ⭐ ⭐; Tokens ⭐ ⭐ ⭐; API SDKs ⭐ ⭐ ⭐ ⭐; Encrypt Secrets ⭐ ⭐ ⭐ ⭐ ⭐; RBAC and ACLs ⭐ ⭐ ⭐ ⭐ ⭐; API Gateway ⭐ ⭐ ⭐ ⭐ ⭐; OAuth 2.1 ⭐ ⭐ ⭐ ⭐ ⭐

  33. API Auth Security Patterns, Tired vs Wired. Tired: Build it yourself / Wired: Use existing libraries. Tired: Static API Tokens / Wired: Short lived access tokens. Tired: CORS wildcard / Wired: Restrict access with CORS.

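Slide 33's "CORS wildcard" versus "Restrict access with CORS", as an added Python example (not code from the talk): the wildcard handler beside an exact-match allowlist handler, with ALLOWED_ORIGINS a constructed list of front-end origins.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real API lists its own front-end origins.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com:8443"})


def cors_headers_wildcard(origin):
    """Tired: '*' lets every origin read the response. Browsers refuse to pair
    '*' with credentials, which is why teams then reflect the Origin header
    instead; that is the same hole with cookies attached."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers(origin):
    """Wired: emit CORS headers only for an exact, allowlisted origin."""
    if origin is None:  # same-origin or non-browser caller: no CORS headers needed
        return {}
    parts = urlsplit(origin)
    # A browser Origin is scheme://host[:port] only; anything else is malformed.
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment or parts.username:
        return {}
    if origin not in ALLOWED_ORIGINS:  # exact match: no prefix, suffix or regex tests
        return {}
    return {
        "Access-Control-Allow-Origin": origin,  # echo the single matched origin, never "*"
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # shared caches must not replay this response to another origin
    }
```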
  34. 04 Infra Auth Security Patterns

  35. Linux (challenge / solution). "Software is Automation and Automation is less toil." -Mark Shuttleworth, Canonical CEO. (Tux by Larry Ewing)

  36. SSH with Keys: https://www.ssh.com/academy/ssh/protocol

  37. Certificates (image CC BY 3.0: EFF.org)

  38. SSO for Servers: Active Directory; Pluggable Authentication Modules (PAM) for Linux (https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam); Okta's Advanced Server Access

  39. Scan Docker Images

  40. Know Your Cloud and Cluster Security: https://twitter.com/acloudguru/status/1344724013122260993

  41. The 4C's of Cloud Native Security: https://kubernetes.io/docs/concepts/security/overview/

  42. Kubernetes Tips: Only expose what needs to be public; Scan and update Kubernetes YAML; Check out Kubescape. https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes

  43. Encrypt Kubernetes Secrets (a plain Secret is only base64 encoded):

    apiVersion: v1
    kind: Secret
    metadata:
      name: registry-secret
      namespace: demo
    type: Opaque
    data:
      registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64 encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"

  44. Automation is Key (WSJ)

  45. Infra Auth Security Patterns, rated: Linux ⭐ ⭐ ⭐ ⭐ ⭐; SSH with Keys ⭐ ⭐ ⭐; Certificates ⭐ ⭐ ⭐ ⭐; Scan Docker Images ⭐ ⭐ ⭐ ⭐ ⭐; Encrypt K8s Secrets ⭐ ⭐ ⭐ ⭐ ⭐; Automate Your Infra ⭐ ⭐ ⭐ ⭐ ⭐; SSO for Servers ⭐ ⭐ ⭐ ⭐ ⭐

  46. Infra Auth Security Patterns, Tired vs Wired. Tired: FROM: some-large-image:1.2.3 / Wired: Use minimal images. Tired: Secrets in Images / Wired: HashiCorp Vault. Tired: Shared Credentials / Wired: Limit Access.

  47. 05 Action!

  48. Action: How to codify these patterns? Spring Security

  49. Action: How to test for lack of patterns? https://implicitdetector.io; Audit Server Access

  50. Action: How to test for vulnerabilities?

  51. What about ?

  52. "The OWASP Top 10 really hasn't changed all that much in the last ten years." -Johnny Xmas (@J0hnnyXm4s)

  53. developer.okta.com/blog, @oktadev

  54. Thanks! Brian Demers: @briandemers, @bdemers, brian.demers@okta.com. Matt Raible: @mraible, matt.raible@okta.com, https://speakerdeck.com/mraible

  55. developer.okta.com