
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - SpringOne 2021

Matt Raible
September 02, 2021


In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.

The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?

If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!

YouTube: https://youtu.be/CebTJ7Nq1Hs


Transcript

  1. Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra

    Brian Demers and Matt Raible, @briandemers / @mraible. September 2, 2021
  2. Who are we?

    Brian Demers: Open Source Developer and Java Champion. Fun facts: likes to snowboard; into 🐝. @bdemers
    Matt Raible: Open Source Developer and Java Champion. Fun facts: likes to ski; into classic VWs ✌. @mraible
  3. Today's Agenda

    01 What is Auth? AuthN vs AuthZ
    02 App Auth Security Patterns: Web, SPA, Mobile
    03 API Auth Security Patterns: Tokens, OAuth, Secrets
    04 Infra Auth Security Patterns: Linux, SSH, Docker, Kubernetes
    05 Action! How to implement these patterns
  4. A brief history of Auth

    60s: First Password; 1977: RSA; 1994: SSL; 2006: SAML 2.0; 2012: OAuth 2.0; 2014: OIDC; 2017: PKCE
  5. Developer Personas

    App Developer: Frontend Developer, Mobile App Developer, Web Developer
    API Developer: Java Developer, Backend Developer, probably likes tests
    DevOps: System Administrator, Deployer, Operations, Monitoring
    Security Concerned: Consultant, Paranoid Geek, security over performance
  6. CHALLENGE / SOLUTION: SAML

    "SAML is to OIDC as SOAP is to REST." - Joël Franusic (@jf)
  7. Further reading

    Why JWTs Suck as Session Tokens - @rdegges on developer.okta.com, 2017
    What do we do about JWT? - Security. Cryptography. Whatever. podcast, 2021
  8. Passwordless: password, Password1, Password1!

    We like to think we know what we are talking about, at least Okta hasn't fired us yet…
  9. App Auth Security Patterns

    SAML ⭐⭐
    HTTP Basic ⭐
    Embedded Auth ⭐
    OpenID Connect ⭐⭐⭐⭐
    MFA ⭐⭐⭐⭐⭐
    Passwordless ⭐⭐⭐⭐⭐
    JWT Auth ⭐⭐
  10. App Auth Security Patterns: Tired vs. Wired

    Tired: Apps handling passwords -> Wired: Let someone else worry about it
    Tired: Stateless to scale -> Wired: Sessions are tried and true
    Tired: OAuth Implicit Flow -> Wired: OAuth Auth Code w/ PKCE
    Tired: Sensitive data in URL -> Wired: Use headers or the body
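The "OAuth Auth Code w/ PKCE" row above is the one that replaces the Implicit flow for SPAs and mobile apps. The following is an added example (not code from the deck or from any Okta library) of the PKCE half of that exchange as RFC 7636 defines it, with both the client's and the authorization server's side shown so the whole sequence can be followed; the function names are mine.

```python
# Added example (not from the deck): the PKCE half of the OAuth 2.0
# Authorization Code flow, per RFC 7636. Client and server roles are both
# shown so the exchange can be followed end to end.
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 section 4.2 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client: high-entropy secret kept in memory only; 32 random bytes encode
    to 43 characters, the RFC minimum (maximum is 128)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client: S256 challenge = base64url(SHA-256(verifier)). This is what
    travels in the authorization request as
    code_challenge=<challenge>&code_challenge_method=S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server, token endpoint: the challenge was stored with the
    issued authorization code; recompute it from the code_verifier the client
    presents now and compare in constant time. A party that only intercepted
    the authorization code (the exposure of Implicit and of plain Auth Code for
    public clients) cannot produce the verifier."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def demo_flow() -> bool:
    """Run one exchange: client derives the challenge, server later checks the
    verifier. True when the real verifier passes and a foreign one is refused."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)          # sent with the /authorize request
    # ... server issues an authorization code and stores (code -> challenge) ...
    legitimate = server_verifies(challenge, verifier)                 # /token with code_verifier
    intercepted = server_verifies(challenge, make_code_verifier())    # someone who only has the code
    return legitimate and not intercepted


if __name__ == "__main__":
    print("PKCE exchange ok:", demo_flow())
```

The `server_verifies` check is what turns a leaked or intercepted authorization code into a dead end; the verifier never leaves the client except in the direct back-channel token request.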
  11. HTTP Basic

    spring:
      cloud:
        config:
          fail-fast: true
          retry:
            initial-interval: 1000
            max-interval: 2000
            max-attempts: 100
          uri: http://admin:${jhipster.registry.password}@localhost:8761/config
          # name of the config server's property source (file.yml) that we want to use
          name: store
          profile: prod # profile(s) of the property source
          label: main # toggle to switch to a different version stored in git
    jhipster:
      registry:
        password: admin
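The `uri` above carries the Basic credentials inside the URL, which is exactly the "Sensitive data in URL" pattern from the Tired column: such URLs end up in shell history, proxy and access logs, and exception messages. Below is an added example (not from the deck and not JHipster or Spring code) that strips `user:pass@` out of a URL and produces the equivalent `Authorization: Basic` header, plus the redacted form a log line should carry. The sample URL is the slide's URI with its `${jhipster.registry.password}` placeholder resolved to the `admin` value the slide sets.

```python
# Added example (not from the deck): moving HTTP Basic credentials out of the
# URL and into the Authorization header, and redacting them when a URL that
# still carries userinfo has to be logged.
import base64
from urllib.parse import unquote, urlsplit, urlunsplit


def split_userinfo(url: str):
    """Return (url_without_userinfo, username, password); the last two are
    None when the URL carries no credentials."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None, None
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal must stay bracketed
        host = f"[{host}]"
    netloc = f"{host}:{parts.port}" if parts.port else host
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return clean, unquote(parts.username), unquote(parts.password or "")


def userinfo_to_basic_header(url: str):
    """Tired -> Wired: strip user:pass@ from the URL and return the
    Authorization: Basic header to send in its place."""
    clean, user, password = split_userinfo(url)
    if user is None:
        return clean, {}
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return clean, {"Authorization": f"Basic {token}"}


def redact_url(url: str) -> str:
    """What a log line should contain if a URL with userinfo ever reaches one."""
    clean, user, password = split_userinfo(url)
    if user is None:
        return url
    parts = urlsplit(clean)
    return urlunsplit((parts.scheme, f"{user}:***@{parts.netloc}",
                       parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    url = "http://admin:admin@localhost:8761/config"   # slide's URI, placeholder resolved
    print(userinfo_to_basic_header(url))
    print(redact_url(url))
```

Spring Cloud Config Client also accepts the credentials as the separate `spring.cloud.config.username` and `spring.cloud.config.password` properties, which keeps them out of the `uri` value entirely; Basic over plain `http://` is still only acceptable on a loopback or otherwise trusted network.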
  12. API Gateway

    { Rest } Client -> API Gateway -> App (/dogs), App (/cats), App (/fish)
  13. RBAC and ACLs

    Groups: Admin, User, Help Desk
    Privileges: Record: Read, Record: Create, Record: Update, Record: Delete
    Users
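The slide names the groups and the Record privileges but not how they combine. The following is an added example (not from the deck) of the two mechanisms working together: RBAC grants role-wide privileges, a per-record ACL grants them to individual users, and everything else is denied. Which group holds which privilege, the owner's implicit rights, and the user and record names are assumptions made for the example.

```python
# Added example (not from the deck): RBAC for coarse, role-wide privileges and
# a per-record ACL for fine-grained grants, deny-by-default.
from dataclasses import dataclass, field
from typing import Optional

ROLE_PERMISSIONS = {                      # assumed mapping of the slide's groups to privileges
    "Admin":     {"record:read", "record:create", "record:update", "record:delete"},
    "Help Desk": {"record:read", "record:update"},
    "User":      {"record:create"},       # what a User may do to a record comes from its ACL
}
OWNER_PERMISSIONS = {"record:read", "record:update"}   # assumed implicit ACL entry for the owner


@dataclass
class User:
    name: str
    groups: set


@dataclass
class Record:
    id: int
    owner: str
    acl: dict = field(default_factory=dict)   # user name -> set of explicitly granted permissions


def rbac_allows(user: User, permission: str) -> bool:
    """Role check: any group the user is in that carries the permission.
    Unknown groups grant nothing."""
    return any(permission in ROLE_PERMISSIONS.get(g, set()) for g in user.groups)


def acl_allows(user: User, record: Record, permission: str) -> bool:
    """Record-level check: the owner's implicit rights plus explicit ACL entries."""
    if record.owner == user.name and permission in OWNER_PERMISSIONS:
        return True
    return permission in record.acl.get(user.name, set())


def authorize(user: User, permission: str, record: Optional[Record] = None) -> bool:
    """Deny by default. Role-wide permissions apply to every record; otherwise
    the specific record's ACL decides. Creation has no record yet, so only RBAC
    can allow it."""
    if rbac_allows(user, permission):
        return True
    return record is not None and acl_allows(user, record, permission)


def grant(record: Record, user_name: str, permission: str) -> None:
    """Add an explicit ACL entry, e.g. share one record with one colleague."""
    record.acl.setdefault(user_name, set()).add(permission)


if __name__ == "__main__":
    alice, bob = User("alice", {"User"}), User("bob", {"User"})
    rec = Record(1, owner="alice")
    print(authorize(bob, "record:read", rec))     # denied until alice shares it
    grant(rec, "bob", "record:read")
    print(authorize(bob, "record:read", rec))
```

The order of the two checks matters for auditability rather than security: RBAC answers for roles like Admin without touching record data, and only per-record decisions need the ACL lookup.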
  14. API Auth Security Patterns

    OAuth 2.1 ⭐⭐⭐⭐⭐
    HTTP Basic ⭐⭐
    Tokens ⭐⭐⭐
    API SDKs ⭐⭐⭐⭐
    Encrypt Secrets ⭐⭐⭐⭐⭐
    RBAC and ACLs ⭐⭐⭐⭐⭐
    API Gateway ⭐⭐⭐⭐⭐
  15. API Auth Security Patterns: Tired vs. Wired

    Tired: Build it yourself -> Wired: Use existing libraries
    Tired: Static API Tokens -> Wired: Short lived access tokens
    Tired: CORS wildcard -> Wired: Restrict access with CORS
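"Restrict access with CORS" and "Short lived access tokens" are both per-request checks on the resource server. The following is an added example (not from the deck) of those two checks: an exact-match origin allowlist that neither echoes the incoming `Origin` nor suffix-matches it, and a token-claims check that refuses tokens with no expiry, expired tokens, and tokens minted to live longer than policy allows. The allowed origins, the 15-minute lifetime, and the claim values are assumptions.

```python
# Added example (not from the deck): CORS allowlisting and short-lived token
# acceptance as a resource server would run them on each request.
import time
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}   # assumed allowlist
MAX_TOKEN_LIFETIME = 15 * 60     # assumed policy: tokens minted to live longer than this are refused


def normalize_origin(origin: str):
    """An Origin header is scheme://host[:port] with no path. Return a canonical
    form (lowercase scheme and host, default port dropped) or None if malformed."""
    p = urlsplit(origin)
    if p.scheme not in ("http", "https") or not p.hostname or p.path or p.query or p.fragment:
        return None
    default = 443 if p.scheme == "https" else 80
    if p.port in (None, default):
        return f"{p.scheme}://{p.hostname}"
    return f"{p.scheme}://{p.hostname}:{p.port}"


def cors_headers(origin, allowlist=ALLOWED_ORIGINS, credentials=True) -> dict:
    """Exact-match allowlist. Returns {} (no Access-Control-Allow-Origin, so the
    browser refuses to expose the response) for anything else. Two anti-patterns
    this deliberately avoids: reflecting whatever Origin arrives, which is a
    wildcard in disguise that also works with credentials, and suffix matching,
    which lets app.example.com.evil.com through."""
    norm = normalize_origin(origin) if origin else None
    if norm is None or norm not in allowlist:
        return {}
    headers = {"Access-Control-Allow-Origin": norm, "Vary": "Origin"}
    if credentials:
        # Never '*' here: browsers reject credentialed responses that carry ACAO: *
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def accept_token_claims(claims: dict, now: float = None) -> bool:
    """Reject tokens with no iat/exp (a static API token in JWT clothing),
    expired tokens, and tokens whose iat..exp window exceeds the lifetime policy.
    Signature verification is assumed to have happened before this is called."""
    now = time.time() if now is None else now
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        return False
    return iat <= now < exp and (exp - iat) <= MAX_TOKEN_LIFETIME


if __name__ == "__main__":
    print(cors_headers("https://app.example.com"))
    print(cors_headers("https://app.example.com.evil.com"))   # {}
    print(accept_token_claims({"iat": 1000, "exp": 1600}, now=1500))
```

`Vary: Origin` is there so a shared cache never serves one origin's allow header to another; without it a correct allowlist can still be undone by the CDN in front of the API.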
  16. CHALLENGE / SOLUTION: Linux

    "Software is Automation and Automation is less toil." - Mark Shuttleworth, Canonical CEO (Tux image: Larry Ewing)
  17. SSO for Servers

    Active Directory
    Pluggable Authentication Modules (PAM) for Linux: https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
    Okta's Advanced Server Access
  18. Know Your Cloud and Cluster Security

    https://twitter.com/acloudguru/status/1344724013122260993
  19. Kubernetes Tips

    Only expose what needs to be public
    Scan and update Kubernetes YAML
    Check out Kubescape
    https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes
  20. Encrypt Kubernetes Secrets

    apiVersion: v1
    kind: Secret
    metadata:
      name: registry-secret
      namespace: demo
    type: Opaque
    data:
      registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64 encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"
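The `data` value on the slide is base64, which is encoding, not encryption: the comment itself shows the plaintext. The following is an added example (not from the deck) that decodes the slide's Secret in one call and then checks whether a kube-apiserver `EncryptionConfiguration` (the resource passed via `--encryption-provider-config`) would actually encrypt Secrets in etcd. The manifests are inline dicts, the shape `yaml.safe_load` would return, and the AES key value is a placeholder constructed for the example.

```python
# Added example (not from the deck): the slide's Secret decoded, plus a check on
# an EncryptionConfiguration for kube-apiserver. Manifests are inline dicts; the
# key material is a placeholder.
import base64

SECRET_MANIFEST = {                                     # the slide's Secret
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "registry-secret", "namespace": "demo"},
    "type": "Opaque",
    "data": {"registry-admin-password": "ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4"},
}

ENCRYPTION_CONFIG = {                                   # constructed for the example
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"aescbc": {"keys": [{"name": "key1", "secret": "<base64 32-byte key>"}]}},  # placeholder
            {"identity": {}},   # kept last so objects written before encryption was enabled still read
        ],
    }],
}


def decode_secret(manifest: dict) -> dict:
    """Anyone who can `kubectl get secret -o yaml`, or read the git repo the
    manifest lives in, gets the plaintext back with one call."""
    plain = {k: base64.b64decode(v).decode("utf-8") for k, v in manifest.get("data", {}).items()}
    plain.update(manifest.get("stringData", {}))       # stringData is not even encoded
    return plain


def secrets_encrypted_at_rest(config: dict) -> bool:
    """The first provider listed for a resource is the one used for writes; if
    that is 'identity', or 'secrets' is not covered at all, etcd holds plaintext."""
    for entry in config.get("resources", []):
        if "secrets" not in entry.get("resources", []):
            continue
        providers = entry.get("providers", [])
        return bool(providers) and "identity" not in providers[0]
    return False


if __name__ == "__main__":
    print(decode_secret(SECRET_MANIFEST))
    print("secrets encrypted in etcd:", secrets_encrypted_at_rest(ENCRYPTION_CONFIG))
```

Encryption at rest only protects the etcd copy; anyone with RBAC permission to read the Secret still gets plaintext, and a manifest like the slide's committed to git is plaintext for everyone with repo access. That is the gap an external secrets manager such as the HashiCorp Vault the deck recommends later is meant to close.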
  21. Infra Auth Security Patterns

    Certificates ⭐⭐⭐⭐
    Linux ⭐⭐⭐⭐⭐
    SSH with Keys ⭐⭐⭐
    Scan Docker Images ⭐⭐⭐⭐⭐
    Encrypt K8s Secrets ⭐⭐⭐⭐⭐
    Automate Your Infra ⭐⭐⭐⭐⭐
    SSO for Servers ⭐⭐⭐⭐⭐
  22. Infra Auth Security Patterns: Tired vs. Wired

    Tired: FROM some-large-image:1.2.3 -> Wired: Use minimal images
    Tired: Secrets in Images -> Wired: HashiCorp Vault
    Tired: Shared Credentials -> Wired: Limit Access
  23. Action: How to codify these patterns?

    Spring Security
  24. Action: How to test for lack of patterns?

    https://implicitdetector.io
    Audit Server Access
  25. "The OWASP Top 10 really hasn't changed all that much in the last ten years." - Johnny Xmas (@J0hnnyXm4s)