Slide 1

Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
Brian Demers and Matt Raible (@briandemers / @mraible)
April 13, 2022

Slide 2

Who are we?

Brian Demers (@bdemers)
  Open Source Developer and Java Champion
  Fun facts: likes to snowboard; into 🐝

Matt Raible (@mraible)
  Open Source Developer and Java Champion
  Fun facts: likes to ski; into classic VWs ✌

Slide 3

Today's Agenda

01 What is Auth? (AuthN vs AuthZ)
02 App Auth Security Patterns (Web, SPA, Mobile)
03 API Auth Security Patterns (Tokens, OAuth, Secrets)
04 Infra Auth Security Patterns (Linux, SSH, Docker, Kubernetes)
05 Action! (How to implement these patterns)

Slide 4

01 What is Auth?

Slide 5

Soooo ... Why should you care?

Slide 6

A brief history of Auth

60s: First Password
1977: RSA
1994: SSL
2006: SAML 2.0
2012: OAuth 2.0
2014: OIDC
2017: PKCE

Slide 7

Developer Personas

App Developer
  Frontend Developer, Mobile App Developer, Web Developer

API Developer
  Java Developer, Backend Developer, Probably likes tests

DevOps
  System Administrator, Deployer, Operations, Monitoring

Security Concerned
  Consultant, Paranoid Geek, Security over performance

Slide 8

02 App Auth Security Patterns

Slide 9

Web vs SPA vs Mobile App

Slide 10

HTTP Basic Authentication

Slide 11

Form-based Authentication

Slide 12

SAML

[diagram: CHALLENGE → SOLUTION]

"SAML is to OIDC as SOAP is to REST." - Joël Franusic (@jf)

Slide 13

JWT Authentication

Slide 14

"Why JWTs Suck as Session Tokens" - @rdegges on developer.okta.com, 2017
"What do we do about JWT?" - Security. Cryptography. Whatever. podcast, 2021

Slide 15

OpenID Connect (OIDC) for Auth

[diagram: Identity Provider, 🔒 Verify]

Slide 16

Multi-Factor Authentication (MFA)

Slide 17

Multi-Factor Authentication (MFA)

Slide 18

Passwordless

password
Password1
Password1!

We like to think we know what we are talking about, at least Okta hasn't fired us yet…

Slide 19

App Auth Security Patterns

SAML            ⭐⭐
HTTP Basic      ⭐
Embedded Auth   ⭐
OpenID Connect  ⭐⭐⭐⭐
MFA             ⭐⭐⭐⭐⭐
Passwordless    ⭐⭐⭐⭐⭐
JWT Auth        ⭐⭐

Slide 20

App Auth Security Patterns

Tired                        Wired
Apps handling passwords      Let someone else worry about it
Stateless to scale           Sessions are tried and true
OAuth Implicit Flow          OAuth Auth Code with PKCE
Sensitive data in URL        Use headers or the body

Slide 21

03 API Auth Security Patterns

Slide 22

HTTP Basic

spring:
  cloud:
    config:
      fail-fast: true
      retry:
        initial-interval: 1000
        max-interval: 2000
        max-attempts: 100
      uri: http://admin:${jhipster.registry.password}@localhost:8761/config
      # name of the config server's property source (file.yml) that we want to use
      name: store
      profile: prod # profile(s) of the property source
      label: main # toggle to switch to a different version stored in git
jhipster:
  registry:
    password: admin
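The config above carries the registry password in the userinfo part of the URI, which is the "sensitive data in URL" habit the deck later files under Tired, with "use headers or the body" as the Wired replacement. The following is an added example written for this page (it is not JHipster, Spring Cloud Config or Okta code): it shows the client-side handling a defender wants, namely stripping the credentials out of the URL, sending them as an HTTP Basic Authorization header, and redacting the userinfo before the URL can reach a log line. The URI and password values are constructed for the demo; the percent-encoded password exercises the edge case where a password contains URL-reserved characters.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample with the same shape as the uri in the config above.
# "s3cret%21" is the percent-encoded form of "s3cret!"; not a real credential.
CONFIG_URI = "http://admin:s3cret%21@localhost:8761/config"


def strip_userinfo(url: str):
    """Split scheme://user:pass@host:port/path into the credential-free URL and
    the decoded (user, password) pair. Returns (url, None) if there is no userinfo."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, put them back
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    # userinfo is percent-encoded on the wire; decode so "p%40ss" becomes "p@ss"
    creds = (unquote(parts.username), unquote(parts.password or ""))
    return clean, creds


def basic_auth_header(username: str, password: str) -> str:
    """Value of the Authorization header for HTTP Basic (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def redact_url(url: str) -> str:
    """Form of the URL that is safe to log: password replaced, user name kept."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    clean, _ = strip_userinfo(url)
    cp = urlsplit(clean)
    return urlunsplit((cp.scheme, f"{parts.username}:***@{cp.netloc}", cp.path, cp.query, cp.fragment))


def prepare_request(url: str):
    """Return (url_to_call, headers): the secret leaves the URL and moves to a header."""
    clean, creds = strip_userinfo(url)
    headers = {}
    if creds is not None:
        headers["Authorization"] = basic_auth_header(*creds)
    return clean, headers


if __name__ == "__main__":
    target, hdrs = prepare_request(CONFIG_URI)
    print("GET", target, hdrs)
    print("log line:", redact_url(CONFIG_URI))
```

The separation matters because URLs are copied into access logs, proxy logs, browser history and error reports, while an Authorization header is something logging middleware already knows to drop or mask.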

Slide 23

Tokens

Slide 24

OAuth 2.0
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

Slide 25

OAuth 2.0

Slide 26

OAuth 2.0

Slide 27

OAuth 2.1
https://oauth.net/2.1

Authorization Code + PKCE
Client Credentials
Device Grant
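Both the Tired/Wired slide ("OAuth Implicit Flow" versus "OAuth Auth Code with PKCE") and the OAuth 2.1 grant list above come down to one mechanism, so here is a single added example of it, written for this page rather than taken from the deck or from any library: the client generates a code_verifier, sends only its SHA-256 code_challenge in the front-channel authorization request, and the authorization server recomputes the challenge at the token endpoint from the verifier the client presents. The endpoint URL and client id in the demo are hypothetical; the one fixed test vector is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def _b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 prescribes."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """Client side: high-entropy random string that never leaves the client.
    32 random bytes encode to 43 characters, the minimum length the RFC allows."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """Client side: the value that travels in the authorization request. Only the
    hash is exposed in the redirect, so an observer of the front channel cannot
    present the verifier at the token endpoint."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scope, state, challenge):
    """Client side: the authorization request. response_type is always "code";
    the implicit grant (response_type=token) is removed in OAuth 2.1."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # binds the callback to this request (CSRF protection)
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def verify_code_verifier(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the challenge
    from the verifier sent with the code exchange and compare in constant time.
    OAuth 2.1 mandates S256, so the "plain" method is rejected here on purpose."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Hypothetical issuer and client, for the demo only
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(build_authorization_url("https://issuer.example/oauth2/authorize", "demo-client",
                                  "https://app.example/callback", "openid profile",
                                  secrets.token_urlsafe(16), challenge))
    # Later, when the client exchanges the code, the server runs this check:
    print("verifier accepted:", verify_code_verifier(challenge, "S256", verifier))
```

The server stores the challenge and method alongside the issued authorization code; a stolen code is useless to anyone who does not also hold the verifier, which is the property the implicit flow never had.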

Slide 28

OAuth Client Credentials

Slide 29

API Gateway

[diagram: { Rest } Client → API Gateway → /dogs, /cats, /fish → App, App, App]

Slide 30

Use API SDKs

Slide 31

Encrypt and Rotate Secrets

Slide 32

RBAC and ACLs

[diagram: Users → Groups → Privilege]
Groups: Admin, User, Help Desk
Privilege: Record : Read, Record : Create, Record : Update, Record : Delete

Slide 33

API Auth Security Patterns

OAuth 2.1        ⭐⭐⭐⭐⭐
HTTP Basic       ⭐⭐
Tokens           ⭐⭐⭐
API SDKs         ⭐⭐⭐⭐
Encrypt Secrets  ⭐⭐⭐⭐⭐
RBAC and ACLs    ⭐⭐⭐⭐⭐
API Gateway      ⭐⭐⭐⭐⭐

Slide 34

API Auth Security Patterns

Tired               Wired
Build it yourself   Use existing libraries
Static API Tokens   Short lived access tokens
CORS wildcard       Restrict access with CORS
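The "CORS wildcard" versus "Restrict access with CORS" row is worth seeing in code, because the wildcard usually appears in disguise. Browsers refuse to send cookies to an `Access-Control-Allow-Origin: *` response, so an API that needs credentials often ends up echoing whatever Origin the browser sent, which is a wildcard in everything but name. This added example (written for this page, not taken from the deck or from any framework) puts that pattern beside the allowlist version and adds the check a reviewer would run over response headers. The origins in the allowlist are constructed for the demo.

```python
# Constructed allowlist for the demo; in a real service this comes from configuration.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com:8443"})


def reflect_origin_headers(request_origin):
    """The Tired pattern: echo the caller's Origin and allow credentials.
    Any site on the internet can then make cookie-bearing requests and read the
    responses, which is exactly what the same-origin policy exists to prevent."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def restricted_cors_headers(request_origin, allowed=ALLOWED_ORIGINS, allow_credentials=True):
    """The Wired pattern: exact match of the Origin against an allowlist.

    An origin is the whole scheme://host[:port] string and is compared as such.
    Substring or suffix checks are not used, because endswith("example.com")
    would also accept "https://app.example.com.evil.test". Origins that are not
    on the list get no CORS headers at all, so the browser withholds the response
    from the calling page.
    """
    if request_origin is None or request_origin not in allowed:
        return {}
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",  # the answer depends on Origin; caches must not reuse it across origins
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def is_unsafe_cors_config(headers, allowed=ALLOWED_ORIGINS):
    """Reviewer's check on a set of response headers: credentials allowed together
    with a wildcard or with an origin that is not on the allowlist. A bare
    wildcard without credentials is acceptable for a public, unauthenticated API."""
    origin = headers.get("Access-Control-Allow-Origin")
    credentials = headers.get("Access-Control-Allow-Credentials") == "true"
    if origin is None or not credentials:
        return False
    return origin == "*" or origin not in allowed


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://app.example.com.evil.test", "https://evil.test"):
        print(origin, "->", restricted_cors_headers(origin))
```

Run the check against what your framework actually emits, not against what the configuration claims: the reflecting behaviour is frequently introduced by a permissive middleware default rather than by hand.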

Slide 35

04 Infra Auth Security Patterns

Slide 36

Linux

[diagram: CHALLENGE → SOLUTION]

"Software is Automation and Automation is less toil." - Mark Shuttleworth, Canonical CEO

Image credit: Larry Ewing

Slide 37

SSH with Keys
https://www.ssh.com/academy/ssh/protocol

Slide 38

Certificates

Image: CC BY 3.0, EFF.org

Slide 39

SSO for Servers

Active Directory
Pluggable Authentication Modules (PAM) for Linux
  https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
Okta's Advanced Server Access

Slide 40

Scan Docker Images

Slide 41

Know Your Cloud and Cluster Security
https://twitter.com/acloudguru/status/1344724013122260993

Slide 42

The 4C's of Cloud Native Security
https://kubernetes.io/docs/concepts/security/overview/

Slide 43

Kubernetes Tips

Only expose what needs to be public
Scan and update Kubernetes YAML
Check out Kubescape

https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes

Slide 44

Encrypt Kubernetes Secrets

apiVersion: v1
kind: Secret
metadata:
  name: registry-secret
  namespace: demo
type: Opaque
data:
  registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64 encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"
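The comment on the manifest above is the whole point of the slide: the `data:` values of a Secret are base64-encoded, not encrypted, so anyone who can read the YAML (a git repository, a CI log, a Helm values file) has the plaintext, and Kubernetes itself stores Secrets in etcd unencrypted unless encryption at rest is configured. The following added example (written for this page; not kubectl, Kubescape or any other project's code) is the small check one would run in a pre-commit hook or CI step: walk a multi-document manifest, pick out `kind: Secret` objects and decode what they carry inline. The manifest is constructed for the demo around the Secret shown on the slide; the parser is a deliberately minimal line-based reader for the flat shape Secret manifests have, so it runs without PyYAML.

```python
import base64
import binascii
import re

# Constructed multi-document manifest: the Secret from the slide plus a ConfigMap,
# the way both would sit together in a repository.
MANIFEST = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
data:
  LOG_LEVEL: info
---
apiVersion: v1
kind: Secret
metadata:
  name: registry-secret
  namespace: demo
type: Opaque
data:
  registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4
stringData:
  api-token: plain-text-token-value
"""

# "  key: value" lines directly under a top-level mapping, optional trailing comment
_KEY_VALUE = re.compile(r"^\s{2}([A-Za-z0-9._-]+):\s*(\S+)\s*(?:#.*)?$")


def find_inline_secrets(manifest: str):
    """Return (secret_name, key, plaintext) for every value a kind: Secret object
    carries inline, decoding data: (base64) and passing stringData: through as-is.
    ConfigMaps and other kinds are ignored; only Secret manifests are reported."""
    findings = []
    for doc in manifest.split("\n---"):
        lines = doc.strip().splitlines()
        if not any(line.strip() == "kind: Secret" for line in lines):
            continue
        name = "<unnamed>"
        section = None  # "data", "stringData" or None while inside other top-level keys
        for line in lines:
            m_name = re.match(r"^\s+name:\s*(\S+)", line)
            if m_name and section is None:
                name = m_name.group(1)  # metadata.name
            if not line.startswith(" "):
                top = line.rstrip(":")
                section = top if top in ("data", "stringData") else None
                continue
            if section is None:
                continue
            m = _KEY_VALUE.match(line)
            if not m:
                continue
            key, value = m.groups()
            if section == "data":
                try:
                    value = base64.b64decode(value, validate=True).decode("utf-8", "replace")
                except (binascii.Error, ValueError):
                    value = "<not valid base64>"
            findings.append((name, key, value))
    return findings


if __name__ == "__main__":
    for name, key, plaintext in find_inline_secrets(MANIFEST):
        print(f"Secret {name}: {key} is readable in plaintext ({len(plaintext)} chars)")
```

A manifest that produces any finding is a secret committed to source control; the fix the deck points at is to keep the value out of the YAML (a secret store such as Vault, or sealed or externally synced secrets) and to turn on encryption at rest for the cluster so etcd backups do not carry the plaintext either.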

Slide 45

Automation is Key

Image credit: WSJ

Slide 46

[image only]

Slide 47

Infra Auth Security Patterns

Certificates         ⭐⭐⭐⭐
Linux                ⭐⭐⭐⭐⭐
SSH with Keys        ⭐⭐⭐
Scan Docker Images   ⭐⭐⭐⭐⭐
Encrypt K8s Secrets  ⭐⭐⭐⭐⭐
Automate Your Infra  ⭐⭐⭐⭐⭐
SSO for Servers      ⭐⭐⭐⭐⭐

Slide 48

Infra Auth Security Patterns

Tired                            Wired
FROM: some-large-image:1.2.3     Use minimal images
Secrets in Images                HashiCorp Vault
Shared Credentials               Limit Access

Slide 49

05 Action!

Slide 50

Action: How to codify these patterns?

[logo: spring security]

Slide 51

Action: How to test for lack of patterns?

https://implicitdetector.io
Audit Server Access

Slide 52

Action: How to test for vulnerabilities?

Slide 53

What about ?

Slide 54

"The OWASP Top 10 really hasn't changed all that much in the last ten years." - Johnny Xmas (@J0hnnyXm4s)

Slide 55

developer.okta.com/blog
@oktadev

Slide 56

Thanks!

Brian Demers: @briandemers / @bdemers / @bdemers / [email protected]
Matt Raible: @mraible / @mraible / @mraible / [email protected]

https://speakerdeck.com/mraible

Slide 57

developer.okta.com