Slide 1

Pieces of Auth
Chris Cornutt - @enygma

Slide 2

Thanks to our Sponsors! PHP[TEK] 2017

Slide 3

Current State

Slide 4

Current State Evaluation
- Risk assessment
- What controls are in place now?
- Are they working?
- Are they even used?
- Define the users of your system

Slide 5

Current State Evaluation
- Modeling (application and services)
- Compliance requirements (home and abroad)
- Data storage locations
- Policies and procedures

Slide 6

Authentication

Slide 7

Authentication Defined
"The act of confirming the truth of an attribute of a single piece of data (a datum) claimed true by an entity. In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing's identity, authentication is the process of actually confirming that identity."
- Wikipedia

Slide 8

Authentication Methods
- Credential based (username/password, etc)
- One-time use codes
- Third-party services
- Federated identity (OAuth)
- Certificate based

Slide 9

Authentication questions
- What is the minimum you need?
- Should you implement multi-factor? (protip: yes)
- HTTPS all the things
- Am I preventing brute force attacks?
- What is your password policy?

Slide 10

Passwords bringing the pain
- Why won’t you die…
- People are terrible at passwords
- Password policies
- Single point of failure
- Password reuse

Slide 11

Authorization

Slide 12

Authorization Defined
"The function of specifying access rights to resources related to information security and computer security in general and to access control in particular. More formally, "to authorize" is to define an access policy. For example, human resources staff is normally authorized to access employee records and this policy is usually formalized as access control rules in a computer system."
- Wikipedia

Slide 13

Authorization Methods
- Permissions
- Roles
- Access Control List
- Role Based Access Control
- Properties/Policies

Slide 14

Authorization in detail
- On the OWASP Top 10
- Quickly becomes complex
- Multiple layers
- Multiple types

Slide 15

Authorization in detail
- Resource access allowed?
- Data access allowed?
- Action access allowed?
- Does environment matter?

Slide 16

Authorization questions
- What is the minimum you need?
- Where are the highest risk areas?
- Is it user controllable? (admin=true)
- Does it rely on “hidden” functionality?

Slide 17

Session Management

Slide 18

Session Management in detail
- Information about the current user
- Session ID entropy/hash (php.ini setting)
- Cookie protection (HttpOnly, Secure flag, etc)
- Recycle on permission change

Slide 19

Session Management questions
- What information is safe to store?
- Should I encrypt the contents?
- When should it timeout?
- Am I protecting from session fixation?
- Should it be one user at a time or allow multiple?
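The session points from the two slides above (ID entropy via php.ini settings, HttpOnly/Secure cookie flags, recycling the ID on permission change, idle timeout, fixation) as a PHP bootstrap. This is an added example, not code from the talk; the function names and the $_SESSION keys (user_id, roles, last_seen) are assumptions for illustration.

```php
<?php
// Added example: session bootstrap applying the slide's checklist.

function startSecureSession(int $idleTimeout = 900): void
{
    // PHP 7.1+ replaced session.entropy_length / session.hash_function with
    // these two settings: 32 characters x 6 bits = 192 bits of ID entropy.
    ini_set('session.sid_length', '32');
    ini_set('session.sid_bits_per_character', '6');
    // Reject session IDs the server never issued (core session-fixation defence).
    ini_set('session.use_strict_mode', '1');
    // Only accept the ID from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');

    session_start([
        'cookie_httponly' => true,  // not readable from JavaScript
        'cookie_secure'   => true,  // only sent over HTTPS
        'cookie_samesite' => 'Lax', // PHP 7.3+; limits cross-site sending
    ]);

    // Idle timeout: wipe the data and issue a fresh ID if unused for too long.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > $idleTimeout) {
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();
}

// Call whenever the user's permissions change (login, role elevation, logout):
// a new ID is issued and the old one deleted, so an ID captured before the
// change is worthless afterwards.
function recycleSession(): void
{
    session_regenerate_id(true);
}

function login(int $userId, array $roles): void
{
    recycleSession();
    $_SESSION['user_id'] = $userId;
    $_SESSION['roles']   = $roles;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```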

Slide 20

Log All The Things

Slide 21

Log All The Things in detail
- Flying blind without it
- Fine balance between too much and not enough
- Let alerting help (thresholds)
- Graphs never hurt
- NEVER log sensitive data

Slide 22

Log All The Things questions
- What’s important to log in our system?
- What data should be included?
- Should I use a third-party service?
- How can I protect my logs?
- How long should I keep my logs? (compliance)

Slide 23

A Comprehensive Strategy
The worst thing you can do for your application is create a fragmented authentication and authorization solution. Define your needs, lay out a plan and stick with it. Auth flaws can be some of the most dangerous and difficult to find.

Slide 24

Thanks!
Chris Cornutt - @enygma
https://websec.io