Slide 1

Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
Brian Demers and Matt Raible (@briandemers / @mraible)
September 2, 2021

Slide 2

Who are we?
Brian Demers: Open Source Developer and Java Champion. Fun facts: likes to snowboard; into 🐝. @bdemers
Matt Raible: Open Source Developer and Java Champion. Fun facts: likes to ski; into classic VWs ✌. @mraible

Slide 3

Today's Agenda
01 What is Auth? AuthN vs AuthZ
02 App Auth Security Patterns: Web, SPA, Mobile
03 API Auth Security Patterns: Tokens, OAuth, Secrets
04 Infra Auth Security Patterns: Linux, SSH, Docker, Kubernetes
05 Action! How to implement these patterns

Slide 4

01 What is Auth?

Slide 5

Soooo ... Why should you care?

Slide 6

A brief history of Auth
60s: First Password
1977: RSA
1994: SSL
2006: SAML 2.0
2012: OAuth 2.0
2014: OIDC
2017: PKCE

Slide 7

Developer Personas
App Developer: Frontend Developer, Mobile App Developer, Web Developer
API Developer: Java Developer, Backend Developer, probably likes tests
DevOps: System Administrator, Deployer, Operations, Monitoring
Security Concerned: Consultant, Paranoid Geek, security over performance

Slide 8

02 App Auth Security Patterns

Slide 9

Web vs SPA vs Mobile App

Slide 10

HTTP Basic

Slide 11

Form-based Authentication

Slide 12

SAML
[Image: Challenge / Solution]
"SAML is to OIDC as SOAP is to REST." - Joël Franusic (@jf)

Slide 13

JWT Authentication

Slide 14

Why JWTs Suck as Session Tokens - @rdegges on developer.okta.com, 2017
What do we do about JWT? - Security. Cryptography. Whatever. podcast, 2021

Slide 15

OpenID Connect (OIDC) for Auth
[Diagram: Identity Provider 🔒 Verify]

Slide 16

Multi-Factor Authentication (MFA)

Slide 17

Passwordless
password, Password1, Password1!
We like to think we know what we are talking about, at least Okta hasn't fired us yet…

Slide 18

App Auth Security Patterns
HTTP Basic: ⭐
Embedded Auth: ⭐
SAML: ⭐⭐
JWT Auth: ⭐⭐
OpenID Connect: ⭐⭐⭐⭐
MFA: ⭐⭐⭐⭐⭐
Passwordless: ⭐⭐⭐⭐⭐

Slide 19

App Auth Security Patterns: Tired vs Wired
Tired: Apps handling passwords → Wired: Let someone else worry about it
Tired: Stateless to scale → Wired: Sessions are tried and true
Tired: OAuth Implicit Flow → Wired: OAuth Auth Code w/ PKCE
Tired: Sensitive data in URL → Wired: Use headers or the body

Slide 20

03 API Auth Security Patterns

Slide 21

HTTP Basic

    spring:
      cloud:
        config:
          fail-fast: true
          retry:
            initial-interval: 1000
            max-interval: 2000
            max-attempts: 100
          uri: http://admin:${jhipster.registry.password}@localhost:8761/config
          # name of the config server's property source (file.yml) that we want to use
          name: store
          profile: prod # profile(s) of the property source
          label: main # toggle to switch to a different version stored in git
    jhipster:
      registry:
        password: admin
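The config above puts the Basic credentials into the URI itself, which is the "Sensitive data in URL" habit the Tired/Wired slide earlier warns about. The following is an added example, not code from the talk or from JHipster: a small check that finds credentials embedded in configuration URLs (returning a redacted form safe for a CI log) alongside the header form of HTTP Basic, which is where the credential belongs. The sample config lines, hosts and the `hunter2` password are constructed for this example.

```python
"""Added example (not from the talk or JHipster): detect credentials embedded
in configuration URLs and build the Authorization header instead."""
from __future__ import annotations

import base64
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample config lines. The first mirrors the shape of the Spring
# Cloud Config URI on the slide; the hosts and passwords are made up.
SAMPLE_CONFIG = """\
spring.cloud.config.uri: http://admin:${jhipster.registry.password}@localhost:8761/config
registry.url: https://deploy:hunter2@registry.example.test/v2
database.url: jdbc:postgresql://db.example.test:5432/app
api.base: https://api.example.test/
"""

# Anything that looks like scheme://... up to whitespace or a quote.
URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"']+", re.IGNORECASE)


def strip_userinfo(url: str) -> Optional[str]:
    """Return the URL without its user:password@ part, or None if it had none."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def find_embedded_credentials(config_text: str) -> list[tuple[str, str]]:
    """Return (key, redacted_url) for every value whose URL carries credentials.

    The password itself is never returned, so the result can be printed by a
    CI job without leaking it into the build log. Non "key: value" lines are
    ignored.
    """
    findings = []
    for line in config_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        for url in URL_RE.findall(value):
            redacted = strip_userinfo(url)
            if redacted is not None:
                findings.append((key.strip(), redacted))
    return findings


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value for HTTP Basic (RFC 7617).

    A header does not end up in shell history, proxy access logs or crash
    reports the way a URL does.
    """
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    for key, url in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"credential embedded in URL: {key} -> {url}")
    print(basic_auth_header("admin", "hunter2"))
```

Run as a pre-commit or CI step over the repository's property files; any finding means the value should move to an environment variable or secret store and be sent in the header.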

Slide 22

Tokens

Slide 23

OAuth 2.0
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

Slide 24

OAuth 2.0

Slide 25

OAuth 2.0

Slide 26

OAuth 2.1
https://oauth.net/2.1
Authorization Code + PKCE
Client Credentials
Device Grant
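Authorization Code + PKCE is the flow OAuth 2.1 keeps for public clients and the "Wired" replacement for the Implicit Flow named on the App Auth Tired/Wired slide. As an added example (not code from the talk), here is the RFC 7636 exchange worked through on both sides: the client derives a `code_challenge` from a random `code_verifier`, sends only the challenge with the authorization request, and proves possession of the verifier at the token endpoint. The `AuthorizationServer` class, its in-memory code store and the client id `spa` are constructed stand-ins for a real authorization server.

```python
"""Added example (not from the talk): Authorization Code + PKCE per RFC 7636,
client side plus a toy authorization server that enforces S256 and
single-use codes."""
from __future__ import annotations

import base64
import hashlib
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 4.1: high-entropy random string of 43..128 chars from
    [A-Za-z0-9-._~]. 32 random bytes base64url-encode to exactly 43 chars."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge(verifier: str) -> str:
    """RFC 7636 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """RFC 7636 4.6: the server recomputes the challenge and compares it."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge(presented_verifier), stored_challenge)


class AuthorizationServer:
    """Constructed toy authorization endpoint + token endpoint."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}  # code -> (client_id, challenge)

    def authorize(self, client_id: str, challenge: str, method: str = "S256") -> str:
        # The authorization request carries only the challenge; the verifier
        # stays on the client until the token request.
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' exposes the verifier")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, challenge)
        return code

    def token(self, client_id: str, code: str, verifier: str) -> Optional[dict]:
        entry = self._pending.pop(code, None)  # consumed: replaying a code fails
        if entry is None or entry[0] != client_id:
            return None
        if not verify_code_verifier(entry[1], verifier):
            return None  # a code without its matching verifier is worthless
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}


def run_flow(server: AuthorizationServer, client_id: str = "spa") -> bool:
    """Client side of the exchange: verifier -> challenge -> code -> token."""
    verifier = new_code_verifier()
    code = server.authorize(client_id, code_challenge(verifier))
    return server.token(client_id, code, verifier) is not None


if __name__ == "__main__":
    print("flow succeeded:", run_flow(AuthorizationServer()))
```

The test vector in RFC 7636 Appendix B (`dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` must hash to `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a quick way to confirm any PKCE implementation is encoding correctly.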

Slide 27

OAuth Client Credentials

Slide 28

API Gateway
[Diagram: a { Rest } Client calls the API Gateway, which routes /dogs, /cats and /fish to separate backend apps]

Slide 29

Use API SDKs

Slide 30

Encrypt and Rotate Secrets

Slide 31

RBAC and ACLs
[Diagram: Users, Groups, Privileges]
Groups: Admin, User, Help Desk
Privileges: Record: Read, Record: Create, Record: Update, Record: Delete
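To make the slide concrete, this added example (not code from the talk) implements a deny-by-default authorization check that layers the two mechanisms: RBAC maps users to the groups and record privileges named above, and per-record ACLs grant extra access on one object only. The group-to-privilege assignments, user memberships and ACL entries are constructed for the example.

```python
"""Added example (not from the talk): RBAC (users -> groups -> privileges)
with per-record ACLs layered on top, deny by default."""
from __future__ import annotations

from enum import Enum


class Privilege(str, Enum):
    READ = "record:read"
    CREATE = "record:create"
    UPDATE = "record:update"
    DELETE = "record:delete"


# RBAC: which privileges each group carries (constructed assignment).
GROUP_PRIVILEGES: dict[str, frozenset[Privilege]] = {
    "Admin": frozenset(Privilege),
    "Help Desk": frozenset({Privilege.READ, Privilege.UPDATE}),
    "User": frozenset({Privilege.READ}),
}

# Group membership per user (constructed).
USER_GROUPS: dict[str, frozenset[str]] = {
    "alice": frozenset({"Admin"}),
    "bob": frozenset({"User"}),
    "carol": frozenset({"User", "Help Desk"}),
}

# ACLs: per-record grants on top of the roles (constructed).
RECORD_ACLS: dict[str, dict[str, frozenset[Privilege]]] = {
    "record-42": {
        "bob": frozenset({Privilege.READ, Privilege.UPDATE}),  # owner of this record
        "dave": frozenset({Privilege.READ}),                   # shared; dave has no group
    },
}


def role_privileges(user: str) -> frozenset[Privilege]:
    """Union of the privileges of every group the user belongs to.
    Unknown users and unknown groups contribute nothing."""
    granted: set[Privilege] = set()
    for group in USER_GROUPS.get(user, frozenset()):
        granted |= GROUP_PRIVILEGES.get(group, frozenset())
    return frozenset(granted)


def authorize(user: str, privilege: Privilege, record_id: str | None = None) -> bool:
    """Deny by default. A role grant applies to every record; an ACL entry
    applies only to the record it names."""
    if privilege in role_privileges(user):
        return True
    if record_id is None:
        return False
    return privilege in RECORD_ACLS.get(record_id, {}).get(user, frozenset())


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "mallory"):
        print(user, sorted(p.value for p in role_privileges(user)),
              "update record-42:", authorize(user, Privilege.UPDATE, "record-42"))
```

Keeping the lookup tables separate from `authorize` is deliberate: the policy data can come from the identity provider (groups) and the application database (ACLs) while the decision logic stays one small, testable function.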

Slide 32

API Auth Security Patterns
HTTP Basic: ⭐⭐
Tokens: ⭐⭐⭐
API SDKs: ⭐⭐⭐⭐
OAuth 2.1: ⭐⭐⭐⭐⭐
Encrypt Secrets: ⭐⭐⭐⭐⭐
RBAC and ACLs: ⭐⭐⭐⭐⭐
API Gateway: ⭐⭐⭐⭐⭐

Slide 33

API Auth Security Patterns: Tired vs Wired
Tired: Build it yourself → Wired: Use existing libraries
Tired: Static API Tokens → Wired: Short lived access tokens
Tired: CORS wildcard → Wired: Restrict access with CORS
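"Restrict access with CORS" means an explicit origin allow-list rather than `Access-Control-Allow-Origin: *`. This added example (not code from the talk) shows the allow-list check the way a server should do it: compare the whole normalized origin, never a prefix or substring, and reject values that are not a web origin at all. The allowed origins are constructed for the example.

```python
"""Added example (not from the talk): CORS origin allow-list versus wildcard,
with the comparison rules that usually go wrong."""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed allow-list; a real one would come from configuration.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.test",
    "https://admin.example.test:8443",
})


def normalize_origin(origin: str) -> str | None:
    """Canonical scheme://host[:port] form of an Origin header value, or None
    when it is not a usable web origin ("null", a bare host, a path, ...)."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is not None and port != default:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def cors_headers(origin: str | None, allowed: frozenset[str] = ALLOWED_ORIGINS) -> dict[str, str]:
    """Response headers for a request from `origin`; an empty dict means deny.

    Matching is on the whole normalized origin, so "https://app.example.test.other.test"
    (a different registrable domain) and "http://app.example.test" (different
    scheme) both fall into the deny branch. Because credentials are allowed,
    the header must echo the specific origin: browsers reject "*" together
    with Access-Control-Allow-Credentials.
    """
    if origin is None:
        return {}
    norm = normalize_origin(origin)
    if norm is None or norm not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": norm,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # stop caches serving one origin's answer to another
    }


def wildcard_headers() -> dict[str, str]:
    """The 'tired' configuration: every origin may read the response.
    Only defensible for genuinely public, unauthenticated resources."""
    return {"Access-Control-Allow-Origin": "*"}


if __name__ == "__main__":
    for o in ("https://app.example.test", "https://APP.example.test:443",
              "https://app.example.test.other.test", "http://app.example.test", "null"):
        print(o, "->", cors_headers(o) or "denied")
```

Note the `Vary: Origin` header: once the allowed value depends on the request, a shared cache must not reuse the response for a different origin.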

Slide 34

04 Infra Auth Security Patterns

Slide 35

Linux
[Image: Challenge / Solution; Tux by Larry Ewing]
"Software is Automation and Automation is less toil." - Mark Shuttleworth, Canonical CEO

Slide 36

SSH with Keys
https://www.ssh.com/academy/ssh/protocol

Slide 37

Certificates
[Image: CC BY 3.0, EFF.org]

Slide 38

SSO for Servers
Active Directory
Pluggable Authentication Modules (PAM) for Linux
Okta's Advanced Server Access
https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam

Slide 39

Scan Docker Images

Slide 40

Know Your Cloud and Cluster Security
https://twitter.com/acloudguru/status/1344724013122260993

Slide 41

The 4C's of Cloud Native Security
https://kubernetes.io/docs/concepts/security/overview/

Slide 42

Kubernetes Tips
Only expose what needs to be public
Scan and update Kubernetes YAML
Check out Kubescape
https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes

Slide 43

Encrypt Kubernetes Secrets

    apiVersion: v1
    kind: Secret
    metadata:
      name: registry-secret
      namespace: demo
    type: Opaque
    data:
      registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64 encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"
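The comment on the slide makes the point: base64 is an encoding, not encryption, so a Secret manifest committed to a repository carries its value in the clear. This added example (not code from the talk) does two things a practitioner wants: it recovers the values of a Secret to show exactly how little the encoding protects, and it provides a repository check that flags every Secret key committed in recoverable form. Manifests are handled as already-parsed dicts (what `yaml.safe_load` would return); the copy of the slide's Secret and the ConfigMap below are constructed inputs.

```python
"""Added example (not from the talk): Kubernetes Secret `data` is only
base64; decode it, and flag Secrets committed in recoverable form."""
from __future__ import annotations

import base64
import binascii

# The Secret from the slide, as a parsed manifest (constructed copy).
SLIDE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "registry-secret", "namespace": "demo"},
    "type": "Opaque",
    "data": {
        "registry-admin-password": "ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4",
    },
}

# A ConfigMap is not a Secret and must not be flagged (constructed).
SAMPLE_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "app-config", "namespace": "demo"},
    "data": {"LOG_LEVEL": "info"},
}


def decode_secret_data(manifest: dict) -> dict[str, str]:
    """Recover the values of a Secret manifest.

    Anyone who can read the manifest (git history, a CI log, the output of
    `kubectl get secret -o yaml`) has the plaintext; `stringData` is not even
    encoded.
    """
    out: dict[str, str] = {}
    for key, value in manifest.get("data", {}).items():
        try:
            out[key] = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            out[key] = "<not valid base64 text>"
    out.update(manifest.get("stringData", {}))
    return out


def find_plaintext_secrets(manifests: list[dict]) -> list[tuple[str, str]]:
    """Return (namespace/name, key) for every Secret key present in recoverable form.

    Meant as a repository check: a hit means the value should come from an
    external secret store or be encrypted before it is committed, and the
    cluster should additionally encrypt Secrets at rest.
    """
    findings = []
    for m in manifests:
        if m.get("kind") != "Secret":
            continue
        meta = m.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for key in list(m.get("data", {})) + list(m.get("stringData", {})):
            findings.append((ref, key))
    return findings


if __name__ == "__main__":
    print(decode_secret_data(SLIDE_SECRET))
    for ref, key in find_plaintext_secrets([SAMPLE_CONFIGMAP, SLIDE_SECRET]):
        print(f"recoverable secret committed: {ref} key={key}")
```

Wire `find_plaintext_secrets` into the same "scan and update Kubernetes YAML" step the Kubernetes Tips slide recommends, so a Secret manifest never reaches the default branch unencrypted.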

Slide 44

Automation is Key
[Image: WSJ]

Slide 45

Infra Auth Security Patterns
Linux: ⭐⭐⭐⭐⭐
SSH with Keys: ⭐⭐⭐
Certificates: ⭐⭐⭐⭐
SSO for Servers: ⭐⭐⭐⭐⭐
Scan Docker Images: ⭐⭐⭐⭐⭐
Encrypt K8s Secrets: ⭐⭐⭐⭐⭐
Automate Your Infra: ⭐⭐⭐⭐⭐

Slide 46

Infra Auth Security Patterns: Tired vs Wired
Tired: FROM some-large-image:1.2.3 → Wired: Use minimal images
Tired: Secrets in Images → Wired: HashiCorp Vault
Tired: Shared Credentials → Wired: Limit Access

Slide 47

05 Action!

Slide 48

Action: How to codify these patterns?
Spring Security

Slide 49

Action: How to test for lack of patterns?
https://implicitdetector.io
Audit Server Access

Slide 50

Action: How to test for vulnerabilities?

Slide 51

What about ?

Slide 52

"The OWASP Top 10 really hasn't changed all that much in the last ten years." - Johnny Xmas (@J0hnnyXm4s)

Slide 53

developer.okta.com/blog
@oktadev

Slide 54

Thanks!
Brian Demers: @briandemers, @bdemers, @bdemers, [email protected]
Matt Raible: @mraible, @mraible, @mraible, [email protected]
https://speakerdeck.com/mraible

Slide 55

developer.okta.com