AtlasCamp 2014: Connect Security


To make add-ons in Atlassian OnDemand successful with Atlassian Connect, they have to be secure. Learn what security features Connect provides and why. This session will include:

• Fun security brain teasers!
• Tips on avoiding common pitfalls with Connect add-ons
• A sneak peek at future security features we will introduce for Connect


Transcript

  • 1. June 3-5, 2014 | Berlin, Germany
  • 2. Peter Brownlow, Senior Java Developer, Atlassian Connect Security
  • 3. Connect add-ons 3.500 installs from Marketplace
  • 4. in-process plugins 1.500.000 installs from Marketplace
  • 5. grow 500x tension between security & usability overtake in-process plugins
  • 6. “Don’t #@!% the customer.” - Atlassian value
  • 7. Questions Sneak Peeks Authorization Authentication Connect Security
  • 8. Authentication: “Who said that?”
  • 9. Who sent the letter? sender signature
  • 10. Was the letter tampered with? !!! tampering “looks wrong”
  • 11. Was the letter re-sent? too long ago? postmark
  • 12. JSON Web Tokens: host product → add-on (params, token), e.g. https://mycompany.com/awsome?user.key=peter&jwt=… ; also via the “Authorization” HTTP header
  • 13. JSON Web Tokens • structured • header JSON • claims JSON • signature • base-64 encoded
    {"typ":"JWT", "alg":"HS256"} . {"iss":"myId", "exp":1300819380} . "signature" eyJ0eXAiOi12KL98udNfg8z…
  • 14. JSON Web Tokens. Letter: sender; signature; changes “look wrong”; postmark date. JWT: issuer claim; cryptographic signature; signature + query hash claim; expiry claim
  • 15. Questions Sneak Peeks Authorization Authentication Connect Security
  • 16. Authorization: “Can you do that?”
  • 17. Authorization. Scopes: compare to a white-list. Who can see the aliens? generals / interns
  • 18. Authorization
  • 19. Authorization. “How did that guy get in here?” How to avoid “security surprise”? Scopes displayed on installation!
  • 20. Authorization
  • 21. Authorization. Personal access changes arbitrarily. Add-on user permissions: how to accurately allow access?
  • 22. Authorization
  • 23. Authorization
  • 24. Questions Sneak Peeks Authorization Authentication Connect Security
  • 25. Sneak Peeks: “ideas in motion”
  • 26. More Custom JWT Claims? • Headers hash • Body hash
  • 27. JWT expiry improvements • User loads page • Goes to lunch • Comes back, clicks link… • Expired! • Secure! But less usable. • On click: no expiry • JavaScript API?
  • 28. Three Legged Auth • Act as a specified user • Authorized by users • Server to server • 3LA Granted? • Query parameters • REST resource
  • 29. Recap • Authentication • Who said that? • JWT claims • JWT signature • Authorization • Can you do that? • Scopes (static) • User permissions (dynamic)
  • 30. Questions Sneak Peeks Authorization Authentication Connect Security
  • 31. Questions? go.atlassian.com/ac-security
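The checks slides 12-14 and the recap describe (issuer claim, HMAC signature, query hash claim, expiry claim), worked through as an added example that is not code from the talk or from Atlassian Connect itself. It uses only the standard library; the canonical-request rules behind the query hash (qsh) follow my reading of the Connect documentation and are labelled as an assumption in the code, and the shared secret and issuer values are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import quote

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def query_hash(method: str, path: str, params: dict) -> str:
    # qsh claim: SHA-256 hex of "METHOD&PATH&canonical query"; my reading of the Connect
    # rules (assumption): drop jwt, sort names, sort+comma-join repeated values, percent-encode.
    parts = []
    for name in sorted(k for k in params if k != "jwt"):
        values = params[name] if isinstance(params[name], list) else [params[name]]
        encoded = ",".join(quote(v, safe="~") for v in sorted(values))
        parts.append(f"{quote(name, safe='~')}={encoded}")
    canonical = f"{method.upper()}&{path.rstrip('/') or '/'}&{'&'.join(parts)}"
    return hashlib.sha256(canonical.encode()).hexdigest()

def issue(secret: bytes, issuer: str, method: str, path: str, params: dict, ttl=180, now=None) -> str:
    # Compact token: base64url(header).base64url(claims).base64url(HMAC-SHA256 over the first two)
    now = int(time.time()) if now is None else now
    dumps = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": issuer, "iat": now, "exp": now + ttl, "qsh": query_hash(method, path, params)}
    signing_input = f"{b64url(dumps(header))}.{b64url(dumps(claims))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify(token: str, secrets: dict, method: str, path: str, params: dict, now=None) -> dict:
    # The three slide questions: who sent it (iss -> shared secret), was it
    # tampered with (signature, qsh), is it too old or replayed later (exp).
    now = int(time.time()) if now is None else now
    h, c, s = token.split(".")  # anything but three segments is a ValueError
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    claims = json.loads(b64url_decode(c))
    secret = secrets.get(claims.get("iss"))
    if secret is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("qsh") != query_hash(method, path, params):
        raise ValueError("query hash mismatch")
    return claims
```

Because qsh binds the token to the method, path and query string, a valid token lifted from one request cannot be replayed against a different resource even before it expires.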