Blibli Web Application Security Policy Enforcement Point
Presented by Yudhi Karunia Surtan
Introduction
Yudhi Karunia Surtan
Work code name: Jon
Email: yudhi.k.surtan@gdn-commerce.com
Competition achievement: Hackathon Bandung 2012, SoftLayer challenge, 1st winner
Professional experience: 12 years
Skill concentration: performance and security
Title: Senior Principal Software Development Engineer
Software Security?
Software security is the practice of protecting software against malicious attack and other hacker risks so that it keeps functioning correctly while under attack. Its goal is to provide confidentiality, integrity, availability and authentication.
Our Session Overview
• Blibli IT Department Facts
• Blibli Enterprise Architecture Overview
• Architecture Advantages vs Disadvantages (Security)
• Solution
• Chosen Technology Overview
• How To Combine All Technologies Together
• Authentication And Authorization Architecture
• Behind The Great Idea
• What We at Blibli.com Achieved
• What We at Blibli.com Learned
Blibli IT Department Facts
• > 80 microservices (UI and API) for both internal and external customers
• > 100 developers
• > 20 teams
• 3-week release cycle
• < 500 ms application response time goal (soft agreement)
• < 4 seconds end-user response time
Blibli Enterprise Architecture Overview
[Diagram, microservices: UI services (UI A-1, UI B-1, UI B-2) sit behind load balancers (LB) and call API services (API A-1, API A-2, API B-1, API B-2), which sit behind their own load balancers.]
The Advantages of the Architecture
• Independent teams and development cycles
• Rapid software development
• Each microservice maintains its own data
• Problem and bug isolation
The Disadvantages of the Architecture (Security)
• Does one user role mean the same thing across all the UIs?
• Are users duplicated across all the UIs?
• How does each application check the role?
• Can a role be changed at runtime?
• Must the user log in again every time they switch to another UI service?
• Etc. (Did anyone spot problems in the previous slide?)
Solution
• Build a UI framework that abstracts authentication and authorization, so developers do not have to declare them explicitly during development.
• Centralize the user repository for easier maintenance.
• Single sign-on and single sign-off.
• Developers create roles from a functionality point of view; business users map them to their own role names.
Chosen Technology Overview
• Spring Security
A Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications.
• Apereo CAS
The Central Authentication Service project, more commonly referred to as CAS, is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user.
• Apache Fortress
A standards-based (ANSI RBAC, INCITS 359) access management system, written in Java, that provides role-based access control, delegated administration and password policy services on top of LDAP.
Combine All the Technologies
• Apereo CAS acts as the provider for single sign-on and single sign-off.
• Apache Fortress provides authorization and the whitelist of security policies.
• Spring Security is the main development framework in which the authentication and authorization logic is wired up.
• A template project lets developers set up their own project from the same baseline.
Authentication and Authorization Architecture
[Diagram: the user sends an HTTP request to a UI service; the UI service delegates authentication to CAS and calls the API service over RESTful calls; authorization decisions are answered by Fortress, backed by LDAP.]
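The exchange the diagram describes, modelled in Python as an added example rather than code from the deck or from Blibli: the UI service redirects the browser to CAS, CAS hands back a service ticket, the UI service validates it against /serviceValidate, a second UI service reuses the SSO session without a new login, and single sign-off tells every signed-in service to drop its session. The CasServer class, the service URLs and the user name are stand-ins so that it runs offline; a real deployment talks to the CAS server over HTTPS and Spring Security's CAS support does the client side.

```python
"""Model of the Apereo CAS 2.0 service-ticket exchange and single logout.

Added illustration, not Blibli's code. In production the UI service validates
tickets over HTTPS against the CAS server's /serviceValidate endpoint; the
CasServer class here is a stand-in so the exchange runs offline. Service URLs
and user names are made up.
"""
import secrets
import time
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace used in real /serviceValidate XML
TICKET_TTL_SECONDS = 10                 # a service ticket is redeemed immediately or not at all


def _tag(name: str) -> str:
    return "{%s}%s" % (CAS_NS, name)


class CasServer:
    """Stand-in for the CAS server: owns the SSO session (TGT) and issues service tickets (ST)."""

    def __init__(self) -> None:
        self._sso: Dict[str, Tuple[str, Dict[str, str]]] = {}       # TGT -> (user, {service: ST})
        self._tickets: Dict[str, Tuple[str, str, float, str]] = {}  # ST -> (user, service, issued_at, TGT)

    def login(self, user: str, service: str) -> Tuple[str, str]:
        """The only place a password is checked (omitted here): create the SSO session and first ST."""
        tgt = "TGT-" + secrets.token_urlsafe(16)
        self._sso[tgt] = (user, {})
        return tgt, self.issue_service_ticket(tgt, service)

    def issue_service_ticket(self, tgt: str, service: str) -> str:
        """A second UI service reuses the SSO session: no new login prompt (single sign-on)."""
        user, services = self._sso[tgt]
        st = "ST-" + secrets.token_urlsafe(16)
        self._tickets[st] = (user, service, time.time(), tgt)
        services[service] = st
        return st

    def service_validate(self, service: str, ticket: str, now: Optional[float] = None) -> str:
        """Mirror of /serviceValidate. Per the CAS protocol the ticket is consumed by the first
        validation attempt, successful or not, and must match the service it was issued for."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)    # pop: a replayed ticket fails
        root = ET.Element(_tag("serviceResponse"))
        if entry is None:
            ET.SubElement(root, _tag("authenticationFailure"), code="INVALID_TICKET").text = \
                "ticket not recognized"
        elif entry[1] != service:
            ET.SubElement(root, _tag("authenticationFailure"), code="INVALID_SERVICE").text = \
                "ticket was issued for a different service"
        elif now - entry[2] > TICKET_TTL_SECONDS:
            ET.SubElement(root, _tag("authenticationFailure"), code="INVALID_TICKET").text = \
                "ticket expired"
        else:
            ok = ET.SubElement(root, _tag("authenticationSuccess"))
            ET.SubElement(ok, _tag("user")).text = entry[0]
        return ET.tostring(root, encoding="unicode")

    def logout(self, tgt: str) -> List[Tuple[str, str]]:
        """Single sign-off: destroy the SSO session and return (service, SessionIndex) pairs,
        the back-channel logoutRequest CAS posts to every service that signed in on this TGT."""
        _user, services = self._sso.pop(tgt)
        self._tickets = {st: v for st, v in self._tickets.items() if v[3] != tgt}
        return sorted(services.items())


def login_redirect(cas_base: str, service: str) -> str:
    """Where the UI service sends an unauthenticated browser (Spring Security's CAS entry point)."""
    return cas_base + "/login?" + urlencode({"service": service})


def validate_ticket(cas: CasServer, service: str, ticket: str,
                    now: Optional[float] = None) -> Optional[str]:
    """What the UI service's CAS filter does with ?ticket=ST-...: returns the user, or None."""
    root = ET.fromstring(cas.service_validate(service, ticket, now))
    user = root.find("./%s/%s" % (_tag("authenticationSuccess"), _tag("user")))
    return user.text if user is not None else None


if __name__ == "__main__":
    cas = CasServer()
    ui_a, ui_b = "https://ui-a.example/login/cas", "https://ui-b.example/login/cas"
    tgt, st = cas.login("alice", ui_a)            # one password prompt
    print(login_redirect("https://cas.example/cas", ui_a))
    print(validate_ticket(cas, ui_a, st))         # alice
    print(validate_ticket(cas, ui_a, st))         # None: replay is refused
    st_b = cas.issue_service_ticket(tgt, ui_b)    # SSO into the second UI
    print(validate_ticket(cas, ui_b, st_b))       # alice
    print(cas.logout(tgt))                        # both services get a logoutRequest
```

The three ways a ticket fails (replay, wrong service, expiry) are the properties worth checking in a deployment: a service ticket that can be validated twice, or by a service it was not issued for, turns the SSO hop into a bearer token that any compromised UI can reuse against its neighbours.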
Behind the Great Idea
There were also other problems to solve:
1. How to keep developers from hard-coding role names in their code, especially in the JavaScript/presentation layer where a button is hidden.
2. How to trim the response by role, so that information one role does not need is hidden from the others.
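One way to take both problems off the developer, together with the "roles by functionality" idea from the Solution slide, in Python (an added example, not Blibli's framework; Fortress and LDAP are replaced by an in-memory dict, and all permission names, roles and the sample order are made up): application code asks for a functional permission in RBAC object:operation form, business users own the mapping from their role names to those permissions, the presentation layer receives the set of permitted actions instead of role names, and the API trims response fields by the caller's permissions before anything reaches the browser.

```python
"""Functional permissions mapped to business role names, with response trimming by role.

Added example, not Blibli's framework. The deck stores permissions and role
mappings in Apache Fortress over LDAP; a dict stands in here so the logic runs
offline. All permission names, roles and the sample order are made up.
"""
from typing import Dict, FrozenSet, Iterable, Set

# Developers declare what an action is (RBAC object:operation), never which role may do it.
PERM_ORDER_VIEW = "order:view"
PERM_ORDER_REFUND = "order:refund"
PERM_CUSTOMER_PII = "customer:view_pii"

# Business users map their own role names to permissions (stand-in for the Fortress store).
# Renaming a role or re-mapping it changes this table only, never application code.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "cs_agent":   frozenset({PERM_ORDER_VIEW}),
    "cs_lead":    frozenset({PERM_ORDER_VIEW, PERM_ORDER_REFUND}),
    "fraud_desk": frozenset({PERM_ORDER_VIEW, PERM_CUSTOMER_PII}),
}

# Each sensitive response field names the permission it needs; unlisted fields are visible
# to anyone allowed to view the order at all.
ORDER_FIELD_PERMISSIONS: Dict[str, str] = {
    "customer_email": PERM_CUSTOMER_PII,
    "customer_phone": PERM_CUSTOMER_PII,
    "refund_token":   PERM_ORDER_REFUND,
}

# Constructed sample record, as an API service might load it from its own database.
SAMPLE_ORDER: Dict[str, object] = {
    "order_id": "ORD-1001",
    "total": 250000,
    "customer_email": "buyer@example.com",
    "customer_phone": "+62-800-000-0000",
    "refund_token": "rt-9f3a",
}


def effective_permissions(roles: Iterable[str]) -> Set[str]:
    """Union of permissions over the caller's roles; an unknown role grants nothing."""
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def can(roles: Iterable[str], permission: str) -> bool:
    """The only access check application code makes: by functionality, not by role name."""
    return permission in effective_permissions(roles)


def ui_actions(roles: Iterable[str]) -> Set[str]:
    """What the presentation layer asks for instead of role names: the permitted actions,
    from which it decides which buttons to render. Hiding a button is convenience only."""
    return effective_permissions(roles)


def trim_response(record: Dict[str, object], roles: Iterable[str]) -> Dict[str, object]:
    """Server-side trimming: drop the fields the caller's permissions do not cover, so a
    role never receives data it may not see even if the UI would have hidden it."""
    if not can(roles, PERM_ORDER_VIEW):
        return {}
    perms = effective_permissions(roles)
    return {
        field: value
        for field, value in record.items()
        if field not in ORDER_FIELD_PERMISSIONS or ORDER_FIELD_PERMISSIONS[field] in perms
    }


def refund_order(record: Dict[str, object], roles: Iterable[str]) -> str:
    """The enforcement point for a state-changing action lives in the API, not in the button."""
    if not can(roles, PERM_ORDER_REFUND):
        raise PermissionError("refund requires %s" % PERM_ORDER_REFUND)
    return "refund issued for %s" % record["order_id"]


if __name__ == "__main__":
    for roles in (["cs_agent"], ["cs_lead"], ["fraud_desk"], ["cs_agent", "fraud_desk"]):
        print(roles, sorted(ui_actions(roles)), trim_response(SAMPLE_ORDER, roles))
```

The JavaScript side then renders the refund button only when "order:refund" is in the action set it received, but refund_order still refuses the call for a caller without that permission: the hidden button is presentation, the API check is the policy enforcement point.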
What We at Blibli Achieved
• Decoupled business and application logic from security authorization
• More productive development and more predictable software
• User-role security that is easy to maintain
• A single user repository for all internal applications
What We at Blibli.com learned
Any Questions?
THANK YOU

More Related Content

What's hot

Micro Focus Filr - #MFSummit2017
Micro Focus Filr - #MFSummit2017Micro Focus Filr - #MFSummit2017
Micro Focus Filr - #MFSummit2017Micro Focus
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Kevin Fealey
 
Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas Destor
 
OReilly Software Architecture Conference: Architecture as code - objective m...
OReilly Software Architecture Conference:  Architecture as code - objective m...OReilly Software Architecture Conference:  Architecture as code - objective m...
OReilly Software Architecture Conference: Architecture as code - objective m...PaulaPaulSlides
 
Connect Bridge - Basic intoduction deck
Connect Bridge - Basic intoduction deckConnect Bridge - Basic intoduction deck
Connect Bridge - Basic intoduction deckGregor Vogrin
 
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Black Duck by Synopsys
 
BlackDuck Suite
BlackDuck SuiteBlackDuck Suite
BlackDuck Suitejeff cheng
 
Agile software security assurance
Agile software security assuranceAgile software security assurance
Agile software security assuranceOllie Whitehouse
 
Don't Let Open Source be the Deal Breaker In Your M&A
Don't Let Open Source be the Deal Breaker In Your M&A Don't Let Open Source be the Deal Breaker In Your M&A
Don't Let Open Source be the Deal Breaker In Your M&A Black Duck by Synopsys
 
Training Webinar: Fitting OutSystems applications into Enterprise Architecture
Training Webinar: Fitting OutSystems applications into Enterprise ArchitectureTraining Webinar: Fitting OutSystems applications into Enterprise Architecture
Training Webinar: Fitting OutSystems applications into Enterprise ArchitectureOutSystems
 
What's New In Entando 6 (And Why Your Developers Will Love It)
What's New In Entando 6 (And Why Your Developers Will Love It)What's New In Entando 6 (And Why Your Developers Will Love It)
What's New In Entando 6 (And Why Your Developers Will Love It)Entando
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub Black Duck by Synopsys
 
Do you need microservices architecture?
Do you need microservices architecture?Do you need microservices architecture?
Do you need microservices architecture?Manu Pk
 
Enable DevSecOps using JIRA Software
Enable DevSecOps using JIRA SoftwareEnable DevSecOps using JIRA Software
Enable DevSecOps using JIRA SoftwareAUGNYC
 
Windows 7 v/ Kristian Svantorp Microsoft
Windows 7 v/ Kristian Svantorp MicrosoftWindows 7 v/ Kristian Svantorp Microsoft
Windows 7 v/ Kristian Svantorp Microsoftguestb7fda43
 
DevOps Security: A New Paradigm
DevOps Security: A New ParadigmDevOps Security: A New Paradigm
DevOps Security: A New ParadigmTripwire
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
[WSO2 API Day Chicago 2019] Sustainable Competitive Advantage
[WSO2 API Day Chicago 2019] Sustainable Competitive Advantage [WSO2 API Day Chicago 2019] Sustainable Competitive Advantage
[WSO2 API Day Chicago 2019] Sustainable Competitive Advantage WSO2
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product SecuritySoftServe
 

What's hot (20)

Micro Focus Filr - #MFSummit2017
Micro Focus Filr - #MFSummit2017Micro Focus Filr - #MFSummit2017
Micro Focus Filr - #MFSummit2017
 
Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...Static Application Security Testing Strategies for Automation and Continuous ...
Static Application Security Testing Strategies for Automation and Continuous ...
 
Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018
 
OReilly Software Architecture Conference: Architecture as code - objective m...
OReilly Software Architecture Conference:  Architecture as code - objective m...OReilly Software Architecture Conference:  Architecture as code - objective m...
OReilly Software Architecture Conference: Architecture as code - objective m...
 
Connect Bridge - Basic intoduction deck
Connect Bridge - Basic intoduction deckConnect Bridge - Basic intoduction deck
Connect Bridge - Basic intoduction deck
 
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
 
BlackDuck Suite
BlackDuck SuiteBlackDuck Suite
BlackDuck Suite
 
Agile software security assurance
Agile software security assuranceAgile software security assurance
Agile software security assurance
 
Don't Let Open Source be the Deal Breaker In Your M&A
Don't Let Open Source be the Deal Breaker In Your M&A Don't Let Open Source be the Deal Breaker In Your M&A
Don't Let Open Source be the Deal Breaker In Your M&A
 
Training Webinar: Fitting OutSystems applications into Enterprise Architecture
Training Webinar: Fitting OutSystems applications into Enterprise ArchitectureTraining Webinar: Fitting OutSystems applications into Enterprise Architecture
Training Webinar: Fitting OutSystems applications into Enterprise Architecture
 
What's New In Entando 6 (And Why Your Developers Will Love It)
What's New In Entando 6 (And Why Your Developers Will Love It)What's New In Entando 6 (And Why Your Developers Will Love It)
What's New In Entando 6 (And Why Your Developers Will Love It)
 
Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub FLIGHT Amsterdam Presentation - From Protex to Hub
FLIGHT Amsterdam Presentation - From Protex to Hub
 
Do you need microservices architecture?
Do you need microservices architecture?Do you need microservices architecture?
Do you need microservices architecture?
 
Enable DevSecOps using JIRA Software
Enable DevSecOps using JIRA SoftwareEnable DevSecOps using JIRA Software
Enable DevSecOps using JIRA Software
 
Windows 7 v/ Kristian Svantorp Microsoft
Windows 7 v/ Kristian Svantorp MicrosoftWindows 7 v/ Kristian Svantorp Microsoft
Windows 7 v/ Kristian Svantorp Microsoft
 
DevOps Security: A New Paradigm
DevOps Security: A New ParadigmDevOps Security: A New Paradigm
DevOps Security: A New Paradigm
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
[WSO2 API Day Chicago 2019] Sustainable Competitive Advantage
[WSO2 API Day Chicago 2019] Sustainable Competitive Advantage [WSO2 API Day Chicago 2019] Sustainable Competitive Advantage
[WSO2 API Day Chicago 2019] Sustainable Competitive Advantage
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 

Similar to Blibli Web Application Security Policy Enforcement Point

7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodromDoina Draganescu
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudGetting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudRevelation Technologies
 
Subhajit das resume_2015
Subhajit das resume_2015Subhajit das resume_2015
Subhajit das resume_2015Subhajit Das
 
Subhajit_Das_Resume_2015
Subhajit_Das_Resume_2015Subhajit_Das_Resume_2015
Subhajit_Das_Resume_2015Subhajit Das
 
Introduction-to-the-Waterfall-Model.pptx
Introduction-to-the-Waterfall-Model.pptxIntroduction-to-the-Waterfall-Model.pptx
Introduction-to-the-Waterfall-Model.pptxAsadBaig49
 
Webinar: APPSeCONNECT Product Updates 2019 - Major Highlights
Webinar: APPSeCONNECT Product Updates 2019 - Major HighlightsWebinar: APPSeCONNECT Product Updates 2019 - Major Highlights
Webinar: APPSeCONNECT Product Updates 2019 - Major HighlightsAPPSeCONNECT
 
Wise Men Oracle Mobility Webinar- 11-December-2014
Wise Men Oracle Mobility Webinar- 11-December-2014Wise Men Oracle Mobility Webinar- 11-December-2014
Wise Men Oracle Mobility Webinar- 11-December-2014Wise Men
 
5.10 years Expetience in Asp.net with MVC
5.10 years Expetience in Asp.net with MVC5.10 years Expetience in Asp.net with MVC
5.10 years Expetience in Asp.net with MVCprashant zope
 
Malli Resume_30 Jun 2012
Malli Resume_30 Jun 2012Malli Resume_30 Jun 2012
Malli Resume_30 Jun 2012mallikarjun ch
 

Similar to Blibli Web Application Security Policy Enforcement Point (20)

Profile_Ahmad2
Profile_Ahmad2Profile_Ahmad2
Profile_Ahmad2
 
The user s identities
The user s identitiesThe user s identities
The user s identities
 
Abhishek latest
Abhishek latestAbhishek latest
Abhishek latest
 
7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom7. oracle iam11g+strategyodrom
7. oracle iam11g+strategyodrom
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudGetting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
 
2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil
 
Subhajit das resume_2015
Subhajit das resume_2015Subhajit das resume_2015
Subhajit das resume_2015
 
Subhajit_Das_Resume_2015
Subhajit_Das_Resume_2015Subhajit_Das_Resume_2015
Subhajit_Das_Resume_2015
 
BadesahebKBichu
BadesahebKBichuBadesahebKBichu
BadesahebKBichu
 
kowsalyamanickam_resume_OIM
kowsalyamanickam_resume_OIMkowsalyamanickam_resume_OIM
kowsalyamanickam_resume_OIM
 
Surya_CV
Surya_CVSurya_CV
Surya_CV
 
Resume_Dhiren
Resume_DhirenResume_Dhiren
Resume_Dhiren
 
Introduction-to-the-Waterfall-Model.pptx
Introduction-to-the-Waterfall-Model.pptxIntroduction-to-the-Waterfall-Model.pptx
Introduction-to-the-Waterfall-Model.pptx
 
ABC’s Proposal
ABC’s ProposalABC’s Proposal
ABC’s Proposal
 
Resume_Dhiren
Resume_DhirenResume_Dhiren
Resume_Dhiren
 
Webinar: APPSeCONNECT Product Updates 2019 - Major Highlights
Webinar: APPSeCONNECT Product Updates 2019 - Major HighlightsWebinar: APPSeCONNECT Product Updates 2019 - Major Highlights
Webinar: APPSeCONNECT Product Updates 2019 - Major Highlights
 
Wise Men Oracle Mobility Webinar- 11-December-2014
Wise Men Oracle Mobility Webinar- 11-December-2014Wise Men Oracle Mobility Webinar- 11-December-2014
Wise Men Oracle Mobility Webinar- 11-December-2014
 
Alpana_Srivastava
Alpana_SrivastavaAlpana_Srivastava
Alpana_Srivastava
 
5.10 years Expetience in Asp.net with MVC
5.10 years Expetience in Asp.net with MVC5.10 years Expetience in Asp.net with MVC
5.10 years Expetience in Asp.net with MVC
 
Malli Resume_30 Jun 2012
Malli Resume_30 Jun 2012Malli Resume_30 Jun 2012
Malli Resume_30 Jun 2012
 

More from SARCCOM

Week 3 Deep Learning And POS Tagging Hands-On
Week 3 Deep Learning And POS Tagging Hands-OnWeek 3 Deep Learning And POS Tagging Hands-On
Week 3 Deep Learning And POS Tagging Hands-OnSARCCOM
 
Week 2 Sentiment Analysis Using Machine Learning
Week 2 Sentiment Analysis Using Machine Learning Week 2 Sentiment Analysis Using Machine Learning
Week 2 Sentiment Analysis Using Machine Learning SARCCOM
 
Week 1 Natural Language Processing Introduction
Week 1  Natural Language Processing IntroductionWeek 1  Natural Language Processing Introduction
Week 1 Natural Language Processing IntroductionSARCCOM
 
The Secret of Most Wanted Geek
The Secret of Most Wanted GeekThe Secret of Most Wanted Geek
The Secret of Most Wanted GeekSARCCOM
 
Fundamental of Machine Learning
Fundamental of Machine LearningFundamental of Machine Learning
Fundamental of Machine LearningSARCCOM
 
Data Warehousing Tools on Data Ecosystem
Data Warehousing Tools on Data EcosystemData Warehousing Tools on Data Ecosystem
Data Warehousing Tools on Data EcosystemSARCCOM
 
Startup Engineering Culture
Startup Engineering CultureStartup Engineering Culture
Startup Engineering CultureSARCCOM
 
Menggapai Paripurna Rekayasa
Menggapai Paripurna RekayasaMenggapai Paripurna Rekayasa
Menggapai Paripurna RekayasaSARCCOM
 
Requirement Gathering Jump Start
Requirement Gathering Jump StartRequirement Gathering Jump Start
Requirement Gathering Jump StartSARCCOM
 
Legacy code - Taming The Beast
Legacy code  - Taming The BeastLegacy code  - Taming The Beast
Legacy code - Taming The BeastSARCCOM
 
The Role of IT Architect in Enterprise Company (Garuda Indonesia)
The Role of IT Architect in Enterprise Company (Garuda Indonesia)The Role of IT Architect in Enterprise Company (Garuda Indonesia)
The Role of IT Architect in Enterprise Company (Garuda Indonesia)SARCCOM
 
The Role of IT Architect in Startup Company
The Role of IT Architect in Startup CompanyThe Role of IT Architect in Startup Company
The Role of IT Architect in Startup CompanySARCCOM
 
Architecting for Huper Growth and Great Engineering Culture
Architecting for Huper Growth and Great Engineering CultureArchitecting for Huper Growth and Great Engineering Culture
Architecting for Huper Growth and Great Engineering CultureSARCCOM
 
Software Architecture Introduction
Software Architecture IntroductionSoftware Architecture Introduction
Software Architecture IntroductionSARCCOM
 
Software Architecture Fundamentals Part-1 Architecture soft skill
Software Architecture Fundamentals Part-1 Architecture soft skillSoftware Architecture Fundamentals Part-1 Architecture soft skill
Software Architecture Fundamentals Part-1 Architecture soft skillSARCCOM
 
Best Practice In Software Development
Best Practice In Software DevelopmentBest Practice In Software Development
Best Practice In Software DevelopmentSARCCOM
 
Is your code SOLID enough?
 Is your code SOLID enough? Is your code SOLID enough?
Is your code SOLID enough?SARCCOM
 
How to work with us? We are Gen Y!
How to work with us? We are Gen Y!How to work with us? We are Gen Y!
How to work with us? We are Gen Y!SARCCOM
 

More from SARCCOM (18)

Week 3 Deep Learning And POS Tagging Hands-On
Week 3 Deep Learning And POS Tagging Hands-OnWeek 3 Deep Learning And POS Tagging Hands-On
Week 3 Deep Learning And POS Tagging Hands-On
 
Week 2 Sentiment Analysis Using Machine Learning
Week 2 Sentiment Analysis Using Machine Learning Week 2 Sentiment Analysis Using Machine Learning
Week 2 Sentiment Analysis Using Machine Learning
 
Week 1 Natural Language Processing Introduction
Week 1  Natural Language Processing IntroductionWeek 1  Natural Language Processing Introduction
Week 1 Natural Language Processing Introduction
 
The Secret of Most Wanted Geek
The Secret of Most Wanted GeekThe Secret of Most Wanted Geek
The Secret of Most Wanted Geek
 
Fundamental of Machine Learning
Fundamental of Machine LearningFundamental of Machine Learning
Fundamental of Machine Learning
 
Data Warehousing Tools on Data Ecosystem
Data Warehousing Tools on Data EcosystemData Warehousing Tools on Data Ecosystem
Data Warehousing Tools on Data Ecosystem
 
Startup Engineering Culture
Startup Engineering CultureStartup Engineering Culture
Startup Engineering Culture
 
Menggapai Paripurna Rekayasa
Menggapai Paripurna RekayasaMenggapai Paripurna Rekayasa
Menggapai Paripurna Rekayasa
 
Requirement Gathering Jump Start
Requirement Gathering Jump StartRequirement Gathering Jump Start
Requirement Gathering Jump Start
 
Legacy code - Taming The Beast
Legacy code  - Taming The BeastLegacy code  - Taming The Beast
Legacy code - Taming The Beast
 
The Role of IT Architect in Enterprise Company (Garuda Indonesia)
The Role of IT Architect in Enterprise Company (Garuda Indonesia)The Role of IT Architect in Enterprise Company (Garuda Indonesia)
The Role of IT Architect in Enterprise Company (Garuda Indonesia)
 
The Role of IT Architect in Startup Company
The Role of IT Architect in Startup CompanyThe Role of IT Architect in Startup Company
The Role of IT Architect in Startup Company
 
Architecting for Huper Growth and Great Engineering Culture
Architecting for Huper Growth and Great Engineering CultureArchitecting for Huper Growth and Great Engineering Culture
Architecting for Huper Growth and Great Engineering Culture
 
Software Architecture Introduction
Software Architecture IntroductionSoftware Architecture Introduction
Software Architecture Introduction
 
Software Architecture Fundamentals Part-1 Architecture soft skill
Software Architecture Fundamentals Part-1 Architecture soft skillSoftware Architecture Fundamentals Part-1 Architecture soft skill
Software Architecture Fundamentals Part-1 Architecture soft skill
 
Best Practice In Software Development
Best Practice In Software DevelopmentBest Practice In Software Development
Best Practice In Software Development
 
Is your code SOLID enough?
 Is your code SOLID enough? Is your code SOLID enough?
Is your code SOLID enough?
 
How to work with us? We are Gen Y!
How to work with us? We are Gen Y!How to work with us? We are Gen Y!
How to work with us? We are Gen Y!
 

Recently uploaded

Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 

Recently uploaded (20)

Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 

Blibli Web Application Security Policy Enforcement Point

  • 8. The Disadvantages of Architecture (Security)
    • Will one user role be the same across all the UIs?
    • Are users duplicated across all the UIs?
    • How will each application check the role?
    • Is it possible to change a role at runtime?
    • Must the user log in every time they switch to another UI service?
    • Etc… (Did anyone spot problems in the previous slide?)
  • 9. Solution
    • Build a UI framework that provides the abstraction for authentication and authorization, so developers need no explicit declaration during development.
    • Centralize the user repository for easy maintainability.
    • Single Sign On and Single Sign Off features.
    • Developers create roles from a functionality point of view; business users map them to their own role names.
  • 10. Chosen Technology Overview
    • Spring Security: a Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications.
    • Apereo CAS: the Central Authentication Service project, more commonly referred to as CAS, is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user.
    • Apache Fortress: a standards-based access management system, written in Java, that provides role-based access control, delegated administration and password policy services with LDAP.
  • 11. Combine All the Technologies
    • Apereo CAS acts as the provider for Single Sign On and Single Sign Off.
    • Apache Fortress provides authorization and the whitelist of security policies.
    • Spring Security is the main development framework in which the authentication and authorization logic is implemented.
    • Create a templating project so developers can easily set up their own project from that template.
  • 12. Authentication and Authorization Architecture
    [Diagram: components are User, UI Service, API Service, CAS and Fortress/LDAP; the labelled flows are "User Http Request", "Delegate Authentication" and "RESTful".]
  • 13. Behind the Great Idea
    There are also other problems:
    1. How to keep developers from statically typing role names in their code, especially in the JavaScript/presentation layer when hiding a button.
    2. How to trim the response by role, so that information a role does not need is hidden from it.
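The role model of slides 9 and 13 (developers declare functional permissions, business users map role names to them, the server both enforces and trims responses, and the UI asks what it may do instead of hard-coding roles) as an added Python illustration; this is not Blibli's code, and all role names, permission names and order fields are constructed placeholders standing in for what the page keeps in Spring Security and Fortress/LDAP.

```python
from dataclasses import dataclass

# Developers declare permissions by functionality, never business role names.
PERM_VIEW_ORDER = "order:view"
PERM_REFUND_ORDER = "order:refund"
PERM_VIEW_MARGIN = "order:view-margin"

# Constructed mapping owned by business users. In the page's design this lives
# in the central repository (Fortress/LDAP), so a change here takes effect on
# the next request without touching any UI or API code.
ROLE_PERMISSIONS = {
    "cs-agent": {PERM_VIEW_ORDER},
    "cs-lead": {PERM_VIEW_ORDER, PERM_REFUND_ORDER},
    "finance": {PERM_VIEW_ORDER, PERM_VIEW_MARGIN},
}

# Developer-owned: which response fields each permission unlocks.
FIELD_PERMISSIONS = {"margin": PERM_VIEW_MARGIN, "refund_link": PERM_REFUND_ORDER}

# Constructed sample record returned by the (hypothetical) order API.
ORDER = {"id": "ORD-1", "total": 120000, "margin": 15000,
         "refund_link": "/orders/ORD-1/refund"}


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset  # roles as resolved after SSO, e.g. from the LDAP session


def permissions_for(session):
    perms = set()
    for role in session.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    return perms


def can(session, permission):
    return permission in permissions_for(session)


def capabilities(session):
    """What the presentation layer fetches instead of comparing role names."""
    return sorted(permissions_for(session))


def trim_response(session, record):
    """Drop every field whose unlocking permission the caller lacks."""
    perms = permissions_for(session)
    return {k: v for k, v in record.items()
            if k not in FIELD_PERMISSIONS or FIELD_PERMISSIONS[k] in perms}


def view_order(session, record=ORDER):
    """Policy enforcement point: check first, then trim what is returned."""
    if not can(session, PERM_VIEW_ORDER):
        raise PermissionError(f"{session.user} lacks {PERM_VIEW_ORDER}")
    return trim_response(session, record)
```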
  • 14. What We at Blibli Achieved
    • Decoupled business and application logic from security authorization
    • More productive and predictable software
    • User role security with easy maintainability
    • Single user repository for all internal applications
  • 15. What We at Blibli.com Learned