The Clef security architecture provides single sign-on authentication using a user's smartphone. It works by generating a unique ID on the server and displaying it as a "wave" on the website. The user scans the wave with their phone app which signs the ID and sends it to the server for verification. If verified, an OAuth token is issued allowing the user to access the connected website without re-entering credentials. Features like lost device protection and automatic logout across devices add additional security.
CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit
Entreprises are deploying more applications to workers phones and tablets. These applications are currently all using separate authentications to establish user identity and authorization.
This session will look at how the Native Application profile of OpenID Connect creates a local token broker on the device to centralize authentication for multiple enterprise and SaaS applications on a device.
This can be used to increase security by enabling additional authentication factors and a enhanced view of device posture, as well as increasing usability, bu reducing the number of unnecessary authentications that interrupt the users work flow every day.
In this presentation, i speak about some basics actions to secure your API. Keeping in mind that an API remains a web application, without html/javascript, i will do a demo of SQL injection and then quickly review the OWASP top 10 application security risks. From there i zoom on authentication doing a focus on oauth2/OpenID Connect. Stepping to API Management, i deep dive on some features that can help us to secure our APIs.
In this presentation, i speak about some basics actions to secure your API. Keeping in mind that an API remains a web application, without html/javascript, i will do a demo of SQL injection and then quickly review the OWASP top 10 application security risks. From there i zoom on authentication doing a focus on oauth2/OpenID Connect. Stepping to API Management, i deep dive on some features that can help us to secure our APIs.
WSO2 Identity Server is an API-driven, open-source, cloud-native IAM product. With Get-Started session you will get high level knowledge about WSO2 IS features and why you should get start working with WSO2 Identity Server
CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit
Entreprises are deploying more applications to workers phones and tablets. These applications are currently all using separate authentications to establish user identity and authorization.
This session will look at how the Native Application profile of OpenID Connect creates a local token broker on the device to centralize authentication for multiple enterprise and SaaS applications on a device.
This can be used to increase security by enabling additional authentication factors and a enhanced view of device posture, as well as increasing usability, bu reducing the number of unnecessary authentications that interrupt the users work flow every day.
In this presentation, i speak about some basics actions to secure your API. Keeping in mind that an API remains a web application, without html/javascript, i will do a demo of SQL injection and then quickly review the OWASP top 10 application security risks. From there i zoom on authentication doing a focus on oauth2/OpenID Connect. Stepping to API Management, i deep dive on some features that can help us to secure our APIs.
In this presentation, i speak about some basics actions to secure your API. Keeping in mind that an API remains a web application, without html/javascript, i will do a demo of SQL injection and then quickly review the OWASP top 10 application security risks. From there i zoom on authentication doing a focus on oauth2/OpenID Connect. Stepping to API Management, i deep dive on some features that can help us to secure our APIs.
WSO2 Identity Server is an API-driven, open-source, cloud-native IAM product. With Get-Started session you will get high level knowledge about WSO2 IS features and why you should get start working with WSO2 Identity Server
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCloudIDSummit
Look under the hood of several applications that implement the standard using various profiles and discuss the benefits of OpenID Connect versus OAuth2.0. Our goal is to deepen
understanding of the protocol and its uses.
This presentation was given at Web Directions South in 2008. It is a developers guide to building sites using OpenID, OAuth and webservices - no code, but enough to point you in the right direction
FIWARE Academy Courses
Identity Management - Keyrock GE
Lesson 3. Applications. How to create OAuth2 tokens.
https://edu.fiware.org/course/view.php?id=79
Álvaro Alonso
UPM-DIT. Security Chapter
FIWARE Academy
https://edu.fiware.org
http://fiware.org
Introduction to safedrop.com secure communications. If sending an email is like sending a postcard sending a safedrop is a hand delivered letter from 007!
Understanding the oAuth2 flows can be challenging. At some point we have probably interacted with one, most of us struggle with how they work, and often times they leaves us very confused. Whether you are on the frontend or backend, understanding oAuth2 can take your skills to the next level. Learn how to secure your APIs through the oAuth2 flows using express. We will dive into the different oAuth flows, the use of scopes, and validating Json Web Tokens (JWT). Each step along the way will be illustrated with code examples using express. Finally, we will touch on the challenges with integration testing and local development.
A central authentication server to rule all your services
Many companies or organizations run not only one ore two services, but 10 and more.
Often each of these services has its own isolated user management implementation, or talks to other micro services over hardcoded API keys.
The OAuth2 standard supports multiple authentication mechanisms to rule all of these requirements in one central place.
Don’t reinvent the wheel with every new application.
Slides used to spread awareness between mobile developers and back-end developers on how to follow best practices to secure back-end HTTP services and avoid common pitfall and leaky APIs, OAuth 2.0 used to as solution for securing the HTTP Services.
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCloudIDSummit
Look under the hood of several applications that implement the standard using various profiles and discuss the benefits of OpenID Connect versus OAuth2.0. Our goal is to deepen
understanding of the protocol and its uses.
This presentation was given at Web Directions South in 2008. It is a developers guide to building sites using OpenID, OAuth and webservices - no code, but enough to point you in the right direction
FIWARE Academy Courses
Identity Management - Keyrock GE
Lesson 3. Applications. How to create OAuth2 tokens.
https://edu.fiware.org/course/view.php?id=79
Álvaro Alonso
UPM-DIT. Security Chapter
FIWARE Academy
https://edu.fiware.org
http://fiware.org
Introduction to safedrop.com secure communications. If sending an email is like sending a postcard sending a safedrop is a hand delivered letter from 007!
Understanding the oAuth2 flows can be challenging. At some point we have probably interacted with one, most of us struggle with how they work, and often times they leaves us very confused. Whether you are on the frontend or backend, understanding oAuth2 can take your skills to the next level. Learn how to secure your APIs through the oAuth2 flows using express. We will dive into the different oAuth flows, the use of scopes, and validating Json Web Tokens (JWT). Each step along the way will be illustrated with code examples using express. Finally, we will touch on the challenges with integration testing and local development.
A central authentication server to rule all your services
Many companies or organizations run not only one ore two services, but 10 and more.
Often each of these services has its own isolated user management implementation, or talks to other micro services over hardcoded API keys.
The OAuth2 standard supports multiple authentication mechanisms to rule all of these requirements in one central place.
Don’t reinvent the wheel with every new application.
Slides used to spread awareness between mobile developers and back-end developers on how to follow best practices to secure back-end HTTP services and avoid common pitfall and leaky APIs, OAuth 2.0 used to as solution for securing the HTTP Services.
Zack Urlocker of Duo Security talks at BoS Conference USA 2016
See all talks here: http://businessofsoftware.org/2016/07/all-talks-from-business-of-software-conferences-in-one-place-saas-software-talks/
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongDuo Security
If you're like many IT security professionals, you're on a quest to do a better job of authenticating users in the face of new security and business challenges.
Have you gotten caught up in one of five authentication traps, like many of your peers?
Full replay of the recording is available online:
https://go.duosecurity.com/Forrester_Webinar_Signs_Youre_Doing_Authentication_Wrong.html
In this webinar, you will learn:
* Five signs you're doing authentication wrong
* Forrester research on key trends and generational shifts in the authentication market
* How to assess solution usability, deployability and security
* Will it ever be truly possible to "kill the password?"
Join the following guest speakers as they comment on the virtues of a thoughtfully deployed authentication solution.
* Eve Maler, Forrester Research
* Brian Kelly, Duo Security
* Daniel Frye, CedarCrestone
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
We know and love our authentication standards for the web, yet on mobile we often still resort to usernames & passwords in our apps.
This presentation explores OpenID Connect (OIDC) and OAuth 2.0 in the context of mobile apps to see how they decouple authentication logic from your app and promote simpler and more flexible patterns for user authentication and API authorization.
This presentation was first given in the London Mobile Security Meetup
https://www.meetup.com/London-Mobile-Developer-Security/
DDD Melbourne 2014 security in ASP.Net Web API 2Pratik Khasnabis
My presentation at DDD Melbourne 2014 Conference on Security in ASP.Net Web API 2. Includes a brief introduction to OWIN and Katana.
http://www.dddmelbourne.com/
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonDavid Johansson
Privacy Risks with Using Client Certificates for Authentication
Know the risks to user privacy when client certificate authentication is used, and be aware of how attackers can spoof web sites to expose the identity of connecting clients.
OAuth 2.0 is an open authentication and authorization protocol which enables applications to access each others data. This talk will presents how to implement the OAuth2 definitions to secure RESTful resources developed using JAX-RS in the Java EE platform.
The Skype for Business (Lync) apps are one of the ubiquitous aspect of the product. Mobility is cross platform (Android, IOS and Windows are supported), has specific requirements and (in Skype for Business) adds some specific limits for clients on authentication, security and features. As part of the default server features, mobility is now both easier and more critical to understand. In this session, we will see what has been made available for the mobile users and what will be released. Configurations, requirements and deployment suggestions will be explained for on-premises, Cloud and hybrid deployments
The WiKID Strong Authentication Systems OverviewNick Owen
A high-level overview of the WiKID Strong Authentication System, a dual-source, software-based, two-factor authentication solution. WiKID uses public-key cryptography unlike most token systems and is therefore a secure, extensible replacement for hardware tokens.
Enterprise internet data privacy protection with encryption in transit, in process and at rest with secure infrastructure perimeter for authentication and authorization
PortalGuard’s Flexible Two-factor Authentication options are designed as strong authentication methods for securing web applications. PortalGuard leverages a one-time password (OTP) as a factor to further prove a user's identity. The OTP can be delivered via SMS, email, printer, and transparent token. Configurable by user, group or application this is a cost effective approach to stronger authentication security.
Tutorial: http://pg.portalguard.com/flexible_two-factor_tutorial
WordPress Security Update: How we're building the web's most secure platform ...jessepollak
How we're building the web's most secure platform and what you can do to help. A talk given by Brennen Byrne, CEO of Clef, at the SF WordPress Meetup on June 25th, 2014.
Passwords and Botnets and Zombies (oh my!)jessepollak
The WordPress community has a huge security challenge on the horizon. Now powering almost 20% of the Internet, WordPress lets us build businesses and lifestyles behind a single password. Protecting one site is hard, but the real challenge is making sure that distributed attacks across WordPress sites don't find unprotected sites to attack. In this talk, Brennen Byrne, the CEO of Clef, discusses the attacks and defenses being established in the new security paradigm and the new strategies being worked on to protect your site from the robot army.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
2. OVERVIEW
Logging in with Clef
1.
Unique id sent to browser and
displayed as wave
2.
Phone’s camera used to scan
wave and transfer id
3.
Private key on phone used to
generate signature with id and
timestamp- sent to Clef Server
4.
Signature verified and OAuth
Code sent to browser
5.
Redirect in browser sends
OAuth Code to Site Server
6.
OAuth Handshake between Clef
Server and Site Server
7.
User info sent to Site Server
8.
User is logged in to site
4. Registration on the Phone
• User downloads app
• Email address confirmed, PIN set up
• 2048-bit RSA key pair generated on phone
• Public key sent to server and stored
• Private key encrypted on device
• for iOS—KeychainServices for hardware encryption
• for Android—PIN-based encryption (PKCS#5)
5. Registering a New Site
• Developer creates account at
developer.getclef.com
• Developer receives App ID and App Secret
• <script> tag with App ID embedded in login form
• Standard code to handle OAuth 2.0 Handshake
7. Generating the Clef Wave
• <script> creates “Log in with Clef” button
• On user click, loads iframe from Clef Server
• iframe requests unique id (Session Key)
• Session Key is stored as a signed cookie
• displayed as animated barcode, the Clef Wave
8. Scanning the Clef Wave
• User opens Clef App on their smartphone
• Enters PIN to unlock the app
• On-screen guide instructs user to sync Clef Wave
• Phone’s camera reads Session Key from Clef
Wave
9. Verifying the Signature
• Signature is generated with Session Key, user id,
and current timestamp
• Signature is sent to Clef Server over TLS/SSL
• Clef Server verifies signature using stored public
key
• Timestamp is checked for recency to prevent
replay attacks
10. OAuth 2.0 Handshake
!
• Clef server generates OAuth code and pushes to browser
using WebSockets
• Browser redirects to site’s specified redirect URL with
OAuth code to initiate OAuth 2.0 handshake
• Site Server sends OAuth code, App ID, App Secret to Clef
Server for verification
• Clef Server returns OAuth token
• Site Server exchanges OAuth token for user information
11. Finishing the Login
• Site receives user information from Clef Server,
including site-specific identifier (clef_id)
• Site looks up user in database with clef_id
• Site sets a cookie to manage user’s session
• User is redirected to logged-in page
13. Single Sign Off
• Site specifies a logout webhook URL on
developer.getclef.com
• User taps “log out” on phone (or logout timer
expires), signed logout request sent to Clef Server
• Clef server notifies each site of the logout via their
webhook URL
14. Database Logout
• Site stores login timestamp as part of session
• When webhook is triggered, site stores time of
logout in database
• On page request, site compares both timestamps
to determine whether user has logged out
16. Deactivating a Lost Device
• A phone can be reported lost or stolen on
getclef.com/lost
• Notifications are sent through available channels
alerting user of attempted deactivation
• 24 hour wait period before deactivation, can be
skipped by verifying through email
• Public key is wiped from Clef Server after wait
period or verification
17. After Deactivation
• Temporary passcode is granted after deactivation
• Passcode can be used to log in at getclef.com
• Because of single sign on, allows access to all
connected services
18. Reactivation
• User reconfirms email address and PIN
• RSA key pair is generated on new device
• New public key is associated with old account
22. Console Requirements
• Visual display for Clef Wave
• Networked with access to Verification Server
• Ability to look up users and store timestamps (for
logout)
24. Replacing OAuth 2.0
• If within a completely trusted environment, no
need to do any handshake
• Otherwise, can replace OAuth 2.0 with asymmetric
cryptography between Verification Server and
Consoles
25. Networking Devices
• Both phone and console must be able to
communicate with Verification Server
• No dependency on Internet
26. White-labeled App
• Clef functionality wrapped in client app
• Configured to work only within intranet
• BYOD compatible
• Available for iOS and Android devices
29. Geofencing
• Logins will be happening within a small geofence
• Using device location can prevent external attacks
• Force logout when user leaves fence
30. Automatic Logouts
• As users move from console to console, they must
log out each time
• Use geolocation, Bluetooth, or NFC to make this
automatic
• Reduce vulnerability through carelessness
