Using digital identity synergistically to adopt cloud computing, mobile and social securely. An introduction to the "Neo Security Stack" of digital identity standards (OpenID Connect, OAuth, JWT and SCIM) and how to use them together.
Technologies that are being used together to secure RESTful APIs: SAML (and eventually OpenID Connect), OAuth, SCIM, and the JSON Identity Protocol Suite (esp. JWT).
A discussion of how these technologies can be combined to provide enterprise-grade security for APIs, and of the broader context in which this need arises.
What secure standards are there when working with a new API? And why should you care?
Presented by Travis Spencer from Twobo Technologies at Nordic APIs in Trondheim, June 11, 2013
Open APIs - Risks and Rewards (Øredev 2013), by Nordic APIs
Introducing Open APIs, the security risks involved and the great rewards that can be reaped. Going through the advantages of using and publishing APIs and how to get started, how to handle security risks with a "neo-security" stack, and how Twitter's API has been used to analyse Twitter use in Sweden.
Lightning talk from Øredev, 7 November 2013 in Malmö, Sweden. Presented by Andreas Krohn, Travis Spencer and Hampus Brynolf. More information at http://nordicapis.com/oredev2013.
OAuth Claims Ontology: Using Claims in OAuth and How They Relate to Scopes, by Nordic APIs
In this presentation, Travis Spencer, CEO of Curity and expert in OAuth, will explain what claims are. He will demonstrate their usefulness and show them in the context of the various actors and flows involved in an OAuth-based system. He will go on to explain how they relate to the ever-confusing idea of scopes. His presentation will conclude with an explanation of how claims can be used to increase privacy, enhance security, improve UX, and serve in creating more fine-grained access control systems.
Attendees will leave with a better understanding of what OAuth scopes are, the role of claims in API security, and how to authorize access using these concepts when building APIs.
Beyond Bearer: Token Binding as the Foundation for a More Secure Web, by Brian Campbell
The overwhelming majority of security tokens used today on the web are bearer tokens (e.g. HTTP cookies, OpenID Connect ID tokens, SAML assertions, OAuth tokens). Any party in possession of a bearer token is able to use it to gain access to the associated protected resources, which makes them a highly attractive target for attackers. Although there have been many efforts to provide better-than-bearer security, none have achieved widespread deployment success. Token Binding is a new IETF protocol that enables strong cryptographic defenses against the use of stolen security tokens and, with a novel approach and the backing of some very significant industry players, has the potential to find the success that has been elusive to previous attempts. This session will provide an overview of how Token Binding works and its application to higher-level protocols like OpenID Connect and OAuth. Some bad jokes and gratuitous photography will be included to take the edge off the otherwise very nerdy content.
Making Security Approachable for Developers and Operators, by Armon Dadgar
Security is a complex topic filled with jargon and subtle nuances. The "weakest link" challenge in security means we must be concerned with every threat vector and apply best practices universally. This becomes challenging when we need to bring developers and operators into the fold, since our infrastructure and applications are critical to our security posture. Instead of expecting everybody to become an expert in security, we need to make security more approachable for these audiences. In this talk, we discuss how to apply best practices and make them accessible to developers and operators through APIs, secure-by-default platforms, and policy as code.
A presentation on System for Cross-domain Identity Management (SCIM) formerly Simple Cloud Identity Management presented at the Cloud Identity Summit (CIS) 2012 by Travis Spencer, CEO of Twobo Technologies, a consulting firm specializing in Identity and Access Management (IAM), cloud security, and mobile security
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ..., by CA API Management
Identity on the Internet is changing. Social networking has kicked off a massive change in how we integrate identity across applications. This is much more than a simple redesign of security tokens and protocols; instead it is a radical redistribution of power and control over entitlements, shifting it away from the centralized control of a cabal of directory engineers and out to the users themselves.
There are compelling reasons for this shift: it enables scaling of identity administration, and it promotes rapid and agile integration of applications. These are goals shared by the enterprise, but this change has significant implications on infrastructure, people and process. Join us to learn how you can bring modern identity management into the enterprise.
Spellpoint - Securing Access for Microservices, by Ubisecure
Spellpoint presentation slides from Ubisecure's IAMwithUBI Nordic IAM event May 2018. How Customer IAM (CIAM) principles and technology can be applied to identities for microservices to provide authentication and authorization of APIs.
Migrating and Modernizing Identity on the Path to Multi Cloud, by Strata Identity
After dozens of customer interviews with some of the world's largest enterprises, the team at Strata learned first-hand the challenges customers face when considering identity migration and modernization projects. We share those learnings in this session while outlining the 5 most common migration use cases. We also cover how the right combination of software and services can accelerate delivery timelines while removing uncertainty from your project.
Presentation by Hans Zandbelt from Ping Identity (pingidentity.com) at Nordic APIs (nordicapis.com), Stockholm, March 2013, about the need for identity services when publishing an API.
Join the discussion with Andrew Hay, Chief Evangelist of CloudPassage and Dave Shackleford, Senior Vice President, Research and Chief Technology Officer of IANS.
In this presentation, we will discuss:
- How compliance is affected by using private, hybrid, and public cloud environments
- What to consider when researching providers who offer "PCI-compliant" clouds
- Recommendations for improving compliance and security posture in the cloud
Single Sign-On: Our Path to Password Elimination, by Symantec
By eliminating the password sprawl that cloud applications can cause, we freed our employees from having to create a dozen or more logins and passwords just to do their jobs.
Synergies of Cloud Identity: Putting it All Together
1. Synergies of Cloud Identity: Putting it All Together
By Travis Spencer, CEO
2. Agenda
• Impact of mobile and cloud on business
• Central role of identity in coping with these changes
• Using the different identity specs together to this end
Copyright (C) 2012 Twobo Technologies AB
3. Mobile is Changing Business
• 75% of mobiles in Scandinavia are smartphones; 50% in the rest of Europe & US
• BYOD is a foregone conclusion for most
– 90% of orgs will support corporate apps on personal devices by 2014
• 80% of orgs will use tablets by next year
4. Mobilizing Business Processes
• Workflows are a business's circulatory system
• Automation and efficiency are critical
• Mobile helps optimize these processes
5. Reusing Existing Technology
• Prior technology investments will remain on the books for years
• Existing data/systems must be available to mobile users and cloud services
• IT organizations need to bridge the old and new technologies
6. Seamless Access to Cloud Apps
• Giving employees a new password for each cloud app is neither secure nor scalable
• 123456 is not a secure password, but cloud providers allow it!
• Existing OTP tokens are not supported by the cloud providers
• Seamless cloud access is required
7. Crucial Security Concerns
[Diagram: three circles, Enterprise Security, API Security and Mobile Security]
8. Identity is Central
[Venn diagram: Mobile Security (MDM, MAM), Enterprise Security (AuthZ) and API Security overlap, with Identity at the centre. Venn diagram by Gunnar Peterson]
9. Neo-security Stack
[Stack diagram, with OpenID Connect at the top]
• SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
• OAuth 2 is the new meta-protocol defining how tokens are handled
• These address old requirements, solve new problems & are composed in useful ways
[Cartoon: "Grandpa SAML & junior", "WS- again?"]
10. SAML + OAuth
• Relay OAuth tokens in SAML messages
• Use SAML tokens to authenticate OAuth clients, or as the AS's output token format
• Use SAML SSO to authenticate users to the AS
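The second bullet, a SAML token presented to the OAuth AS, is what RFC 7522 standardises as the SAML 2.0 bearer assertion grant. The following is an added example and not code from the slides or from Twobo: the client side builds the token request, and the AS side performs the checks RFC 7522 section 3 requires (issuer, bearer subject confirmation, audience, validity window). The endpoints, the trusted issuer and the sample assertion are constructed for the demo. XML-Signature verification is left out because it needs xmlsec; an AS must verify the assertion's signature against the issuer's certificate before it trusts any field checked here.

```python
"""SAML 2.0 assertion as an OAuth 2 authorization grant (RFC 7522).

Added example, not the slides' code. Endpoints, issuer and the sample
assertion are constructed. Signature verification is out of scope:
call check_saml_bearer_request() only after XML-DSig verification."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime

SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
BEARER_CM = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TOKEN_ENDPOINT = "https://as.example.com/token"      # assumed AS token endpoint (the audience)
TRUSTED_ISSUERS = {"https://idp.example.com/saml"}   # assumed federation partner

# Constructed, unsigned sample assertion for this demonstration only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo1" Version="2.0" IssueInstant="2012-11-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-11-01T10:00:00Z" NotOnOrAfter="2012-11-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://as.example.com/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_saml_time(s):
    """SAML dateTime values are UTC with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_token_request(assertion_xml, scope):
    """Client side: the form body POSTed to the token endpoint.
    RFC 7522 carries the assertion as unpadded base64url."""
    b64 = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).rstrip(b"=").decode("ascii")
    return urllib.parse.urlencode(
        {"grant_type": SAML_BEARER_GRANT, "assertion": b64, "scope": scope})


def check_saml_bearer_request(form_body, now_iso):
    """AS side: validate the grant and return the claims to mint an access
    token from, or an OAuth token-endpoint style error dict."""
    now = parse_saml_time(now_iso)
    params = dict(urllib.parse.parse_qsl(form_body, keep_blank_values=True))
    if params.get("grant_type") != SAML_BEARER_GRANT:
        return {"error": "unsupported_grant_type"}
    if not params.get("assertion"):
        return {"error": "invalid_request", "error_description": "assertion missing"}
    try:
        root = ET.fromstring(b64url_decode(params["assertion"]))
    except (ValueError, ET.ParseError):
        return {"error": "invalid_grant", "error_description": "assertion is not well-formed"}
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return {"error": "invalid_grant", "error_description": "not a SAML 2.0 Assertion"}
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        return {"error": "invalid_grant", "error_description": "untrusted issuer"}
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        return {"error": "invalid_grant", "error_description": "Subject/NameID missing"}
    # This grant requires bearer subject confirmation.
    methods = {sc.get("Method") for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS)}
    if BEARER_CM not in methods:
        return {"error": "invalid_grant", "error_description": "bearer SubjectConfirmation required"}
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return {"error": "invalid_grant", "error_description": "Conditions/NotOnOrAfter required"}
    # The token endpoint must be an intended audience, or the assertion could
    # be replayed from some other SAML relying party.
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if TOKEN_ENDPOINT not in audiences:
        return {"error": "invalid_grant", "error_description": "audience does not include token endpoint"}
    if now >= parse_saml_time(cond.get("NotOnOrAfter")):
        return {"error": "invalid_grant", "error_description": "assertion expired"}
    if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
        return {"error": "invalid_grant", "error_description": "assertion not yet valid"}
    return {"sub": subject, "iss": issuer, "scope": params.get("scope", "")}
```

A real token endpoint would additionally track assertion IDs to refuse replays within the validity window and parse with defusedxml rather than the stock parser, since the assertion arrives from a remote party.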
11. SCIM + OAuth
• Use OAuth to secure SCIM API calls
• Use SCIM to create the accounts needed to access APIs secured using OAuth
12. Push Tokens & Pull Identities
[Sequence diagram with IdP/SCIM Server, SP/SCIM Client and Browser: the access token is pushed to the SP inside the federation message, via the browser; the SP then calls "Get User" on the SCIM server and pulls the user data]
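Slides 11 and 12 together describe one pattern: the SCIM server is an OAuth resource server, and the SP uses the access token it was handed in the federation message to pull the user's record. The following is an added example, not code from the slides or from Twobo, showing both sides: a minimal SCIM 2.0 (RFC 7643/7644) server that checks the bearer token and its scope before touching `/Users`, and the SP-side pull. The token store, the `scim:read`/`scim:write` scope names, the user records and the federation message are constructed for the demo, and the SP calls the server object directly instead of over HTTP.

```python
"""SCIM over OAuth 2 bearer tokens, with the SP pulling the identity after
federation. Added example; tokens, scopes and records are constructed.
SCIM 2.0 URNs are used; the 2012 deck predates that revision."""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Constructed: tokens the AS issued to the SP (a SCIM client), with scope and expiry.
TOKENS = {
    "tok-read": {"client": "sp.example.com", "scope": {"scim:read"}, "exp": 1351764000},
    "tok-full": {"client": "sp.example.com", "scope": {"scim:read", "scim:write"}, "exp": 1351764000},
    "tok-old":  {"client": "sp.example.com", "scope": {"scim:read"}, "exp": 1351760000},
}
REQUIRED_SCOPE = {"GET": "scim:read", "POST": "scim:write"}


def _error(status, detail, scim_type=None, www_auth=None):
    """SCIM error response; RFC 6750 puts the OAuth error in WWW-Authenticate."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    headers = {"WWW-Authenticate": www_auth} if www_auth else {}
    return status, headers, body


def _bearer_token(headers):
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    parts = auth.split(None, 1)
    return parts[1].strip() if len(parts) == 2 and parts[0].lower() == "bearer" else None


class ScimServer:
    def __init__(self, tokens, now):
        self.tokens, self.now, self.users = tokens, now, {}

    def handle(self, method, path, headers, body=None):
        """Dispatch one request; returns (status, headers, json_body)."""
        token = _bearer_token(headers)
        grant = self.tokens.get(token) if token else None
        if grant is None or grant["exp"] <= self.now:
            return _error(401, "invalid or expired access token",
                          www_auth='Bearer realm="scim", error="invalid_token"')
        need = REQUIRED_SCOPE.get(method)
        if need is None:
            return _error(405, "method not allowed")
        if need not in grant["scope"]:
            return _error(403, "token lacks scope " + need,
                          www_auth='Bearer realm="scim", error="insufficient_scope", scope="%s"' % need)
        if method == "POST" and path == "/Users":
            return self._create_user(body)
        if method == "GET" and path.startswith("/Users/"):
            user = self.users.get(path[len("/Users/"):])
            return (200, {}, user) if user else _error(404, "no such user")
        return _error(404, "no such resource")

    def _create_user(self, body):
        if not isinstance(body, dict) or USER_SCHEMA not in body.get("schemas", []):
            return _error(400, "missing User schema", scim_type="invalidValue")
        if not body.get("userName"):
            return _error(400, "userName is required", scim_type="invalidValue")
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return _error(409, "userName already exists", scim_type="uniqueness")
        # id and meta are server-assigned; never accept them from the client.
        user = {k: v for k, v in body.items() if k not in ("id", "meta")}
        user["id"] = str(uuid.uuid4())
        user["meta"] = {"resourceType": "User", "location": "/Users/" + user["id"]}
        self.users[user["id"]] = user
        return 201, {"Location": user["meta"]["location"]}, user


def pull_identity(server, federation_message):
    """SP side (slide 12): use the access token pushed in the federation
    message to pull the user's SCIM record. Returns (status, body)."""
    headers = {"Authorization": "Bearer " + federation_message["access_token"]}
    status, _, body = server.handle("GET", "/Users/" + federation_message["scim_user_id"], headers)
    return status, body
```

The scope split matters for the slide-11 direction: an SP that only needs to pull profiles should hold a token with `scim:read`, while the provisioning system that creates accounts holds `scim:write`, so a leaked read token cannot be used to create accounts on the SCIM server.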
13. SCIM + SAML/OIC
• Carry SCIM attributes in SAML assertions (SAML bindings for SCIM)
– Enables JIT provisioning
– Supplements the SCIM API & schema
• Provision accounts using the SCIM API, updating them before/after logon
14. OpenID Connect
• Builds on OAuth for profile sharing
• Uses the flows optimized for user-consent scenarios
• Adds identity-based inputs/outputs to core OAuth messages
• Tokens are JWTs
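"Tokens are JWTs" is the part of OpenID Connect a relying party has to get right. The following is an added example, not code from the slides or from Twobo: the OP mints an ID token as a compact JWT, and the RP validates it with the checks OpenID Connect Core 1.0 section 3.1.3.7 lists (pinned algorithm, signature, iss, aud/azp, exp, iat, nonce), including rejection of the `alg=none` variant. HS256 with a shared client secret is used so the block runs on the standard library alone; production OPs sign with RS256/ES256 keys published at their JWKS endpoint. ISSUER, CLIENT_ID, CLIENT_SECRET and the sample claims are constructed.

```python
"""OpenID Connect ID token as a JWT: mint at the OP, validate at the RP.
Added example; HS256 and all identifiers are constructed for the demo."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://op.example.com"                     # assumed OpenID Provider
CLIENT_ID = "s6BhdRkqt3"                              # assumed RP client_id
CLIENT_SECRET = b"constructed-shared-secret-not-for-real-use"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(sub, nonce, now, secret=CLIENT_SECRET, lifetime=300):
    """OP side: header.claims.signature, each part unpadded base64url."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "exp": now + lifetime, "iat": now, "nonce": nonce}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_id_token(token, expected_nonce, now, secret=CLIENT_SECRET, leeway=60):
    """RP side: returns the claims or raises ValueError with the reason."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm. Honouring the header's alg enables alg=none and
    # RSA-to-HMAC key-confusion attacks.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (h_b64 + "." + c_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp must name this client when aud has several values")
    if claims.get("exp", 0) + leeway <= now:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + leeway:
        raise ValueError("iat in the future")
    # The nonce ties the token to the RP's own authentication request.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def id_token_error(token, expected_nonce, now, secret=CLIENT_SECRET):
    """The rejection reason, or None when the token validates."""
    try:
        validate_id_token(token, expected_nonce, now, secret)
        return None
    except ValueError as exc:
        return str(exc)


def alg_none_variant(token):
    """The classic attacker transform: relabel alg=none and drop the signature."""
    _, c_b64, _ = token.split(".")
    return b64url(b'{"alg":"none","typ":"JWT"}') + "." + c_b64 + "."
```

The same structure validates an OAuth access token that the AS issues as a JWT, with the audience check pointed at the API rather than the client_id; the nonce check is specific to ID tokens.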
15. User Managed Access
• Also extends OAuth 2
• Allows users to centrally control distribution of their identity data
• Used with Personal Data Stores (PDS) to create "identity data lockers"