Download as PDF, PPTX
Uploaded byMatt Raible
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - JokerConf 2021
The document discusses authentication security patterns applicable to applications, APIs, and infrastructure, focusing on various methods such as OAuth, OpenID Connect, and multi-factor authentication. It provides a historical overview of authentication methods and outlines strategies for implementing security in software development, including the use of tokens, secrets, and infrastructure automation. The presentation concludes with recommendations for codifying these patterns using tools like Spring Security and emphasizes the importance of verifying server access and testing for vulnerabilities.
More Related Content
Similar to Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - JokerConf 2021
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - JokerConf 2021
- 1. Lock That Sh*t Down! AuthSecurity Patterns for Apps, APIs, and Infra Brian Demers and Matt Raible @briandemers / @mraible October 28, 2021
- 2. @briandemers / @mraible Whoare we? Brian Demers Open Source Developer and Java Champion Fun facts: likes to snowboard; into 🐝 @bdemers Matt Raible Open Source Developer and Java Champion Fun facts: likes to ski; into classic VWs ✌ @mraible
- 3. @briandemers / @mraible Today'sAgenda What is Auth? AuthN vs AuthZ 01 App Auth Security Patterns Web, SPA, Mobile 02 API Auth Security Patterns Tokens, OAuth, Secrets 03 Infra Auth Security Patterns Linux, SSH, Docker, Kubernetes 04 Action! How to implement these patterns 05 @briandemers / @mraible
- 4. @briandemers / @mraible 01 Whatis Auth? @briandemers / @mraible
- 5. @briandemers / @mraible Soooo... Why should you care? @briandemers / @mraible
- 6. A brief historyof Auth @briandemers / @mraible 60s: First Password 1977: RSA 1994: SSL 2006: SAML 2.0 2012: OAuth 2.0 2014: OIDC 2017: PKCE
- 7. @briandemers / @mraible DeveloperPersonas App Developer Frontend Developer Mobile App Developer Web Developer API Developer Java Developer Backend Developer Probably likes tests DevOps System Administrator Deployer Operations Monitoring Security Concerned Consultant Paranoid Geek Security over performance @briandemers / @mraible
- 8. @briandemers / @mraible 02 AppAuth Security Patterns @briandemers / @mraible
- 9. @briandemers / @mraible Webvs SPA vs Mobile App @briandemers / @mraible
- 10. @briandemers / @mraible HTTPBasic @briandemers / @mraible
- 11. @briandemers / @mraible Form-basedAuthentication @briandemers / @mraible
- 12. CHALLENGE SOLUTION @briandemers /@mraible SAML @briandemers / @mraible SAML is to OIDC as SOAP is to REST. -Joël Franusic (@jf)
- 13. @briandemers / @mraible JWTAuthentication @briandemers / @mraible
- 14. @briandemers / @mraible @briandemers/ @mraible Why JWTs Suck as Session Tokens -@rdegges on developer.okta.com, 2017 What do we do about JWT? -Security. Cryptography. Whatever. podcast, 2021
- 15. @briandemers / @mraible OpenIDConnect (OIDC) for Auth @briandemers / @mraible Identity Provider 🔒Verify
- 16. @briandemers / @mraible Multi-FactorAuthentication (MFA) @briandemers / @mraible
- 17. @briandemers / @mraible Multi-FactorAuthentication (MFA) @briandemers / @mraible
- 18. Passwordless password Password1 Password1! We like tothink we know what we are talking about, at least Okta hasn't fired us yet… @briandemers / @mraible
- 19. @briandemers / @mraible SAML ⭐⭐ App Auth Security Patterns HTTP Basic ⭐ Embedded Auth ⭐ OpenID Connect ⭐ ⭐ ⭐ ⭐ MFA ⭐ ⭐ ⭐ ⭐ ⭐ Passwordless ⭐ ⭐ ⭐ ⭐ ⭐ JWT Auth ⭐ ⭐ @briandemers / @mraible
- 20. @briandemers / @mraible AppAuth Security Patterns Tired Wired Apps handling passwords Stateless to scale OAuth Implicit Flow Sensitive data in URL Let someone else worry about it Sessions are tried and true OAuth Auth Code w/ PKCE Use headers or the body @briandemers / @mraible
- 21. @briandemers / @mraible 03 APIAuth Security Patterns @briandemers / @mraible
- 22. @briandemers / @mraible HTTPBasic @briandemers / @mraible spring: cloud: config: fail-fast: true retry: initial-interval: 1000 max-interval: 2000 max-attempts: 100 uri: http://admin:${jhipster.registry.password}@localhost:8761/config # name of the config server's property source (file.yml) that we want to use name: store profile: prod # profile(s) of the property source label: main # toggle to switch to a different version stored in git jhipster: registry: password: admin
- 23. @briandemers / @mraible Tokens @briandemers/ @mraible $20
- 24. @briandemers / @mraible OAuth2.0 @briandemers / @mraible https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
- 25. @briandemers / @mraible OAuth2.0 @briandemers / @mraible
- 26. @briandemers / @mraible OAuth2.0 @briandemers / @mraible
- 27. @briandemers / @mraible OAuth2.1 @briandemers / @mraible https://oauth.net/2.1 Authorization Code + PKCE Client Credentials Device Grant
- 28. @briandemers / @mraible OAuthClient Credentials @briandemers / @mraible
- 29. @briandemers / @mraible APIGateway API Gateway App App App /dogs /cats /fish @briandemers / @mraible { Rest } Client
- 30. @briandemers / @mraible UseAPI SDKs @briandemers / @mraible
- 31. @briandemers / @mraible Encryptand Rotate Secrets @briandemers / @mraible
- 32. @briandemers / @mraible RBACand ACLs @briandemers / @mraible Groups Admin User Help Desk Privilege Record : Read Record : Create Record : Update Record : Delete Users
- 33. @briandemers / @mraible OAuth2.1 ⭐ ⭐ ⭐ ⭐ ⭐ API Auth Security Patterns HTTP Basic ⭐ ⭐ Tokens ⭐ ⭐ ⭐ API SDKs ⭐ ⭐ ⭐ ⭐ Encrypt Secrets ⭐ ⭐ ⭐ ⭐ ⭐ RBAC and ACLs ⭐ ⭐ ⭐ ⭐ ⭐ API Gateway ⭐ ⭐ ⭐ ⭐ ⭐ @briandemers / @mraible
- 34. @briandemers / @mraible APIAuth Security Patterns Tired Wired Build it yourself Static API Tokens CORS wildcard Use existing libraries Short lived access tokens Restrict access with CORS @briandemers / @mraible
- 35. @briandemers / @mraible 04 InfraAuth Security Patterns @briandemers / @mraible
- 36. CHALLENGE SOLUTION @briandemers /@mraible Linux @briandemers / @mraible Software is Automation and Automation is less toil. -Mark Shuttleworth Canonical CEO Larry Ewing
- 37. @briandemers / @mraible SSHwith Keys @briandemers / @mraible https://www.ssh.com/academy/ssh/protocol
- 38. Certificates CC BY 3.0:EFF.org @briandemers / @mraible
- 39. @briandemers / @mraible @briandemers/ @mraible SSO for Servers https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam Active Directory Pluggable Authentication Modules (PAM) for Linux Okta's Advanced Server Access https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
- 40. Scan Docker Images @briandemers/ @mraible
- 41. @briandemers / @mraible KnowYour Cloud and Cluster Security @briandemers / @mraible https://twitter.com/acloudguru/status/1344724013122260993
- 42. @briandemers / @mraible The4C's of Cloud Native Security https://kubernetes.io/docs/concepts/security/overview/ @briandemers / @mraible
- 43. @briandemers / @mraible KubernetesTips Kubernetes Tips Only expose what needs to be public Scan and update Kubernetes YAML Check out Kubescape https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes @briandemers / @mraible
- 44. @briandemers / @mraible EncryptKubernetes Secrets @briandemers / @mraible apiVersion: v1 kind: Secret metadata: name: registry-secret namespace: demo type: Opaque data: registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64 encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"
- 45. @briandemers / @mraible Automationis Key @briandemers / @mraible WSJ
- 46. @briandemers / @mraible @briandemers/ @mraible
- 47. @briandemers / @mraible Certificates ⭐⭐ ⭐ ⭐ Infra Auth Security Patterns Linux ⭐ ⭐ ⭐ ⭐ ⭐ SSH with Keys ⭐ ⭐ ⭐ Scan Docker Images ⭐ ⭐ ⭐ ⭐ ⭐ Encrypt K8s Secrets ⭐ ⭐ ⭐ ⭐ ⭐ Automate Your Infra ⭐ ⭐ ⭐ ⭐ ⭐ SSO for Servers ⭐ ⭐ ⭐ ⭐ ⭐ @briandemers / @mraible
- 48. @briandemers / @mraible InfraAuth Security Patterns Tired Wired FROM: some-large-image:1.2.3 Secrets in Images Shared Credentials Use minimal images HashiCorp Vault Limit Access @briandemers / @mraible
- 49.
- 50. @briandemers / @mraible Action Howto codify these patterns? @briandemers / @mraible spring security
- 51. @briandemers / @mraible Action Howto test for lack of patterns? @briandemers / @mraible https://implicitdetector.io Audit Server Access
- 52. @briandemers / @mraible Action Howto test for vulnerabilities? @briandemers / @mraible
- 53. @briandemers / @mraible Whatabout ? @briandemers / @mraible
- 54. The OWASP Top10 really hasn’t changed all that much in the last ten years. -Johnny Xmas (@J0hnnyXm4s) @briandemers / @mraible
- 55.
- 56. @briandemers / @mraible Thanks! BrianDemers @briandemers @bdemers @bdemers brian.demers@okta.com Matt Raible @mraible @mraible @mraible matt.raible@okta.com https://speakerdeck.com/mraible
- 57.