OAuth 2.0 is an open standard for delegated authorization: it lets a user grant a third-party application limited access to private resources such as photos, videos, contact lists and calendars without handing over a password. The core framework was published as RFC 6749 in October 2012, with bearer token usage in RFC 6750; it defines the authorization grant flows and token types for confidential and public clients. These slides, from OpenID TechNight #7 in Osaka, cover the state of the spec at draft 21 and the changes client and server developers needed to make at the time.
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study), by Richard Bullington-McGuire
Richard Bullington-McGuire presented this talk on PKI-enabling web applications for the DoD at the 2009 MIL-OSS conference (http://www.mil-oss.org/). It is a case study that shares some of the challenges and solutions surrounding the implementation of the Forge.mil system.
TrustBearer - Virginia Security Summit - Web Authentication Strategies - Apri..., by TrustBearer
TrustBearer's Brian Kelly gave this presentation during the Identity Management track at the Virginia Security Summit in Richmond, VA. It compares SAML to OpenID and explains how different authentication methods can be used with either of these Single Sign-On standards.
SMS PASSCODE represents a new-generation solution that enables organizations and companies to easily protect employee remote access to corporate systems (Citrix, Microsoft incl. OWA, Virtual Desktops, VPN, SSL VPN, etc.) with two-factor authentication via SMS, voice call or secure e-mail. In short, the solution first validates the user name and password before creating and sending a one-time password valid only for that login attempt. Because it can only be generated this way and only works for that login on that computer, it is award-winning security against modern threats. Easy and very secure.
OpenID Connect: The new standard for connecting to your Customers, Partners, ..., by Salesforce Developers
With the proliferation of cloud applications, mobile devices, and the need to connect to external users, IT organizations are increasingly challenged with how to manage and gain transparency into user access to systems and applications. As your organization looks to deploy Identity in the cloud, it’s critical that this is backed by open standards.
In this webinar, Chuck Mortimore, Pat Patterson, and Ian Glazer will give you a broad overview of how OpenID Connect can help better connect you with your customers, partners, apps, and devices.
Key Takeaways
Get introduced to OpenID Connect, learn how it builds on top of OAuth, and discover why it’s an important new standard for your organization
Consume OpenID Connect from popular Identity providers with Social Sign-On
Provide a single, branded Identity to your own users and applications using OpenID Connect
Use OpenID Connect to easily build Identity-enabled mobile applications
Plan for the next generation of connected devices
Intended Audience
This webinar is aimed at a technical audience of administrators, developers, architects and business analysts who are wishing to learn more about Identity and Standards
My 2012 homerun in IT-security: For many years nothing happened in Web security - with respect to security-enabling the HTTP stack. This is not true anymore: game-changing innovations do emerge right now. Their impact will - likely - be pervasive. It is important to understand what exactly is being launched, why this is happening and which forces are driving this. This presentation establishes this context and elaborates on the implications.
This presentation was given at the Card Tech Secure Tech (CTST) Conference on May 5, 2009 in New Orleans, LA. Brian Kelly was on a panel with Gilles Lisimaque, Siddharth Bajaj and Michael Poitner to discuss emerging technologies in Smart Cards, Tokens & Digital Identity
Presented at a seminar at Bahria University, June 2007
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, Certification Authority, Secure Socket Layer (SSL), Secure Electronic Transaction (SET)
OAuth 2.0 (RFC 6749/50) is a delegated authorization framework that makes requesting access for, and authenticating as, a client to an API as easy as getting a token and using a token. This session will explore the different OAuth flows in the spec as well as extensions such as the JWT assertion flow and the SAML bearer extension, and will also discuss the security mitigations needed to use the protocol safely.
Cross Platform Mobile Apps with APIs from Qcon San Francisco, by CA API Management
Building cloud and API driven mobile apps introduces numerous complexities around syncing, caching, and securing data. In this presentation Alex Gaber explored numerous tools and frameworks including best practices around building HTML5 cross-platform hybrid native applications.
Layer 7's Chief Architect Francois Lascelles will be speaking at The Chicago Mobile Meetup Group's meeting on August 14. He will be discussing mobile apps and API Management. This is an informal professional group focused on developing relationships and fostering mobile technology innovation.
2022 APIsecure: Why Assertion-based Access Token is preferred to Handle-based ..., by APIsecure_ Official
APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management, bringing together breakers, defenders, and solutions in API security.
Why is an assertion-based access token preferred to a handle-based one?
Yoshiyuki Tabata, Software Engineer at Hitachi
The OAuth2 Framework allows you to protect your web resources using the next-generation OAuth (http://oauth.net/2/) as well as to access OAuth2-protected resources, most notably the Facebook Graph API. The API consists of libraries for building your own OAuth2 server as well as client-side access. The standard is still in draft mode, so expect some level of change; currently draft 10 of the OAuth 2 specification is the one supported.
The framework is implemented in Java on top of the Restlet.org HTTP framework.
It can execute on all platforms that Restlet is available on and is validated on Java SE, EE and Android.
Donated to Restlet.org as an open source project under a very generous open source license for reuse.
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity, by CA API Management
Understanding how emerging standards like OAuth and OpenID Connect impact federation
Federation is a critical technology for reconciling user identity across Web applications. Now that users consume the same data through cloud and mobile, federation infrastructure must adapt to enable these new channels while maintaining security and providing a consistent user experience.
This webinar will examine the differences between identity federation across Web, cloud and mobile, look at API specific use cases and explore the impact of emerging federation standards.
You Will Learn
Best practices for federating identity across mobile and cloud
How emerging identity federation standards will impact your infrastructure
How to implement an identity-centric API security and management infrastructure
Presenters
Ehud Amiri
Director, Product Management, CA Technologies
Francois Lascelles
Chief Architect, Layer 7
The objective of this presentation is to implement an authentication provider that lets users authenticate only once, like the one you use to authenticate on Facebook, LinkedIn, or Google.
Authentication should be web-based and/or API-based and should authenticate against our LDAP server.
The provider should also remember which third-party systems are authorized to authenticate against this server and what information, if any, is shared.
40. Core: response_type=token
Parties: Resource Owner, Client, Authorization Server
Initiate: the client sends the resource owner to the authorization server with client_id=...&response_type=token&redirect_uri=https://...
Require approval: the authorization server asks the resource owner to approve the client.
Approve: the resource owner approves.
Access token: the authorization server returns the access token to the client via the redirect URI (in the URI fragment).
All clients MUST pre-register “redirect_uri”
OpenID TechNight #7, 11/9/8
41. Core Notes
For Servers
Do you support public clients?
Do you need iPhone/Android app support?
Require full redirect URI registration
Narrower scopes / shorter lifetime for public clients
For Clients
Don’t include the client secret in your mobile app
42. Core Security Considerations
Don’t issue “client_secret” to public clients
“redirect_uri” verification is important, especially for public clients
Consider a security policy per client type
Use the “state” param against CSRF / code injection attacks
etc.
44. Code injection attack without “state”
Parties: Attacker, Client, Authorization Server
Initiate: the attacker starts the flow at the client and is sent to the authorization server.
Require approval / Approve: the attacker approves with the attacker’s own Twitter account and receives a code on the redirect.
Code: instead of completing the login, the attacker delivers that redirect (with the code) to the client inside a victim’s session; the client has no way to tell which browser started the flow.
Access token: the client exchanges the code for an access token, so the victim is now logged in to the client with the attacker’s Twitter account.
45. The same flow with “state”
Parties: Attacker, Client, Authorization Server
Initiate: the client generates a state value, stores it in the browser session (cookie etc.) and includes it in the authorization request.
Require approval / Approve: the authorization server returns the code together with the same state.
Code + state: when the attacker replays that redirect into a victim’s session, the client compares the received state with the one stored for that session. They differ: “state” verification failed!!
46. In draft 21, “state” is RECOMMENDED
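Slides 42 to 46 show the code injection attack and the state check as diagrams. The Python below is an added example written for this page, not code from the deck or from any OAuth library, and the endpoint, client_id and redirect URI in it are made up. It models both sides of the flow: the authorization server exact-matches redirect_uri against the pre-registered value (slides 40 and 42) and echoes state back unchanged; the client binds a random state to the browser session before redirecting and, on the callback, rejects any code whose state does not belong to that session. simulate_code_injection() replays the attack of slide 44 against a naive callback handler and against the state-checking one.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Hypothetical endpoint, client and redirect URI; none of these are from the deck.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "example-client"
REGISTERED_REDIRECT_URI = "https://client.example/callback"
REGISTERED_CLIENTS = {CLIENT_ID: REGISTERED_REDIRECT_URI}


def build_authorization_url(session, response_type="code"):
    """Client, step 1: mint an unguessable state, bind it to this browser
    session (cookie-backed in a real app) and carry it in the request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "response_type": response_type,  # "code token" goes out as code%20token
        "redirect_uri": REGISTERED_REDIRECT_URI,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def authorization_server_redirect(request_url):
    """Authorization server, after the resource owner approves: exact-match
    redirect_uri against the pre-registered value (no prefix or substring
    matching) and echo state back unchanged. Returns (redirect_url, code)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    registered = REGISTERED_CLIENTS.get(params.get("client_id"))
    if registered is None or params.get("redirect_uri") != registered:
        raise ValueError("redirect_uri does not match the registered value")
    code = secrets.token_urlsafe(16)
    response = {"code": code}
    if "state" in params:
        response["state"] = params["state"]
    return registered + "?" + urlencode(response, quote_via=quote), code


def handle_callback_naive(callback_url):
    """Client callback that ignores state: any code that shows up is used."""
    return parse_qs(urlsplit(callback_url).query)["code"][0]


def handle_callback(session, callback_url):
    """Client callback with the state check: the value in the redirect must
    equal the one bound to this session, and it is consumed on first use."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if not (expected and received and hmac.compare_digest(expected, received)):
        raise PermissionError("state verification failed")
    return query["code"][0]


def simulate_code_injection():
    """Replay the attack of slide 44 against both callback handlers.

    The attacker runs the flow with their own account and keeps the redirect
    carrying their code. That redirect is then opened in the victim's browser,
    whose session holds a different pending state."""
    attacker_session = {}
    attacker_redirect, attacker_code = authorization_server_redirect(
        build_authorization_url(attacker_session))

    victim_session = {}
    build_authorization_url(victim_session)  # the victim started their own login

    naive_code = handle_callback_naive(attacker_redirect)
    try:
        handle_callback(victim_session, attacker_redirect)
        strict = "accepted"
    except PermissionError:
        strict = "rejected"
    return {
        "naive_client_binds_victim_to_attacker_account": naive_code == attacker_code,
        "state_checking_client": strict,
    }


if __name__ == "__main__":
    print(simulate_code_injection())
```

The state is compared with hmac.compare_digest and popped from the session on first use, so a redirect can neither be replayed nor matched by a guessed value; the redirect_uri check on the server side is a string equality, which is what "full redirect URI registration" on slide 41 buys you.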
47. Token Type Spec
Resource Owner --Authorize--> Authorization Server
Authorization Server --Access Token--> Client
Client --API Access--> Resource Server
The token type spec covers the last step: how the client presents the access token to the resource server.
48. Token Type Spec
Token        Bearer              MAC
Signature    No signature        Signature
Secret       No token secret     Token secret
Position     Mainstream          Similar to OAuth 1.0 + extensions
53. Token Notes
For Servers
Access Token Response: set “token_type” to “bearer”
Resource Request: support both the “OAuth” and “Bearer” auth header schemes, and both the “oauth_token” and “access_token” query/body params
54. Token Notes
For Clients
Move from “OAuth” to “Bearer”
Move from “oauth_token” to “access_token”
Only for Facebook API developers: the access token response will be JSON
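Slides 48, 53 and 54 describe the bearer token migration in terms of header schemes, parameter names and the JSON token response. The following Python is an added example for this page, not code from the deck or from Facebook; it implements the three pieces a server and client developer need for that migration: a resource-server helper that accepts the token under the new "Bearer" scheme or "access_token" parameter as well as the legacy "OAuth" scheme or "oauth_token" parameter, an authorization-server helper that emits the JSON access token response with token_type "bearer", and a client-side parser that refuses token types it does not implement. The extra rule that a request must not carry the token by more than one method is taken from RFC 6750; the sample token values are constructed.

```python
import json
import re

# Legacy drafts used the "OAuth" scheme; the bearer token spec uses "Bearer".
# The token part follows the b64token grammar, with optional trailing "=".
_AUTH_HEADER = re.compile(
    r"^\s*(?P<scheme>OAuth|Bearer)\s+(?P<token>[A-Za-z0-9\-._~+/]+=*)\s*$",
    re.IGNORECASE,
)


def extract_access_token(headers, query_params, form_params):
    """Resource server side (slide 53): find the access token whether the
    client uses the new header scheme / parameter name or the legacy ones.

    Returns (token, where_it_was_found). Raises ValueError when no token is
    present, the scheme is unknown, or the client used more than one
    transmission method in the same request (RFC 6750 forbids mixing them)."""
    found = []
    auth = headers.get("Authorization")
    if auth is not None:
        match = _AUTH_HEADER.match(auth)
        if match is None:
            raise ValueError("unsupported Authorization header")
        scheme = "Bearer" if match.group("scheme").lower() == "bearer" else "OAuth"
        found.append((match.group("token"), "header:" + scheme))
    for where, params in (("query", query_params), ("body", form_params)):
        for name in ("access_token", "oauth_token"):
            if name in params:
                found.append((params[name], where + ":" + name))
    if not found:
        raise ValueError("no access token presented")
    if len(found) > 1:
        raise ValueError("access token sent via more than one method")
    return found[0]


def bearer_token_response(access_token, expires_in=3600, scope=None):
    """Authorization server side (slide 53): the JSON access token response
    with token_type set to "bearer". Returns (headers, body); the no-store
    cache headers are the ones RFC 6749 requires on token responses."""
    body = {"access_token": access_token, "token_type": "bearer",
            "expires_in": expires_in}
    if scope:
        body["scope"] = scope
    headers = {"Content-Type": "application/json",
               "Cache-Control": "no-store", "Pragma": "no-cache"}
    return headers, json.dumps(body)


def authorization_header_from_response(content_type, body):
    """Client side (slide 54): parse the JSON token response and build the
    resource-request header using the "Bearer" scheme. A token_type the client
    does not implement (e.g. "mac") is refused rather than silently sent."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise ValueError("expected a JSON access token response")
    data = json.loads(body)
    if "error" in data:
        raise ValueError("token error: " + str(data["error"]))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unsupported token_type: " + str(data.get("token_type")))
    return "Bearer " + data["access_token"]


if __name__ == "__main__":
    # Constructed sample exchange: server issues a token, client presents it,
    # resource server extracts it; then a legacy-style client for comparison.
    hdrs, body = bearer_token_response("tok_constructed_123", scope="read")
    auth = authorization_header_from_response(hdrs["Content-Type"], body)
    print(extract_access_token({"Authorization": auth}, {}, {}))
    print(extract_access_token({}, {"oauth_token": "legacy_constructed"}, {}))
```

Accepting both spellings on the server lets old clients keep working during the migration window; logging the "where_it_was_found" value tells you which clients still need to move.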
57. OAuth Migration (by 2011.09.30)
Using legacy FB APIs? (~2010.04)
No more “fb_sig” and “fb_sig_session_key”
Migrate to OAuth 2.0 (http://j.mp/fb_sig_to_oauth)
Your library might not work anymore
58. OAuth Migration (by 2011.09.30)
Developing canvas or page tab apps?
No more “fb_sig”
Migrate to “signed_request”
Obtain an SSL certificate
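Slide 58 tells canvas and page tab developers to move from fb_sig to signed_request. The Python below is an added example for this page, not code from the deck or from Facebook's SDKs. It verifies a signed_request of the form base64url(HMAC-SHA256(app_secret, payload)).base64url(payload), where the payload is a JSON object carrying an "algorithm" field of "HMAC-SHA256", and it returns the payload only after the signature checks out. The app secret and the sample payload values are constructed for the example; make_signed_request() exists only to build that sample input.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical app secret, constructed for this example.
APP_SECRET = "constructed-app-secret-do-not-reuse"


def b64url_decode(text):
    """signed_request uses base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request, app_secret=APP_SECRET):
    """Verify and decode a signed_request.

    The MAC is computed over the base64url-encoded payload string exactly as
    received, so the check must happen before anything in the payload is
    trusted: user_id, oauth_token or code fields in an unverified payload are
    whatever the sender chose to put there. Raises ValueError on any failure."""
    if signed_request.count(".") != 1:
        raise ValueError("malformed signed_request")
    encoded_sig, payload = signed_request.split(".")
    try:
        data = json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("undecodable payload") from exc
    if not isinstance(data, dict):
        raise ValueError("payload is not a JSON object")
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(app_secret.encode("utf-8"), payload.encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(encoded_sig)):
        raise ValueError("signature verification failed")
    return data


def make_signed_request(data, app_secret=APP_SECRET):
    """Produce a signed_request the way the issuing side would; used here only
    to construct sample input for the verifier above."""
    payload = b64url_encode(json.dumps(data, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(app_secret.encode("utf-8"), payload.encode("ascii"),
                   hashlib.sha256).digest()
    return b64url_encode(sig) + "." + payload


if __name__ == "__main__":
    # Constructed sample: the field names follow the signed_request format,
    # the values are made up.
    sample = make_signed_request({"algorithm": "HMAC-SHA256",
                                  "issued_at": 1315497600, "user_id": "1234567"})
    print(parse_signed_request(sample))
    # A tampered payload paired with the original signature is rejected.
    sig, _ = sample.split(".")
    forged = b64url_encode(b'{"algorithm":"HMAC-SHA256","user_id":"1"}')
    try:
        parse_signed_request(sig + "." + forged)
    except ValueError as err:
        print("rejected:", err)
```

The algorithm field is checked against a fixed value rather than used to pick a hash, and the comparison is constant-time; those two details are what keep a signed_request verifier from degrading into a parser that trusts its input.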
59. OAuth Migration (by 2011.09.30)
Using FB.login (or <fb:login-button>) and the FB cookie?
Now the “code” is in the cookie, not the “access_token”
You need to exchange the code for an access token
60. OAuth Spec Updates
Using “response_type=code_and_token”?
Use “response_type=code%20token” instead