Security Architecture Consulting - The Next Stop!
#whoami – Hiren Shah
• 25 Years in Business & IT field
• President & Mentor of Net Square
• LinkedIn: hirens
• Twitter: @hiren_sh
Business & IT Leader Mixed into One
Key Drivers and Considerations of today's Global Banks

1. Cross-selling of financial and non-financial products
2. Deliver an experience based on personalisation
3. Support customer segments with different web capabilities
4. Support innovation: agility to implement new features
5. Seamless experience across channels

"To provide a state-of-the-art, customised, seamless and uniform user experience for all customer segments across desktop and mobile web."

Typical Logical Architecture

Advantages:
• Cloud enabled
• Microservices-driven integration approach
• Personalization and contextualization
• Multilingual support
• Future proof
• Omni-channel
• Polyglot persistence

Security challenges:
• Stateless architecture
• API management
• Infrastructure security
• Data security
Identifying security holes early on

[Diagram: typical deployment. Client Browser; WAF; Netscaler (LB); Nginx (Reverse Proxy / SLB); Nginx serving the AngularJS app; MicroService A and MicroService B on Embedded Tomcat; PCF Platform; Orchestrator; Config-Server; Redis; MQ; Databases; Active Directory / ADFS. Link labels: one Https hop and several plain Http hops between components.]

Callouts on the diagram:
• Question the client on threat perception
• Challenges in system administration on new platforms and technologies
• Polyglot persistence: how should data be stored?
• Limitation of tools, e.g. containerisation of the messaging layer?
Build Security Design Patterns

Typical Technical Architecture: Secured SPA Applications

[Diagram. Client: Angular framework with View (HTML), Controller + Service (TypeScript), Model (JSON) and an Http Interceptor (AUTH); static CSS, images and fonts; JSON over HTTPS to the backend. Backend: stateless microservices on Spring Boot + allied frameworks, with an Http Interceptor (AUTH-FILTER), RestController, Message Listener, Service, Model (POJO), DAO and JDBC to the Application Database; a Protocol Adaptor (REST/JMS); internal queues; JMS to a Notification Engine (SMS / Email); an OIDC / OAuth Server reached over HTTPS; an Unstructured Datastore; Caching over TCP/IP.]

Security specs:
• jsrsasign v8.0.12 (JavaScript library) on the client (https://www.npmjs.com/package/jsrsasign)
• Java Cryptography Extension (JCE) implementation of Java SE 8 on the server
• Secret key generation per session
• Encryption of sensitive data on the client using an RSA (2048-bit) public key
• MAC computation using HmacSHA512 and the secret key for every request/response

Validate design principles, e.g. is the proposed solution going to maintain state in a stateless architecture?
Build patterns of security principles, e.g. OTT.
The Devil is in the Detail!

Client-side random id generation (from the Angular client; shown here as plain functions so it runs as-is in a browser console):

// Eight 32-bit words. The initial contents do not matter: getRandomValues()
// overwrites every element with output from the browser CSPRNG.
function generateRandom() {
  var randomWords = new Uint32Array(8);
  window.crypto.getRandomValues(randomWords);
  return padZero(randomWords);
}

// Prefixes each word with '0' and concatenates. Note that '0' + n prepends a
// single zero; it does not pad to a fixed width. A Uint32 prints as 1 to 10
// decimal digits, so the result is 16 to 88 characters long rather than the
// fixed 16 digits stated in the format below.
function padZero(randomNumberArray) {
  var result = '';
  for (var i = 0; i < randomNumberArray.length; i++) {
    result += '0' + randomNumberArray[i];
  }
  return result;
}

// Generated once per SPA load.
var clientSessionId = generateRandom();

A new "nonce" header value is sent on every request and validated against the response header value. It also acts as a correlation id to trace and correlate a user's requests in logs across backend services.
Format: (16-digit random per session | 16-digit random per request)

// Per request, in the HTTP interceptor.
var requestId = generateRandom();
requestHeaders['nonce'] = clientSessionId + '|' + requestId;

"state" is the unique server session id, created for tracking the conversation of the multi-factor login flow, with a short maximum idle/inactivity timeout (e.g. 5 minutes).
Format: Base64.getUrlEncoder().withoutPadding().encode(User-Agent | client_id | clientSessionId | UID | UUID.randomUUID().toString())
Base64url is an encoding, not encryption: anyone holding a state value can decode the User-Agent, client_id, clientSessionId and UID from it, so its unguessability rests on the random UUID component alone.

Login sequence (reconstructed from the slide's diagram):
1. The End-User enters the user id in the LogonUI (Angular client), served from https://www.kotak.com/Signin/ by the HTTP server.
2. LogonUI: generateNonce(); POST /v1/idp/login to the Authentication Service with header [nonce] and body {client_id, userId}.
3. Authentication Service: validateNonce(); look up the UserId and CRN (FindUID, authMethod); generateState(); put(state, HashMap) into the Cache Server (Redis).
4. Response to LogonUI: header [nonce], body {state, authMethod}.
5. LogonUI validates the returned nonce, busts frames and displays the fields relevant for authMethod.
The reverse proxy should add standard security headers to ALL responses:
Strict-Transport-Security: max-age=599
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Access-Control-Allow-Origin: https://www.abcbank.com

Two things to check in that list before copying it: max-age=599 makes HSTS expire ten minutes after the last visit, so production values are a year or more (31536000) with includeSubDomains; and X-XSS-Protection is ignored by current browsers (Chromium removed its XSS auditor, Firefox never had one), so a Content-Security-Policy is the control that actually applies.
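When a reverse proxy is supposed to stamp these headers on every response, the check is easy to automate against captured responses. The following is an added example written for this edit, not from the deck: a small audit that takes a header map (as a test harness or proxy log would give it) and returns findings, run once over the deck's own header set as written and once over a hardened set. The origin value and the hardened CSP are constructed for the example.

```javascript
// Added example (not from the deck): audit the security headers a reverse proxy
// should set on every response. Input: plain object of header name -> value.
const ONE_YEAR = 31536000;

function parseHstsMaxAge(value) {
  const m = /max-age\s*=\s*(\d+)/i.exec(value || '');
  return m ? Number(m[1]) : null;
}

// Returns a list of findings; an empty list means the response passes.
function auditSecurityHeaders(headers, allowedOrigin) {
  // Header names are case-insensitive; normalise once.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  const hsts = h['strict-transport-security'];
  const maxAge = parseHstsMaxAge(hsts);
  if (maxAge === null) {
    findings.push('missing Strict-Transport-Security (or no max-age)');
  } else {
    if (maxAge < ONE_YEAR) findings.push(`HSTS max-age=${maxAge} is too short; use at least ${ONE_YEAR}`);
    if (!/includesubdomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') findings.push('X-Frame-Options is not DENY or SAMEORIGIN');

  // Enabling the legacy XSS auditor does nothing in current browsers; CSP is the control.
  if (/^\s*1/.test(h['x-xss-protection'] || '')) {
    findings.push('X-XSS-Protection: 1 is ignored by current browsers; set 0 or drop it and use CSP');
  }
  if (!h['content-security-policy']) findings.push('missing Content-Security-Policy');

  const acao = h['access-control-allow-origin'];
  if (acao === '*') findings.push('Access-Control-Allow-Origin is * on an authenticated API');
  else if (acao !== undefined && acao !== allowedOrigin) findings.push(`Access-Control-Allow-Origin ${acao} is not the expected origin`);

  return findings;
}

// The deck's header set, exactly as written on the slide (constructed input object).
const DECK_HEADERS = {
  'Strict-Transport-Security': 'max-age=599',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block',
  'Access-Control-Allow-Origin': 'https://www.abcbank.com',
};

// A hardened set that passes the audit (CSP value is a constructed minimum).
const HARDENED_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'Access-Control-Allow-Origin': 'https://www.abcbank.com',
};

// auditSecurityHeaders(DECK_HEADERS, 'https://www.abcbank.com') -> four findings
// auditSecurityHeaders(HARDENED_HEADERS, 'https://www.abcbank.com') -> []
```

Run it over every response in a crawl, not just the landing page: the usual failure is a proxy rule that applies to HTML but not to the JSON API paths or to error pages generated upstream of the proxy.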
Prioritise review of some controls over the others

A callout alongside the table reads: "These you will get a chance to test thoroughly during Appsec also."

Controls and testing goals:

Authentication
• Authenticate users before allowing access to any sensitive data or operations.
• Safeguard user accounts from misuse or unauthorized use.
• Protect authentication credentials when stored or in transit.

Authorization
• Prevent user access to resources outside their assigned privileges.
• Restrict functionality to only those resources required to fulfil the task.

Input Validation
• All client-side input must be regarded as untrusted.
• All input must be validated before being passed to the application logic.
• Only good and expected input should be allowed.

Session Management
• Protect against session hijacking.
• Protect against brute forcing.
• Well-defined login and logout points.
• Expired sessions cannot be re-used later.

Client Protection
• Assume an untrusted endpoint environment.
• Assist in application-layer endpoint security.
• Prohibit sensitive data from being stored on the client.
• Assist in preventing data leaks from the endpoint.

Cryptography
• Appropriate choice and justification of cryptographic algorithms.
• Well-known and tested cryptography.
• Detect inadvertent use of cryptography.

Logging
• Auditing capabilities independent of any other system audit trails.
• Events should be labelled appropriately within the log data.
• Log review.
• Protected from unauthorized access and tampering.
Take a "Holistic" View

[Diagram: infrastructure virtualization running multiple instances; an Orchestrator managing several Nodes, each running containers. Assessment areas called out: Container Orchestration Assessment and Network Assessment.]

Extend the coverage to include all aspects of the solution, including administration of the platforms.
Process & Policy are not "out-of-scope"!

Technical: a vulnerability in funds transfer allows unauthorized funds transfer.
Policy: the user id used for customer identification is a sequential number.
Process: money can be transferred to a beneficiary without registration.

Read together, the three chain: sequential ids let an attacker enumerate victim accounts, the missing beneficiary registration removes the step that would have flagged an unknown payee, and the technical flaw executes the transfer.

Serious security breaches typically manifest because of weaknesses in process and policy design combined with technical vulnerabilities.
Sometimes, "what the client wants"

# Activity
1 Documents review (network, data flow, etc.)
Understand the network and data flow of the application, including every component in its ecosystem and any other application it connects to.
2 Inter-tier authentication
Functionality of the interfaces and the encryption used (SSL, TLS, etc.).
3 User authentication & authorization
Authentication (AD or local); role-based access; master maintenance (maker/checker for important functions).
Dormant accounts and how they are managed; service accounts and their security (interactive login disabled).
Multi-factor authentication: known vulnerabilities.
Check whether the software component used for authentication has known vulnerabilities.
4 Data at rest
Identify how sensitive data is stored in the database.
5 Data in transit
Review how sensitive data is transmitted over the communication channel.
6 Security review of APIs and web services associated with integrations (if applicable)
Review the technology (OAuth, JWT, etc.) used for the API or web service and identify any known vulnerability, e.g. no validation of session tokens.
7 User access management (provisioning / de-provisioning / modification)
Review how users are provisioned and removed; the frequency of user access reviews and whether there is a documented procedure for it; dormant account handling.
8 Password policy
Review the application's password policy; if the application is not integrated with AD, check that the policy matches the Kotak-defined password policy.
9 Multi-factor authentication
Review the multi-factor authentication used (Google Authenticator), check for known vulnerabilities and whether the implementation is secure.
10 Cryptography management
Review the encryption and hashing algorithms used in the application and whether they conform to the Kotak-defined cryptographic standard.
11 Audit logging
Review logging of sensitive information; identify the logging at the various components (OS, app, DB, etc.).
12 Application deployment process
How the final compiled code is deployed: is there a defined process, or can the app owner push binaries to production directly?
13 Backend (database / MQ) tampering to initiate a transaction or update balances
Tamper with the request or file used for processing the transaction and check whether it is executed successfully; try to update the same values directly in the backend database and review the result.
14 Financial transaction flow (STP / manual)
Review the transaction flow and the controls around it, e.g. whether a file integrity solution protects a file-based transaction system.
15 Identification and configuration review of compensating controls (e.g. WAF, IDS / IPS responsible for the application)
Identify the technologies used as compensating controls for known vulnerabilities and review their configuration and implementation.
16 Data integrity
As a security measure the request payload or file is sent with a checksum to provide assurance on the integrity of the data. Review whether it is implemented securely (e.g. whether the algorithm used to generate the checksum is obsolete). Note that an unkeyed checksum only detects accidental corruption; integrity against a party who can alter the payload needs a keyed MAC, as in the HmacSHA512 spec earlier in this deck, or a digital signature.
Document threat scenarios: they are your test cases while doing Appsec.

Challenges - Lack of Documentation
Give them some templates... and nudge! You will find many here.

If done right... the response is always "Awesome"!

Yes! Sometimes it will be daunting!

Thanks!
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
Jen Stirrup
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 

Recently uploaded (20)

Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 

Security Architecture Consulting - Hiren Shah

• 2. #whoami – Hiren Shah
  • 25 Years in Business & IT field
  • President & Mentor of Net Square
  • LinkedIn: hirens
  • Twitter: @hiren_sh
  Business & IT Leader Mixed into One
• 4. Key Drivers and Considerations of today’s Global Banks
  1. Cross-Selling for Financial And Non-Financial Products
  2. Deliver Experience based on Personalisation
  3. Support customer segments with different web capabilities
  4. Support innovation - agility to implement new features
  5. Seamless Experience Across Channels
  “To Provide state-of-the-art customized seamless and uniform User Experience for all customer segments across desktop & mobile web”
• 5. Same as slide 4, with the heading TYPICAL LOGICAL ARCHITECTURE added.
• 6. Same as slide 5, adding ADVANTAGES: CLOUD ENABLED; MICROSERVICES DRIVEN INTEGRATION APPROACH; PERSONALIZATION AND CONTEXTUALIZATION; MULTILINGUAL SUPPORT; FUTURE PROOF; OMNI CHANNEL; POLYGLOT PERSISTENCE.
• 7. Same as slide 6, adding SECURITY CHALLENGES: Stateless Architecture; API Management; Infrastructure Security; Data Security.
• 8. Identifying security holes early on
  Deployment diagram; labelled components: Client Browser, Netscaler (LB), WAF, Nginx (Reverse Proxy / SLB), Nginx, AngularJS app, PCF Platform, MicroService A and MicroService B (each on Embedded Tomcat), Active Directory, ADFS, Redis, MQ, Config-Server, Databases, Orchestrator. Links are labelled Https and Http.
• 9. Same as slide 8, adding: Question the client on Threat perception
• 10. Same as slide 9, adding: Challenges in System administration on new platforms and Technologies
• 11. Same as slide 10, adding: Polyglot persistence - How should data be stored?
• 12. Same as slide 11, adding: Limitation of Tools, e.g. Containerisation of Messaging layer?
• 14. TYPICAL TECHNICAL ARCHITECTURE - Build Security Design Patterns
  Diagram labels: Secured SPA Applications (Angular Framework: View / Controller (HTML) + Service (TypeScript), Model (JSON), Http Interceptor (AUTH); CSS, Images, Fonts; JSON / HTTPS) -> Stateless Microservices (Spring Boot + Allied Frameworks: Http Interceptor (AUTH-FILTER), RestController, Message Listener, Service, Model (POJO), DAO, Protocol Adaptor (REST/JMS), Internal Queues) -> Application Database (JDBC), Unstructured Datastore, Caching, OIDC / OAuth Server (HTTPS), Notification Engine (SMS / Email) over JMS, TCP/IP.
  Security Specs:
  • jsrsasign v8.0.12 (Javascript library) on client (https://www.npmjs.com/package/jsrsasign)
  • Java Cryptography Extension (JCE) implementation of Java SE 8 (on server)
  • Secret Key generation per session
  • Encryption of sensitive data on client using RSA (2048 bits) public key
  • MAC computation using HmacSHA512 and secret-key for every request/response
• 15. Same as slide 14, adding:
  Validate design principles, e.g. Is the proposed solution to maintain state in a stateless architecture?
  Build patterns of Security Principles, e.g. OTT
• 16. The Devil is in the Detail!
  Client-side nonce generation as shown on the slide (restructured into plain functions so it runs stand-alone; behaviour unchanged):

    // The array contents are only initial values: getRandomValues() overwrites all eight entries.
    function generateRandom() {
      var asciiArray = new Uint32Array([0xFAFBA, 0xAFFBC, 0xFABBD, 0xFFFBA, 0xFAFFE, 0xFADBA, 0xFEFBB, 0xFAFBD]);
      window.crypto.getRandomValues(asciiArray);
      return padZero(asciiArray);
    }
    // Joins the eight values into one string, prefixing each with a literal '0'.
    function padZero(randomNumberArray) {
      var out = '';
      for (var i = 0; i < randomNumberArray.length; i++) {
        out += '0' + randomNumberArray[i];
      }
      return out;
    }
    this.clientSessionId = generateRandom();
    var requestId = generateRandom();
    RequestHeaders['nonce'] = this.clientSessionId + '|' + requestId;

  New “nonce” header value sent on every Request and validated against the Response header value. Also acts as correlation-id to trace & correlate user requests in logs across backend services.
  Format: (16-digit random per session | 16-digit random per request)
  “state” is the unique server session id. Created for tracking the conversation of the Multi-Factor Login Flow with a max. idle/inactivity timeout of short duration (e.g. 5 mins).
  Format: Base64.getUrlEncoder().withoutPadding().encode( User-Agent | client_id | clientSessionId | UID | UUID.randomUUID().toString() )
  Sequence diagram (End-User, LogonUI (Angular Client), Authentication Service, Cache Server (Redis); HTTP Server https://www.kotak.com/Signin/):
    1. Input UserId
    LogonUI: generateNonce(); POST /v1/idp/login [nonce]{client_id, userId}
    Authentication Service: validateNonce(); // Look-up UserId and CRN; FindUID; authMethod; generateState(); Cache Server: put(state, HashMap)
    Response: [nonce]{state, authMethod}
    LogonUI: Display Fields Relevant for authMethod; // Bust Frames
  Reverse Proxy should add standard Security Headers to ALL Responses:
    Strict-Transport-Security: max-age=599
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block
    Access-Control-Allow-Origin: https://www.abcbank.com
• 17. Prioritise review of some controls over the others
• 18. Prioritise review of some controls over the others - These you will get a chance to test thoroughly during Appsec also
  Controls / Testing Goals:
  Authentication: Authenticate users before allowing access to any sensitive data or operations. Safeguard user accounts from misuse or unauthorized use. Protect authentication credentials when stored or in transit.
  Authorization: Prevent user access to resources outside their assigned privileges. Restrict functionality to only those resources required to fulfil the task.
  Input Validation: All client side input must be regarded as untrusted. All input must be validated before being passed to the application logic. Only good and expected input should be allowed.
  Session Management: Protect against session hijacking. Protect against brute forcing. Well-defined login and logout points. Expired sessions cannot be re-used later.
  Client Protection: Assume an untrusted endpoint environment. Assist in application layer endpoint security. Prohibit sensitive data to be stored on the client. Assist in preventing data leaks from the endpoint.
• 19. Same table as slide 18, with two further rows:
  Cryptography: Appropriate choice and justification of cryptographic algorithms. Well-known and tested cryptography. Detect inadvertent use of cryptography.
  Logging: Auditing capabilities independent of any other system audit trails. Events should be labelled appropriately within the log data. Log review. Protected from unauthorized access and tampering.
• 20. Take a “Holistic” View - Extend the coverage to include all aspects of the solution, including administration of platforms
  Diagram labels: Orchestrator; Node, Node, Node; Container Orchestration Assessment; Network Assessment; Multiple Instances; Infrastructure; Virtualization.
• 21. Process & Policy are not “out-of-scope”!
• 22. Same as slide 21, adding: Technical - Vulnerability in funds transfer allows unauthorized funds transfer
• 23. Process & Policy are not “out-of-scope”!
  Technical: Vulnerability in funds transfer allows unauthorized funds transfer
  Policy: User id for customer identification is a sequential number
  Process: Transfer money to a beneficiary without registration
  Serious security breaches typically manifest because of weakness in process and policy design along with technical vulnerabilities.
• 24. Sometimes, “what client wants” - review activities (# / Activity):
  1. Documents Review (Network, Data Flow, etc.): Understand the network and data flow of the application, with all components that are part of its ecosystem or any other applications it is trying to connect to.
  2. Inter-Tier Authentication: Functionality of the interfaces, encryption used (SSL, TLS, etc.).
  3. User Authentication & Authorization: Authentication - AD/local authentication; role based access; master maintenance (maker/checker for important functions). Dormant accounts, how are they managed; service accounts and related security (interactive login disabled). Multifactor authentication - known vulnerabilities. Check if the software component used for authentication has known vulnerabilities.
  4. Data at Rest: Identify how sensitive data is stored in the database.
  5. Data in transit: Review how sensitive data is transmitted over the communication channel.
  6. Security Review of API and Web Services associated with integrations (if applicable): Review the technology (OAuth, JWT, etc.) used for the API or Web Service and identify whether any known vulnerability is present, e.g. no validation of session tokens.
  7. User Access Management (Provisioning / De-provisioning / Modification): Review how users are provisioned and removed. What is the frequency of user access review; is there any documented procedure for the same. Dormant account handling.
  8. Password Policy: Review the password policy of the application; if not integrated with AD, is it as per the Kotak defined password policy.
• 25. Sometimes, “what client wants” (continued):
  9. Multifactor Authentication: Review the multifactor authentication (Google Authenticator) used, check for any known vulnerabilities and whether the implementation is secure or not.
  10. Cryptography Management: Review the encryption / hashing algorithms used in the application; are they as per the Kotak defined cryptographic standard.
  11. Audit Logging: Review logging of sensitive information; identify logging across the various components (OS, App, DB, etc.).
  12. Application deployment process: How the final compiled code is getting deployed; is there any defined process for the same, or can the app owner directly push the binaries to production.
  13. Backend (Database / MQ) Tampering for initiating a transaction / updating balances: Actually tampering the request / files used for processing the transaction and reviewing whether it gets executed successfully. Trying to update the same values directly in the backend database and reviewing the execution.
  14. Financial transaction flow (STP / Manual): Review the transaction flow and check the controls around it, like checking if there is a File Integrity solution for the file based transaction system.
  15. Identify and configuration-review controls (e.g. WAF, IDS / IPS responsible for the application): Identify the technologies used as compensating controls for known vulnerabilities and review their configuration / implementation.
  16. Data Integrity: As a security measure the request payload or file is sent with a checksum to provide assurance on the integrity of the data. Review whether it is implemented securely (whether the algorithm used for generating the checksum is obsolete or not).
• 26. Document threat scenarios - They are your Test Cases while doing Appsec
• 27. Challenges - Lack of Documentation
• 28. Same as slide 27, adding: Give them some Templates… and nudge! You will find many here
• 30. The response is always “Awesome”!
• 31. Yes! Sometimes it will be Daunting! Thanks!