In the modern age it has become crucial to perform a secure architecture review alongside regular pentest practice. Application architecture review can be defined as reviewing the current security controls in the application architecture. This helps identify potential security flaws at an early stage and mitigate them before the development stage starts.
2. #whoami – Hiren Shah
• 25 Years in Business & IT field
• President & Mentor of Net Square
• LinkedIn: hirens
• Twitter: @hiren_sh
Business & IT Leader Mixed into One
4-7. Key Drivers and Considerations of today’s Global Banks
1. Cross-Selling for Financial And Non-Financial Products
2. Deliver Experience based on Personalisation
3. Support customer segments with different web capabilities
4. Support innovation - agility to implement new features
5. Seamless Experience Across Channels
“To Provide state-of-the-art customized, seamless and uniform User Experience for all customer segments across desktop & mobile web”
TYPICAL LOGICAL ARCHITECTURE
ADVANTAGES: Cloud enabled; Microservices driven integration approach; Personalization and contextualization; Multilingual support; Future proof; Omni channel; Polyglot persistence
SECURITY CHALLENGES: Stateless architecture; API management; Infrastructure security; Data security
8-12. Identifying security holes early on
[Diagram: typical deployment. Client Browser -> Netscaler (LB) -> WAF -> Nginx (Reverse Proxy / SLB) -> Nginx serving the AngularJS app on the PCF Platform; MicroService A and MicroService B, each on embedded Tomcat (diagram labels: Https at the edge, Http between internal components); Active Directory and ADFS for identity; Redis, MQ, Config-Server, Databases and Orchestrator in the back end.]
Questions to raise while reviewing the architecture:
• Question the client on threat perception
• Challenges in system administration on new platforms and technologies
• Polyglot persistence - how should data be stored?
• Limitation of tools, e.g. PCF Platform: containerisation of the messaging layer?
14-15. Secured SPA Applications - TYPICAL TECHNICAL ARCHITECTURE
[Diagram: Angular Framework client (View (HTML), Controller + Service (TypeScript), Model (JSON), Http Interceptor (AUTH)) loading CSS, images and fonts, exchanging JSON over HTTPS with stateless microservices built on Spring Boot + allied frameworks (Http Interceptor (AUTH-FILTER), RestController, Message Listener, Service, Model (POJO), DAO, Protocol Adaptor (REST/JMS), Internal Queues). Back end: OIDC / OAuth Server (HTTPS), Application Database (JDBC), Unstructured Datastore (JDBC), Caching (TCP/IP), Notification Engine (SMS / Email) over JMS.]
Security Specs:
• jsrsasign v8.0.12 (JavaScript library) on client (https://www.npmjs.com/package/jsrsasign)
• Java Cryptography Extension (JCE) implementation of Java SE 8 (on server)
• Secret key generation per session
• Encryption of sensitive data on client using RSA (2048 bits) public key
• MAC computation using HmacSHA512 and secret key for every request/response
Build Security Design Patterns:
• Validate design principles, e.g. is the proposed solution to maintain state in a stateless architecture?
• Build patterns of security principles, e.g. OTT
16. The Devil is in the Detail!
5
this.clientSessionId = this.generateRandom();
function generateRandom() {
var asciiArray = new Uint32Array([0xFAFBA, 0xAFFBC, 0xFABBD,
0xFFFBA, 0xFAFFE, 0xFADBA, 0xFEFBB, 0xFAFBD]);
window.crypto.getRandomValues(asciiArray);
return this.padZero(asciiArray);
}
function padZero(randomNumberArray) {
return '0' + randomNumberArray[0] +
'0' + randomNumberArray[1] +
'0' + randomNumberArray[2] +
'0' + randomNumberArray[3] +
'0' + randomNumberArray[4] +
'0' + randomNumberArray[5] +
'0' + randomNumberArray[6] +
'0' + randomNumberArray[7];
}
New “nonce” header value sent on every Request and validated
against Response header value. Also acts as correlation-id to trace &
correlate user requests in logs across backend services.
Format: (16-digit random per session | 16-digit random per request)
var requestId = this.generateRandom();
RequestHeaders[‘nonce’] = this.clientSessionId + '|' + requestId;
“state” is unique server session id. Created for tracking conversation of Multi-Factor Login
Flow with max. idle/inactivity timeout of short duration (e.g. 5 mins).
Format: Base64.getUrlEncoder().withoutPadding().encode(
User-Agent | client_id | clientSessionId | UID | UUID.randomUUID().toString() )
[Sequence diagram: step 1 of the Multi-Factor Login Flow, Input UserId. Participants: End-User, LogonUI (Angular Client) at https://www.kotak.com/Signin/, HTTP Server (Reverse Proxy), Authentication Service, Cache Server (Redis).]
• End-User enters the UserId in the LogonUI.
• LogonUI: generateNonce(); // Bust Frames
• LogonUI → Authentication Service: POST /v1/idp/login, header [nonce], body {client_id, userId}
• Authentication Service: validateNonce(); // Look up UserId and CRN (FindUID); generateState()
• Authentication Service → Cache Server: put(state, HashMap)
• Authentication Service → LogonUI: response header [nonce], body {state, authMethod}
• LogonUI: display fields relevant for authMethod
Reverse Proxy should add standard Security Headers to ALL Responses:
Strict-Transport-Security: max-age=599
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Access-Control-Allow-Origin: https://www.abcbank.com
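A checker for the reverse-proxy header baseline listed above, as an added example that is not code from the deck; it can be run over captured responses during a review. The header names and values are the deck's; the check logic, the findings format and the one-year HSTS threshold are this example's own. Note that the slide's max-age of 599 seconds is far below the one year commonly recommended for HSTS, so the checker reports it.

```javascript
// Added example (not the deck's code): verify a response against the header baseline.
const ONE_YEAR_SECONDS = 31536000; // assumption: minimum acceptable HSTS max-age

// Lower-case names and trimmed values make the check case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns a list of findings; an empty list means the baseline is met.
function checkSecurityHeaders(rawHeaders, allowedOrigin) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (hsts === undefined) {
    findings.push('strict-transport-security: missing');
  } else {
    const m = /(?:^|;)\s*max-age=(\d+)/i.exec(hsts);
    if (!m) {
      findings.push('strict-transport-security: no max-age directive');
    } else if (Number(m[1]) < ONE_YEAR_SECONDS) {
      findings.push(`strict-transport-security: max-age ${m[1]} is below ${ONE_YEAR_SECONDS}`);
    }
  }

  // Headers whose value must match the slide exactly (compared case-insensitively).
  const expectExact = [
    ['x-content-type-options', 'nosniff'],
    ['x-frame-options', 'deny'],
    ['x-xss-protection', '1; mode=block'],
  ];
  for (const [name, expected] of expectExact) {
    const value = h[name];
    if (value === undefined) findings.push(`${name}: missing`);
    else if (value.toLowerCase() !== expected) findings.push(`${name}: got "${value}", expected "${expected}"`);
  }

  // CORS origin must be the one expected origin, never the wildcard.
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) findings.push('access-control-allow-origin: missing');
  else if (acao === '*') findings.push('access-control-allow-origin: wildcard origin');
  else if (acao !== allowedOrigin) findings.push(`access-control-allow-origin: "${acao}" is not ${allowedOrigin}`);

  return findings;
}

// Constructed sample: the exact header set shown on the slide.
const SLIDE_HEADERS = {
  'Strict-Transport-Security': 'max-age=599',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block',
  'Access-Control-Allow-Origin': 'https://www.abcbank.com',
};
```

X-XSS-Protection is kept in the check only because the slide lists it; current browsers no longer act on that header, and a Content-Security-Policy is the control that actually constrains script execution today.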
18. These you will get a chance to test thoroughly during Appsec also
Controls and Testing Goals
Authentication
• Authenticate users before allowing access to any sensitive data or operations.
• Safeguard user accounts from misuse or unauthorized use.
• Protect authentication credentials when stored or in transit.
Authorization
• Prevent user access to resources outside their assigned privileges.
• Restrict functionality to only those resources required to fulfil the task.
Input Validation
• All client side input must be regarded as untrusted.
• All input must be validated before being passed to the application logic.
• Only good and expected input should be allowed.
Session Management
• Protect against session hijacking.
• Protect against brute forcing.
• Well-defined login and logout points.
• Expired sessions cannot be re-used later.
Client Protection
• Assume an untrusted endpoint environment.
• Assist in application layer endpoint security.
• Prohibit sensitive data to be stored on the client.
• Assist in preventing data leaks from the endpoint.
Cryptography
• Appropriate choice and justification of cryptographic algorithms.
• Well-known and tested cryptography.
• Detect inadvertent use of cryptography.
Logging
• Auditing capabilities independent of any other system audit trails.
• Events should be labelled appropriately within the log data.
• Log review.
• Protected from unauthorized access and tampering.
Prioritise review of some controls over the others
23. Process & Policy are not “out-of-scope”!
• Technical: a vulnerability in funds transfer allows unauthorized funds transfer
• Policy: the user id for customer identification is a sequential number
• Process: transfer money to a beneficiary without registration
Serious security breaches typically manifest because of weakness in process and policy design along with technical vulnerabilities.
24. Activities
1. Documents Review (Network, Data Flow, etc.)
   Understand the network and data flow of the application with all components that are part of its ecosystem, and any other applications it is trying to connect to.
2. Inter-Tier Authentication
   Functionality of the interfaces, encryption used (SSL, TLS, etc.).
3. User Authentication & Authorization
   Authentication – AD/local authentication; role based access, master maintenance (maker/checker for important functions).
   Dormant accounts, how are they managed; service accounts and related security (interactive login disabled).
   Multifactor authentication – known vulnerabilities.
   Check if the software component used for authentication has known vulnerabilities.
4. Data at Rest
   Identify how sensitive data is stored in the database.
5. Data in Transit
   Review how sensitive data is transmitted over the communication channel.
6. Security Review of API and Web Services associated with integrations (if applicable)
   Review the technology (OAuth, JWT, etc.) used for the API or Web Service and identify whether any known vulnerability is present, e.g. no validation of session tokens.
7. User Access Management (Provisioning / De-provisioning / Modification)
   Review how users are provisioned and removed. What is the frequency of user access review, and is there any documented procedure for it. Dormant account handling.
8. Password Policy
   Review the password policy of the application; if not integrated with AD, is it as per the Kotak-defined password policy.
Sometimes, “what client wants”
25. Activities (continued)
9. Multifactor Authentication
   Review the multifactor authentication (Google Authenticator) used, check for any known vulnerabilities and whether the implementation is secure or not.
10. Cryptography Management
   Review the encryption/hashing algorithms used in the application; are they as per the Kotak-defined cryptographic standard.
11. Audit Logging
   Review logging of sensitive information; identify logging across the various components (OS, App, DB, etc.).
12. Application Deployment Process
   How the final compiled code is deployed; is there a defined process for it, or can the app owner directly push the binaries to production.
13. Backend (Database / MQ) Tampering for initiating a transaction / updating balances
   Tamper with the request/files used for processing the transaction and review whether it executes successfully. Try to update the same values directly in the backend database and review the execution.
14. Financial Transaction Flow (STP / Manual)
   Review the transaction flow and check the controls around it, e.g. checking whether there is a File Integrity solution for a file-based transaction system.
15. Identify and Configuration-Review Controls (e.g. WAF, IDS / IPS responsible for the application)
   Identify the technologies used as compensating controls for known vulnerabilities and review their configuration/implementation.
16. Data Integrity
   As a security measure, the request payload or file is sent with a checksum to provide assurance on the integrity of the data. Review whether it is implemented securely (e.g. whether the algorithm used for generating the checksum is obsolete or not).