Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Lock That Shit Down! Auth Security Patterns for...

Matt Raible
September 02, 2021

Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - SpringOne 2021

In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.

The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?

If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!

YouTube: https://youtu.be/CebTJ7Nq1Hs

Matt Raible

September 02, 2021
Tweet

More Decks by Matt Raible

Other Decks in Programming

Transcript

  1. Lock That Sh*t Down! Auth Security Patterns or Apps, APIs,

    and In ra Brian Demers and Matt Raible @briandemers / @mraible September 2, 2021
  2. @briandemers / @mraible Who are we? Brian Demers Open Source

    Developer and Java Champion Fun acts: likes to snowboard; into 🐝 @bdemers Matt Raible Open Source Developer and Java Champion Fun acts: likes to ski; into classic VWs ✌ @mraible
  3. @briandemers / @mraible Today's A enda What is Auth? AuthN

    vs AuthZ 01 App Auth Security Patterns Web, SPA, Mobile 02 API Auth Security Patterns Tokens, OAuth, Secrets 03 In ra Auth Security Patterns Linux, SSH, Docker, Kubernetes 04 Action! How to implement these patterns 05 @briandemers / @mraible
  4. A brie history o Auth @briandemers / @mraible 60s: First

    Password 1977: RSA 1994: SSL 2006: SAML 2.0 2012: OAuth 2.0 2014: OIDC 2017: PKCE
  5. @briandemers / @mraible Developer Personas App Developer Frontend Developer Mobile

    App Developer Web Developer API Developer Java Developer Backend Developer Probably likes tests DevOps System Administrator Deployer Operations Monitorin Security Concerned Consultant Paranoid Geek Security over per ormance @briandemers / @mraible
  6. CHALLENGE SOLUTION @briandemers / @mraible SAML @briandemers / @mraible SAML

    is to OIDC as SOAP is to REST. -Joël Franusic (@j )
  7. @briandemers / @mraible @briandemers / @mraible Why JWTs Suck as

    Session Tokens - @rde es on developer.okta.com, 2017 What do we do about JWT? - Security. Crypto raphy. Whatever. podcast, 2021
  8. Passwordless password Password1 Password1! We like to think we know

    what we are talking about, at least Okta hasn't fired us yet… @briandemers / @mraible
  9. @briandemers / @mraible SAML ⭐ ⭐ App Auth Security Patterns

    HTTP Basic ⭐ Embedded Auth ⭐ OpenID Connect ⭐ ⭐ ⭐ ⭐ MFA ⭐ ⭐ ⭐ ⭐ ⭐ Passwordless ⭐ ⭐ ⭐ ⭐ ⭐ JWT Auth ⭐ ⭐ @briandemers / @mraible
  10. @briandemers / @mraible App Auth Security Patterns Tired Wired Apps

    handlin passwords Stateless to scale OAuth Implicit Flow Sensitive data in URL Let someone else worry about it Sessions are tried and true OAuth Auth Code w/ PKCE Use headers or the body @briandemers / @mraible
  11. @briandemers / @mraible HTTP Basic @briandemers / @mraible spring: cloud:

    config: fail-fast: true retry: initial-interval: 1000 max-interval: 2000 max-attempts: 100 uri: http://admin:${jhipster.registry.password}@localhost:8761/config # name of the config server's property source (file.yml) that we want to use name: store profile: prod # profile(s) of the property source label: main # toggle to switch to a different version stored in git jhipster: registry: password: admin
  12. @briandemers / @mraible API Gateway API Gateway App App App

    /do s /cats /fish @briandemers / @mraible { Rest } Client
  13. @briandemers / @mraible RBAC and ACLs @briandemers / @mraible Groups

    Admin User Help Desk Privile e Record : Read Record : Create Record : Update Record : Delete Users
  14. @briandemers / @mraible OAuth 2.1 ⭐ ⭐ ⭐ ⭐ ⭐

    API Auth Security Patterns HTTP Basic ⭐ ⭐ Tokens ⭐ ⭐ ⭐ API SDKs ⭐ ⭐ ⭐ ⭐ Encrypt Secrets ⭐ ⭐ ⭐ ⭐ ⭐ RBAC and ACLs ⭐ ⭐ ⭐ ⭐ ⭐ API Gateway ⭐ ⭐ ⭐ ⭐ ⭐ @briandemers / @mraible
  15. @briandemers / @mraible API Auth Security Patterns Tired Wired Build

    it yoursel Static API Tokens CORS wildcard Use existin libraries Short lived access tokens Restrict access with CORS @briandemers / @mraible
  16. CHALLENGE SOLUTION @briandemers / @mraible Linux @briandemers / @mraible So

    tware is Automation and Automation is less toil. - Mark Shuttleworth Canonical CEO Larry Ewin
  17. @briandemers / @mraible @briandemers / @mraible SSO or Servers https://www.redhat.com/sysadmin/plu

    able-authentication-modules-pam Active Directory Plu able Authentication Modules (PAM) or Linux Okta's Advanced Server Access https://www.redhat.com/sysadmin/plu able-authentication-modules-pam
  18. @briandemers / @mraible Know Your Cloud and Cluster Security @briandemers

    / @mraible https://twitter.com/acloud uru/status/1344724013122260993
  19. @briandemers / @mraible Kubernetes Tips Kubernetes Tips Only expose what

    needs to be public Scan and update Kubernetes YAML Check out Kubescape https://www.in oq.com/podcasts/continuous-delivery-with-kubernetes @briandemers / @mraible
  20. @briandemers / @mraible Encrypt Kubernetes Secrets @briandemers / @mraible apiVersion:

    v1 kind: Secret metadata: name: registry-secret namespace: demo type: Opaque data: registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64 encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"
  21. @briandemers / @mraible Certificates ⭐ ⭐ ⭐ ⭐ In ra

    Auth Security Patterns Linux ⭐ ⭐ ⭐ ⭐ ⭐ SSH with Keys ⭐ ⭐ ⭐ Scan Docker Ima es ⭐ ⭐ ⭐ ⭐ ⭐ Encrypt K8s Secrets ⭐ ⭐ ⭐ ⭐ ⭐ Automate Your In ra ⭐ ⭐ ⭐ ⭐ ⭐ SSO or Servers ⭐ ⭐ ⭐ ⭐ ⭐ @briandemers / @mraible
  22. @briandemers / @mraible In ra Auth Security Patterns Tired Wired

    FROM: some-lar e-ima e:1.2.3 Secrets in Ima es Shared Credentials Use minimal ima es HashiCorp Vault Limit Access @briandemers / @mraible
  23. @briandemers / @mraible Action How to codi y these patterns?

    @briandemers / @mraible spring security
  24. @briandemers / @mraible Action How to test or lack o

    patterns? @briandemers / @mraible https://implicitdetector.io Audit Server Access
  25. The OWASP Top 10 really hasn’t chan ed all that

    much in the last ten years. -Johnny Xmas (@J0hnnyXm4s) @briandemers / @mraible