Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
0 likes238 views
The document discusses various authentication security patterns and practices for applications, APIs, and infrastructure, presented by Brian Demers and Matt Raible. It covers topics such as application authentication, API security patterns, and implementation strategies while emphasizing the importance of securing sensitive data and using proper authentication protocols. The document also outlines the evolution of authentication methods and highlights the significance of automation and auditing in maintaining security.
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
- 1. Lock That Sh*t Down! Auth Security Patterns or Apps, APIs, and In ra Brian Demers and Matt Raible @briandemers / @mraible September 2, 2021
- 2. @briandemers / @mraible Who are we? Brian Demers Open Source Developer and Java Champion Fun acts: likes to snowboard; into 🐝 @bdemers Matt Raible Open Source Developer and Java Champion Fun acts: likes to ski; into classic VWs ✌ @mraible
- 3. @briandemers / @mraible Today's A enda What is Auth? AuthN vs AuthZ 01 App Auth Security Patterns Web, SPA, Mobile 02 API Auth Security Patterns Tokens, OAuth, Secrets 03 In ra Auth Security Patterns Linux, SSH, Docker, Kubernetes 04 Action! How to implement these patterns 05 @briandemers / @mraible
- 4. @briandemers / @mraible 01 What is Auth? @briandemers / @mraible
- 5. @briandemers / @mraible Soooo ... Why should you care? @briandemers / @mraible
- 6. A brie history o Auth @briandemers / @mraible 60s: First Password 1977: RSA 1994: SSL 2006: SAML 2.0 2012: OAuth 2.0 2014: OIDC 2017: PKCE
- 7. @briandemers / @mraible Developer Personas App Developer Frontend Developer Mobile App Developer Web Developer API Developer Java Developer Backend Developer Probably likes tests DevOps System Administrator Deployer Operations Monitorin Security Concerned Consultant Paranoid Geek Security over per ormance @briandemers / @mraible
- 8. @briandemers / @mraible 02 App Auth Security Patterns @briandemers / @mraible
- 9. @briandemers / @mraible Web vs SPA vs Mobile App @briandemers / @mraible
- 10. @briandemers / @mraible HTTP Basic @briandemers / @mraible
- 11. @briandemers / @mraible Form-based Authentication @briandemers / @mraible
- 12. CHALLENGE SOLUTION @briandemers / @mraible SAML @briandemers / @mraible SAML is to OIDC as SOAP is to REST. -Joël Franusic (@j )
- 13. @briandemers / @mraible JWT Authentication @briandemers / @mraible
- 14. @briandemers / @mraible @briandemers / @mraible Why JWTs Suck as Session Tokens -@rde es on developer.okta.com, 2017 What do we do about JWT? -Security. Crypto raphy. Whatever. podcast, 2021
- 15. @briandemers / @mraible OpenID Connect (OIDC) or Auth @briandemers / @mraible Identity Provider 🔒Veri y
- 16. @briandemers / @mraible Multi-Factor Authentication (MFA) @briandemers / @mraible
- 17. Passwordless password Password1 Password1! We like to think we know what we are talking about, at least Okta hasn't fired us yet… @briandemers / @mraible
- 18. @briandemers / @mraible SAML ⭐ ⭐ App Auth Security Patterns HTTP Basic ⭐ Embedded Auth ⭐ OpenID Connect ⭐ ⭐ ⭐ ⭐ MFA ⭐ ⭐ ⭐ ⭐ ⭐ Passwordless ⭐ ⭐ ⭐ ⭐ ⭐ JWT Auth ⭐ ⭐ @briandemers / @mraible
- 19. @briandemers / @mraible App Auth Security Patterns Tired Wired Apps handlin passwords Stateless to scale OAuth Implicit Flow Sensitive data in URL Let someone else worry about it Sessions are tried and true OAuth Auth Code w/ PKCE Use headers or the body @briandemers / @mraible
- 20. @briandemers / @mraible 03 API Auth Security Patterns @briandemers / @mraible
- 21. @briandemers / @mraible HTTP Basic @briandemers / @mraible spring: cloud: config: fail-fast: true retry: initial-interval: 1000 max-interval: 2000 max-attempts: 100 uri: http://admin:${jhipster.registry.password}@localhost:8761/config # name of the config server's property source (file.yml) that we want to use name: store profile: prod # profile(s) of the property source label: main # toggle to switch to a different version stored in git jhipster: registry: password: admin
- 22. @briandemers / @mraible Tokens @briandemers / @mraible $20
- 23. @briandemers / @mraible OAuth 2.0 @briandemers / @mraible https://aaronparecki.com/2019/12/12/21/its-time- or-oauth-2-dot-1
- 24. @briandemers / @mraible OAuth 2.0 @briandemers / @mraible
- 25. @briandemers / @mraible OAuth 2.0 @briandemers / @mraible
- 26. @briandemers / @mraible OAuth 2.1 @briandemers / @mraible https://oauth.net/2.1 Authorization Code + PKCE Client Credentials Device Grant
- 27. @briandemers / @mraible OAuth Client Credentials @briandemers / @mraible
- 28. @briandemers / @mraible API Gateway API Gateway App App App /do s /cats /fish @briandemers / @mraible { Rest } Client
- 29. @briandemers / @mraible Use API SDKs @briandemers / @mraible
- 30. @briandemers / @mraible Encrypt and Rotate Secrets @briandemers / @mraible
- 31. @briandemers / @mraible RBAC and ACLs @briandemers / @mraible Groups Admin User Help Desk Privile e Record : Read Record : Create Record : Update Record : Delete Users
- 32. @briandemers / @mraible OAuth 2.1 ⭐ ⭐ ⭐ ⭐ ⭐ API Auth Security Patterns HTTP Basic ⭐ ⭐ Tokens ⭐ ⭐ ⭐ API SDKs ⭐ ⭐ ⭐ ⭐ Encrypt Secrets ⭐ ⭐ ⭐ ⭐ ⭐ RBAC and ACLs ⭐ ⭐ ⭐ ⭐ ⭐ API Gateway ⭐ ⭐ ⭐ ⭐ ⭐ @briandemers / @mraible
- 33. @briandemers / @mraible API Auth Security Patterns Tired Wired Build it yoursel Static API Tokens CORS wildcard Use existin libraries Short lived access tokens Restrict access with CORS @briandemers / @mraible
- 34. @briandemers / @mraible 04 In ra Auth Security Patterns @briandemers / @mraible
- 35. CHALLENGE SOLUTION @briandemers / @mraible Linux @briandemers / @mraible So tware is Automation and Automation is less toil. -Mark Shuttleworth Canonical CEO Larry Ewin
- 36. @briandemers / @mraible SSH with Keys @briandemers / @mraible https://www.ssh.com/academy/ssh/protocol
- 37. Certificates CC BY 3.0: EFF.or @briandemers / @mraible
- 38. @briandemers / @mraible @briandemers / @mraible SSO or Servers https://www.redhat.com/sysadmin/plu able-authentication-modules-pam Active Directory Plu able Authentication Modules (PAM) or Linux Okta's Advanced Server Access https://www.redhat.com/sysadmin/plu able-authentication-modules-pam
- 39. Scan Docker Ima es @briandemers / @mraible
- 40. @briandemers / @mraible Know Your Cloud and Cluster Security @briandemers / @mraible https://twitter.com/acloud uru/status/1344724013122260993
- 41. @briandemers / @mraible The 4C's o Cloud Native Security https://kubernetes.io/docs/concepts/security/overview/ @briandemers / @mraible
- 42. @briandemers / @mraible Kubernetes Tips Kubernetes Tips Only expose what needs to be public Scan and update Kubernetes YAML Check out Kubescape https://www.in oq.com/podcasts/continuous-delivery-with-kubernetes @briandemers / @mraible
- 43. @briandemers / @mraible Encrypt Kubernetes Secrets @briandemers / @mraible apiVersion: v1 kind: Secret metadata: name: registry-secret namespace: demo type: Opaque data: registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64 encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"
- 44. @briandemers / @mraible Automation is Key @briandemers / @mraible WSJ
- 45. @briandemers / @mraible Certificates ⭐ ⭐ ⭐ ⭐ In ra Auth Security Patterns Linux ⭐ ⭐ ⭐ ⭐ ⭐ SSH with Keys ⭐ ⭐ ⭐ Scan Docker Ima es ⭐ ⭐ ⭐ ⭐ ⭐ Encrypt K8s Secrets ⭐ ⭐ ⭐ ⭐ ⭐ Automate Your In ra ⭐ ⭐ ⭐ ⭐ ⭐ SSO or Servers ⭐ ⭐ ⭐ ⭐ ⭐ @briandemers / @mraible
- 46. @briandemers / @mraible In ra Auth Security Patterns Tired Wired FROM: some-lar e-ima e:1.2.3 Secrets in Ima es Shared Credentials Use minimal ima es HashiCorp Vault Limit Access @briandemers / @mraible
- 47. @briandemers / @mraible 05 Action! @briandemers / @mraible
- 48. @briandemers / @mraible Action How to codi y these patterns? @briandemers / @mraible spring security
- 49. @briandemers / @mraible Action How to test or lack o patterns? @briandemers / @mraible https://implicitdetector.io Audit Server Access
- 50. @briandemers / @mraible Action How to test or vulnerabilities? @briandemers / @mraible
- 51. @briandemers / @mraible What about ? @briandemers / @mraible
- 52. The OWASP Top 10 really hasn’t chan ed all that much in the last ten years. -Johnny Xmas (@J0hnnyXm4s) @briandemers / @mraible
- 54. @briandemers / @mraible Thanks! Brian Demers @briandemers @bdemers @bdemers [email protected] Matt Raible @mraible @mraible @mraible [email protected] https://speakerdeck.com/mraible