In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps. The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open-source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them? If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!

1. Lock That Sh*t
Down!
Auth Security Patterns for
Apps, APIs, and Infra
Brian Demers and Matt Raible
@briandemers / @mraible
April 13, 2022

2. @briandemers / @mraible
Who are we?
Brian Demers
Open Source Developer and Java Champion
Fun facts: likes to snowboard; into 🐝
@bdemers
Matt Raible
Open Source Developer and Java Champion
Fun facts: likes to ski; into classic VWs ✌
@mraible

3. @briandemers / @mraible
Today's Agenda What is Auth?
AuthN vs AuthZ
01
App Auth Security Patterns
Web, SPA, Mobile
02
API Auth Security Patterns
Tokens, OAuth, Secrets
03
Infra Auth Security Patterns
Linux, SSH, Docker, Kubernetes
04
Action!
How to implement these patterns
05
@briandemers / @mraible

4. @briandemers / @mraible
01
What is Auth?
@briandemers / @mraible

5. @briandemers / @mraible
Soooo ...
Why should you care?
@briandemers / @mraible

6. A brief history of Auth
@briandemers / @mraible
60s: First
Password
1977:
RSA
1994:
SSL
2006:
SAML 2.0
2012:
OAuth 2.0
2014:
OIDC
2017:
PKCE

7. @briandemers / @mraible
Developer Personas
App Developer
Frontend Developer
Mobile App Developer
Web Developer
API Developer
Java Developer
Backend Developer
Probably likes tests
DevOps
System Administrator
Deployer
Operations
Monitoring
Security
Concerned Consultant
Paranoid Geek
Security over
performance
@briandemers / @mraible

8. @briandemers / @mraible
02
App Auth
Security
Patterns
@briandemers / @mraible

9. @briandemers / @mraible
Web vs SPA vs
Mobile App
@briandemers / @mraible

10. @briandemers / @mraible
HTTP Basic Authentication
@briandemers / @mraible

11. @briandemers / @mraible
Form-based Authentication
@briandemers / @mraible

12. CHALLENGE SOLUTION
@briandemers / @mraible
SAML
@briandemers / @mraible
SAML is to OIDC as
SOAP is to REST.
-Joël Franusic (@jf)

13. @briandemers / @mraible
JWT Authentication
@briandemers / @mraible

14. @briandemers / @mraible
@briandemers / @mraible
Why JWTs Suck as Session Tokens
-@rdegges on developer.okta.com, 2017
What do we do about JWT?
-Security. Cryptography. Whatever. podcast, 2021

15. @briandemers / @mraible
OpenID Connect (OIDC) for Auth
@briandemers / @mraible
Identity
Provider
🔒Verify

16. @briandemers / @mraible
Multi-Factor Authentication (MFA)
@briandemers / @mraible

17. @briandemers / @mraible
Multi-Factor Authentication (MFA)
@briandemers / @mraible

18. Passwordless
password
Password1
Password1!
We like to think we know what we are talking
about, at least Okta hasn't fired us yet…
@briandemers / @mraible

19. @briandemers / @mraible
SAML
⭐ ⭐
App Auth
Security
Patterns HTTP Basic
⭐
Embedded Auth
⭐
OpenID Connect
⭐ ⭐ ⭐ ⭐
MFA
⭐ ⭐ ⭐ ⭐ ⭐
Passwordless
⭐ ⭐ ⭐ ⭐ ⭐
JWT Auth
⭐ ⭐
@briandemers / @mraible

20. @briandemers / @mraible
App Auth Security Patterns
Tired Wired
Apps handling passwords
Stateless to scale
OAuth Implicit Flow
Sensitive data in URL
Let someone else worry about it
Sessions are tried and true
OAuth Auth Code with PKCE
Use headers or the body
@briandemers / @mraible

21. @briandemers / @mraible
03
API Auth
Security
Patterns
@briandemers / @mraible

22. @briandemers / @mraible
HTTP Basic
@briandemers / @mraible
spring:
cloud:
config:
fail-fast: true
retry:
initial-interval: 1000
max-interval: 2000
max-attempts: 100
uri: http://admin:${jhipster.registry.password}@localhost:8761/config
# name of the config server's property source (file.yml) that we want to use
name: store
profile: prod # profile(s) of the property source
label: main # toggle to switch to a different version stored in git
jhipster:
registry:
password: admin

23. @briandemers / @mraible
Tokens
@briandemers / @mraible
$20

24. @briandemers / @mraible
OAuth 2.0
@briandemers / @mraible https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

25. @briandemers / @mraible
OAuth 2.0
@briandemers / @mraible

26. @briandemers / @mraible
OAuth 2.0
@briandemers / @mraible

27. @briandemers / @mraible
OAuth 2.1
@briandemers / @mraible
https://oauth.net/2.1
Authorization Code + PKCE
Client Credentials
Device Grant

28. @briandemers / @mraible
OAuth Client Credentials
@briandemers / @mraible

29. @briandemers / @mraible
API Gateway
API
Gateway
App
App
App
/dogs
/cats
/fish
@briandemers / @mraible
{ Rest }
Client

30. @briandemers / @mraible
Use API SDKs
@briandemers / @mraible

31. @briandemers / @mraible
Encrypt and Rotate Secrets
@briandemers / @mraible

32. @briandemers / @mraible
RBAC and ACLs
@briandemers / @mraible
Groups
Admin
User
Help Desk
Privilege
Record : Read
Record : Create
Record : Update
Record : Delete
Users

33. @briandemers / @mraible
OAuth 2.1
⭐ ⭐ ⭐ ⭐ ⭐
API Auth
Security
Patterns HTTP Basic
⭐ ⭐
Tokens
⭐ ⭐ ⭐
API SDKs
⭐ ⭐ ⭐ ⭐
Encrypt Secrets
⭐ ⭐ ⭐ ⭐ ⭐
RBAC and ACLs
⭐ ⭐ ⭐ ⭐ ⭐
API Gateway
⭐ ⭐ ⭐ ⭐ ⭐
@briandemers / @mraible

34. @briandemers / @mraible
API Auth Security Patterns
Tired Wired
Build it yourself
Static API Tokens
CORS wildcard
Use existing libraries
Short lived access tokens
Restrict access with CORS
@briandemers / @mraible

35. @briandemers / @mraible
04
Infra Auth
Security
Patterns
@briandemers / @mraible

36. CHALLENGE SOLUTION
@briandemers / @mraible
Linux
@briandemers / @mraible
Software is Automation
and Automation is
less toil.
-Mark Shuttleworth
Canonical CEO
Larry Ewing

37. @briandemers / @mraible
SSH with Keys
@briandemers / @mraible
https://www.ssh.com/academy/ssh/protocol

38. Certificates
CC BY 3.0: EFF.org
@briandemers / @mraible

39. @briandemers / @mraible
@briandemers / @mraible
SSO for Servers
https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
Active Directory
Pluggable Authentication Modules (PAM) for Linux
Okta's Advanced Server Access
https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam

40. Scan Docker Images
@briandemers / @mraible

41. @briandemers / @mraible
Know Your Cloud and Cluster Security
@briandemers / @mraible https://twitter.com/acloudguru/status/1344724013122260993

42. @briandemers / @mraible
The 4C's of Cloud Native Security
https://kubernetes.io/docs/concepts/security/overview/
@briandemers / @mraible

43. @briandemers / @mraible
Kubernetes Tips
Kubernetes Tips
Only expose what needs to be public
Scan and update Kubernetes YAML
Check out Kubescape
https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes
@briandemers / @mraible

44. @briandemers / @mraible
Encrypt Kubernetes Secrets
@briandemers / @mraible
apiVersion: v1
kind: Secret
metadata:
name: registry-secret
namespace: demo
type: Opaque
data:
registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64
encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"

45. @briandemers / @mraible
Automation is Key
@briandemers / @mraible
WSJ

46. @briandemers / @mraible
@briandemers / @mraible

47. @briandemers / @mraible
Certificates
⭐ ⭐ ⭐ ⭐
Infra Auth
Security
Patterns Linux
⭐ ⭐ ⭐ ⭐ ⭐
SSH with Keys
⭐ ⭐ ⭐
Scan Docker Images
⭐ ⭐ ⭐ ⭐ ⭐
Encrypt K8s Secrets
⭐ ⭐ ⭐ ⭐ ⭐
Automate Your Infra
⭐ ⭐ ⭐ ⭐ ⭐
SSO for Servers
⭐ ⭐ ⭐ ⭐ ⭐
@briandemers / @mraible

48. @briandemers / @mraible
Infra Auth Security Patterns
Tired Wired
FROM: some-large-image:1.2.3
Secrets in Images
Shared Credentials
Use minimal images
HashiCorp Vault
Limit Access
@briandemers / @mraible

49. @briandemers / @mraible
05
Action!
@briandemers / @mraible

50. @briandemers / @mraible
Action
How to codify these patterns?
@briandemers / @mraible
spring
security

51. @briandemers / @mraible
Action
How to test for lack of
patterns?
@briandemers / @mraible
https://implicitdetector.io
Audit Server Access

52. @briandemers / @mraible
Action
How to test for vulnerabilities?
@briandemers / @mraible

53. @briandemers / @mraible
What about ?
@briandemers / @mraible

54. The OWASP Top 10 really
hasn’t changed all that
much in the last ten years.
-Johnny Xmas (@J0hnnyXm4s)
@briandemers / @mraible

55. @briandemers / @mraible
developer.okta.com/blog
@oktadev
@briandemers / @mraible

56. @briandemers / @mraible
Thanks!
Brian Demers
@briandemers @bdemers
@bdemers
brian.demers@okta.com
Matt Raible
@mraible @mraible
@mraible
matt.raible@okta.com
https://speakerdeck.com/mraible

57. developer.okta.com