In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.
The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open-source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?
If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
1. Lock That Sh*t
Down!
Auth Security Patterns for
Apps, APIs, and Infra
Brian Demers and Matt Raible
@briandemers / @mraible
April 13, 2022
2. @briandemers / @mraible
Who are we?
Brian Demers
Open Source Developer and Java Champion
Fun facts: likes to snowboard; into 🐝
@bdemers
Matt Raible
Open Source Developer and Java Champion
Fun facts: likes to ski; into classic VWs ✌
@mraible
3. @briandemers / @mraible
Today's Agenda What is Auth?
AuthN vs AuthZ
01
App Auth Security Patterns
Web, SPA, Mobile
02
API Auth Security Patterns
Tokens, OAuth, Secrets
03
Infra Auth Security Patterns
Linux, SSH, Docker, Kubernetes
04
Action!
How to implement these patterns
05
@briandemers / @mraible
14. @briandemers / @mraible
@briandemers / @mraible
Why JWTs Suck as Session Tokens
-@rdegges on developer.okta.com, 2017
What do we do about JWT?
-Security. Cryptography. Whatever. podcast, 2021
20. @briandemers / @mraible
App Auth Security Patterns
Tired Wired
Apps handling passwords
Stateless to scale
OAuth Implicit Flow
Sensitive data in URL
Let someone else worry about it
Sessions are tried and true
OAuth Auth Code with PKCE
Use headers or the body
@briandemers / @mraible
22. @briandemers / @mraible
HTTP Basic
@briandemers / @mraible
spring:
cloud:
config:
fail-fast: true
retry:
initial-interval: 1000
max-interval: 2000
max-attempts: 100
uri: http://admin:${jhipster.registry.password}@localhost:8761/config
# name of the config server's property source (file.yml) that we want to use
name: store
profile: prod # profile(s) of the property source
label: main # toggle to switch to a different version stored in git
jhipster:
registry:
password: admin
32. @briandemers / @mraible
RBAC and ACLs
@briandemers / @mraible
Groups
Admin
User
Help Desk
Privilege
Record : Read
Record : Create
Record : Update
Record : Delete
Users
34. @briandemers / @mraible
API Auth Security Patterns
Tired Wired
Build it yourself
Static API Tokens
CORS wildcard
Use existing libraries
Short lived access tokens
Restrict access with CORS
@briandemers / @mraible
36. CHALLENGE SOLUTION
@briandemers / @mraible
Linux
@briandemers / @mraible
Software is Automation
and Automation is
less toil.
-Mark Shuttleworth
Canonical CEO
Larry Ewing
39. @briandemers / @mraible
@briandemers / @mraible
SSO for Servers
https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
Active Directory
Pluggable Authentication Modules (PAM) for Linux
Okta's Advanced Server Access
https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
41. @briandemers / @mraible
Know Your Cloud and Cluster Security
@briandemers / @mraible https://twitter.com/acloudguru/status/1344724013122260993
42. @briandemers / @mraible
The 4C's of Cloud Native Security
https://kubernetes.io/docs/concepts/security/overview/
@briandemers / @mraible
43. @briandemers / @mraible
Kubernetes Tips
Kubernetes Tips
Only expose what needs to be public
Scan and update Kubernetes YAML
Check out Kubescape
https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes
@briandemers / @mraible