Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devnexus 2022

Lock That Sh*t
Down!
Auth Security Patterns for
Apps, APIs, and Infra
Brian Demers and Matt Raible
@briandemers / @mraible
April 13, 2022

Who are we?
Brian Demers
Open Source Developer and Java Champion
Fun facts: likes to snowboard; into 🐝
@bdemers
Matt Raible
Open Source Developer and Java Champion
Fun facts: likes to ski; into classic VWs ✌
@mraible

Today's Agenda What is Auth?
AuthN vs AuthZ
01
App Auth Security Patterns
Web, SPA, Mobile
02
API Auth Security Patterns
Tokens, OAuth, Secrets
03
Infra Auth Security Patterns
Linux, SSH, Docker, Kubernetes
04
Action!
How to implement these patterns
05

01
What is Auth?

Soooo ...
Why should you care?

A brief history of Auth
60s: First
Password
1977:
RSA
1994:
SSL
2006:
SAML 2.0
2012:
OAuth 2.0
2014:
OIDC
2017:
PKCE

Developer Personas
App Developer
Frontend Developer
Mobile App Developer
Web Developer
API Developer
Java Developer
Backend Developer
Probably likes tests
DevOps
System Administrator
Deployer
Operations
Monitoring
Security
Concerned Consultant
Paranoid Geek
Security over
performance

02
App Auth
Security
Patterns

Web vs SPA vs
Mobile App

HTTP Basic Authentication

Form-based Authentication

CHALLENGE SOLUTION
SAML
SAML is to OIDC as
SOAP is to REST.
-Joël Franusic (@jf)

JWT Authentication

Why JWTs Suck as Session Tokens
-@rdegges on developer.okta.com, 2017
What do we do about JWT?
-Security. Cryptography. Whatever. podcast, 2021

OpenID Connect (OIDC) for Auth
Identity
Provider
🔒Verify

Multi-Factor Authentication (MFA)

Passwordless
password
Password1
Password1!
We like to think we know what we are talking
about, at least Okta hasn't fired us yet…

SAML
⭐ ⭐
App Auth
Security
Patterns HTTP Basic
⭐
Embedded Auth
⭐
OpenID Connect
⭐ ⭐ ⭐ ⭐
MFA
⭐ ⭐ ⭐ ⭐ ⭐
Passwordless
⭐ ⭐ ⭐ ⭐ ⭐
JWT Auth
⭐ ⭐

App Auth Security Patterns
Tired Wired
Apps handling passwords
Stateless to scale
OAuth Implicit Flow
Sensitive data in URL
Let someone else worry about it
Sessions are tried and true
OAuth Auth Code with PKCE
Use headers or the body

03
API Auth
Security
Patterns

HTTP Basic
spring:
cloud:
config:
fail-fast: true
retry:
initial-interval: 1000
max-interval: 2000
max-attempts: 100
uri: http://admin:${jhipster.registry.password}@localhost:8761/config
# name of the config server's property source (file.yml) that we want to use
name: store
profile: prod # profile(s) of the property source
label: main # toggle to switch to a different version stored in git
jhipster:
registry:
password: admin

Tokens
$20

OAuth 2.0
@briandemers / @mraible https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1

OAuth 2.0

OAuth 2.1
https://oauth.net/2.1
Authorization Code + PKCE
Client Credentials
Device Grant

OAuth Client Credentials

API Gateway
API
Gateway
App
App
App
/dogs
/cats
/ﬁsh
{ Rest }
Client

Use API SDKs

Encrypt and Rotate Secrets

RBAC and ACLs
Groups
Admin
User
Help Desk
Privilege
Record : Read
Record : Create
Record : Update
Record : Delete
Users

OAuth 2.1
⭐ ⭐ ⭐ ⭐ ⭐
API Auth
Security
Patterns HTTP Basic
⭐ ⭐
Tokens
⭐ ⭐ ⭐
API SDKs
⭐ ⭐ ⭐ ⭐
Encrypt Secrets
⭐ ⭐ ⭐ ⭐ ⭐
RBAC and ACLs
⭐ ⭐ ⭐ ⭐ ⭐
API Gateway
⭐ ⭐ ⭐ ⭐ ⭐

API Auth Security Patterns
Tired Wired
Build it yourself
Static API Tokens
CORS wildcard
Use existing libraries
Short lived access tokens
Restrict access with CORS

04
Infra Auth
Security
Patterns

CHALLENGE SOLUTION
Linux
Software is Automation
and Automation is
less toil.
-Mark Shuttleworth
Canonical CEO
Larry Ewing

SSH with Keys
https://www.ssh.com/academy/ssh/protocol

Certiﬁcates
CC BY 3.0: EFF.org

SSO for Servers
https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam
Active Directory
Pluggable Authentication Modules (PAM) for Linux
Okta's Advanced Server Access
https://www.redhat.com/sysadmin/pluggable-authentication-modules-pam

Scan Docker Images

Know Your Cloud and Cluster Security
@briandemers / @mraible https://twitter.com/acloudguru/status/1344724013122260993

The 4C's of Cloud Native Security
https://kubernetes.io/docs/concepts/security/overview/

Kubernetes Tips
Kubernetes Tips
Only expose what needs to be public
Scan and update Kubernetes YAML
Check out Kubescape
https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes

Encrypt Kubernetes Secrets
apiVersion: v1
kind: Secret
metadata:
name: registry-secret
namespace: demo
type: Opaque
data:
registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64
encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"

Automation is Key
WSJ

Certiﬁcates
⭐ ⭐ ⭐ ⭐
Infra Auth
Security
Patterns Linux
⭐ ⭐ ⭐ ⭐ ⭐
SSH with Keys
⭐ ⭐ ⭐
Scan Docker Images
⭐ ⭐ ⭐ ⭐ ⭐
Encrypt K8s Secrets
⭐ ⭐ ⭐ ⭐ ⭐
Automate Your Infra
⭐ ⭐ ⭐ ⭐ ⭐
SSO for Servers
⭐ ⭐ ⭐ ⭐ ⭐

Infra Auth Security Patterns
Tired Wired
FROM: some-large-image:1.2.3
Secrets in Images
Shared Credentials
Use minimal images
HashiCorp Vault
Limit Access

05
Action!

Action
How to codify these patterns?
spring
security

Action
How to test for lack of
patterns?
https://implicitdetector.io
Audit Server Access

Action
How to test for vulnerabilities?

What about ?

The OWASP Top 10 really
hasn’t changed all that
much in the last ten years.
-Johnny Xmas (@J0hnnyXm4s)

developer.okta.com/blog
@oktadev

Thanks!
Brian Demers
@briandemers @bdemers
@bdemers
brian.demers@okta.com
Matt Raible
@mraible @mraible
@mraible
matt.raible@okta.com
https://speakerdeck.com/mraible

Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devnexus 2022

More Related Content

Similar to Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devnexus 2022 (20)

More from Matt Raible (20)

Recently uploaded (20)

Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devnexus 2022