In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps. The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them? If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!

1. Lock That Sh*t Down!
Auth Security Patterns or Apps, APIs, and In ra
Brian Demers and Matt Raible
@briandemers / @mraible
September 2, 2021

2. @briandemers / @mraible
Who are we?
Brian Demers
Open Source Developer and Java Champion
Fun acts: likes to snowboard; into 🐝
@bdemers
Matt Raible
Open Source Developer and Java Champion
Fun acts: likes to ski; into classic VWs ✌
@mraible

3. @briandemers / @mraible
Today's A enda What is Auth?
AuthN vs AuthZ
01
App Auth Security Patterns
Web, SPA, Mobile
02
API Auth Security Patterns
Tokens, OAuth, Secrets
03
In ra Auth Security Patterns
Linux, SSH, Docker, Kubernetes
04
Action!
How to implement these patterns
05
@briandemers / @mraible

4. @briandemers / @mraible
01
What is Auth?
@briandemers / @mraible

5. @briandemers / @mraible
Soooo ...
Why should you care?
@briandemers / @mraible

6. A brie history o Auth
@briandemers / @mraible
60s: First
Password
1977:
RSA
1994:
SSL
2006:
SAML 2.0
2012:
OAuth 2.0
2014:
OIDC
2017:
PKCE

7. @briandemers / @mraible
Developer Personas
App Developer
Frontend Developer
Mobile App Developer
Web Developer
API Developer
Java Developer
Backend Developer
Probably likes tests
DevOps
System Administrator
Deployer
Operations
Monitorin
Security
Concerned Consultant
Paranoid Geek
Security over
per ormance
@briandemers / @mraible

8. @briandemers / @mraible
02
App Auth
Security
Patterns
@briandemers / @mraible

9. @briandemers / @mraible
Web vs SPA vs
Mobile App
@briandemers / @mraible

10. @briandemers / @mraible
HTTP Basic
@briandemers / @mraible

11. @briandemers / @mraible
Form-based Authentication
@briandemers / @mraible

12. CHALLENGE SOLUTION
@briandemers / @mraible
SAML
@briandemers / @mraible
SAML is to OIDC as
SOAP is to REST.
-Joël Franusic (@j )

13. @briandemers / @mraible
JWT Authentication
@briandemers / @mraible

14. @briandemers / @mraible
@briandemers / @mraible
Why JWTs Suck as Session Tokens
-@rde es on developer.okta.com, 2017
What do we do about JWT?
-Security. Crypto raphy. Whatever. podcast, 2021

15. @briandemers / @mraible
OpenID Connect (OIDC) or Auth
@briandemers / @mraible
Identity
Provider
🔒Veri y

16. @briandemers / @mraible
Multi-Factor Authentication (MFA)
@briandemers / @mraible

17. Passwordless
password
Password1
Password1!
We like to think we know what we are talking
about, at least Okta hasn't fired us yet…
@briandemers / @mraible

18. @briandemers / @mraible
SAML
⭐ ⭐
App Auth
Security
Patterns HTTP Basic
⭐
Embedded Auth
⭐
OpenID Connect
⭐ ⭐ ⭐ ⭐
MFA
⭐ ⭐ ⭐ ⭐ ⭐
Passwordless
⭐ ⭐ ⭐ ⭐ ⭐
JWT Auth
⭐ ⭐
@briandemers / @mraible

19. @briandemers / @mraible
App Auth Security Patterns
Tired Wired
Apps handlin passwords
Stateless to scale
OAuth Implicit Flow
Sensitive data in URL
Let someone else worry about it
Sessions are tried and true
OAuth Auth Code w/ PKCE
Use headers or the body
@briandemers / @mraible

20. @briandemers / @mraible
03
API Auth
Security
Patterns
@briandemers / @mraible

21. @briandemers / @mraible
HTTP Basic
@briandemers / @mraible
spring:
cloud:
config:
fail-fast: true
retry:
initial-interval: 1000
max-interval: 2000
max-attempts: 100
uri: http://admin:${jhipster.registry.password}@localhost:8761/config
# name of the config server's property source (file.yml) that we want to use
name: store
profile: prod # profile(s) of the property source
label: main # toggle to switch to a different version stored in git
jhipster:
registry:
password: admin

22. @briandemers / @mraible
Tokens
@briandemers / @mraible
$20

23. @briandemers / @mraible
OAuth 2.0
@briandemers / @mraible https://aaronparecki.com/2019/12/12/21/its-time- or-oauth-2-dot-1

24. @briandemers / @mraible
OAuth 2.0
@briandemers / @mraible

25. @briandemers / @mraible
OAuth 2.0
@briandemers / @mraible

26. @briandemers / @mraible
OAuth 2.1
@briandemers / @mraible
https://oauth.net/2.1
Authorization Code + PKCE
Client Credentials
Device Grant

27. @briandemers / @mraible
OAuth Client Credentials
@briandemers / @mraible

28. @briandemers / @mraible
API Gateway
API
Gateway
App
App
App
/do s
/cats
/fish
@briandemers / @mraible
{ Rest }
Client

29. @briandemers / @mraible
Use API SDKs
@briandemers / @mraible

30. @briandemers / @mraible
Encrypt and Rotate Secrets
@briandemers / @mraible

31. @briandemers / @mraible
RBAC and ACLs
@briandemers / @mraible
Groups
Admin
User
Help Desk
Privile e
Record : Read
Record : Create
Record : Update
Record : Delete
Users

32. @briandemers / @mraible
OAuth 2.1
⭐ ⭐ ⭐ ⭐ ⭐
API Auth
Security
Patterns HTTP Basic
⭐ ⭐
Tokens
⭐ ⭐ ⭐
API SDKs
⭐ ⭐ ⭐ ⭐
Encrypt Secrets
⭐ ⭐ ⭐ ⭐ ⭐
RBAC and ACLs
⭐ ⭐ ⭐ ⭐ ⭐
API Gateway
⭐ ⭐ ⭐ ⭐ ⭐
@briandemers / @mraible

33. @briandemers / @mraible
API Auth Security Patterns
Tired Wired
Build it yoursel
Static API Tokens
CORS wildcard
Use existin libraries
Short lived access tokens
Restrict access with CORS
@briandemers / @mraible

34. @briandemers / @mraible
04
In ra Auth
Security
Patterns
@briandemers / @mraible

35. CHALLENGE SOLUTION
@briandemers / @mraible
Linux
@briandemers / @mraible
So tware is Automation
and Automation is
less toil.
-Mark Shuttleworth
Canonical CEO
Larry Ewin

36. @briandemers / @mraible
SSH with Keys
@briandemers / @mraible
https://www.ssh.com/academy/ssh/protocol

37. Certificates
CC BY 3.0: EFF.or
@briandemers / @mraible

38. @briandemers / @mraible
@briandemers / @mraible
SSO or Servers
https://www.redhat.com/sysadmin/plu able-authentication-modules-pam
Active Directory
Plu able Authentication Modules (PAM) or Linux
Okta's Advanced Server Access
https://www.redhat.com/sysadmin/plu able-authentication-modules-pam

39. Scan Docker Ima es
@briandemers / @mraible

40. @briandemers / @mraible
Know Your Cloud and Cluster Security
@briandemers / @mraible https://twitter.com/acloud uru/status/1344724013122260993

41. @briandemers / @mraible
The 4C's o Cloud Native Security
https://kubernetes.io/docs/concepts/security/overview/
@briandemers / @mraible

42. @briandemers / @mraible
Kubernetes Tips
Kubernetes Tips
Only expose what needs to be public
Scan and update Kubernetes YAML
Check out Kubescape
https://www.in oq.com/podcasts/continuous-delivery-with-kubernetes
@briandemers / @mraible

43. @briandemers / @mraible
Encrypt Kubernetes Secrets
@briandemers / @mraible
apiVersion: v1
kind: Secret
metadata:
name: registry-secret
namespace: demo
type: Opaque
data:
registry-admin-password: ZTVmNzU2YWEtMmEyMy00NzE3LTgwOTMtNzcyYTRkOTliZDI4 # base64
encoded "e5f756aa-2a23-4717-8093-772a4d99bd28"

44. @briandemers / @mraible
Automation is Key
@briandemers / @mraible
WSJ

45. @briandemers / @mraible
Certificates
⭐ ⭐ ⭐ ⭐
In ra Auth
Security
Patterns Linux
⭐ ⭐ ⭐ ⭐ ⭐
SSH with Keys
⭐ ⭐ ⭐
Scan Docker Ima es
⭐ ⭐ ⭐ ⭐ ⭐
Encrypt K8s Secrets
⭐ ⭐ ⭐ ⭐ ⭐
Automate Your In ra
⭐ ⭐ ⭐ ⭐ ⭐
SSO or Servers
⭐ ⭐ ⭐ ⭐ ⭐
@briandemers / @mraible

46. @briandemers / @mraible
In ra Auth Security Patterns
Tired Wired
FROM: some-lar e-ima e:1.2.3
Secrets in Ima es
Shared Credentials
Use minimal ima es
HashiCorp Vault
Limit Access
@briandemers / @mraible

47. @briandemers / @mraible
05
Action!
@briandemers / @mraible

48. @briandemers / @mraible
Action
How to codi y these patterns?
@briandemers / @mraible
spring
security

49. @briandemers / @mraible
Action
How to test or lack o
patterns?
@briandemers / @mraible
https://implicitdetector.io
Audit Server Access

50. @briandemers / @mraible
Action
How to test or vulnerabilities?
@briandemers / @mraible

51. @briandemers / @mraible
What about ?
@briandemers / @mraible

52. The OWASP Top 10 really
hasn’t chan ed all that
much in the last ten years.
-Johnny Xmas (@J0hnnyXm4s)
@briandemers / @mraible

53. @briandemers / @mraible
developer.okta.com/blo
@oktadev
@briandemers / @mraible

54. @briandemers / @mraible
Thanks!
Brian Demers
@briandemers @bdemers
@bdemers
brian.demers@okta.com
Matt Raible
@mraible @mraible
@mraible
matt.raible@okta.com
https://speakerdeck.com/mraible

55. developer.okta.com