In this session, you'll learn about recommended patterns for securing your backend APIs, the infrastructure they run on, and your SPAs and mobile apps.
The world is no longer a place where you just need to secure your apps’ UI. You need to pay attention to your dependency pipeline and open source frameworks, too. Once you have the app built, with secure-by-design code, what about the cloud it runs on? Are the servers secure? What about the accounts you use to access them?
If you lock all that sh*t down, how do you codify your solution so you can transport it cloud-to-cloud, or back to on-premises? This session will explore these concepts and many more!
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - SpringOne 2021
1. Lock That Sh*t Down!
Auth Security Patterns for Apps, APIs, and Infra
Brian Demers and Matt Raible
@briandemers / @mraible
September 2, 2021
2. @briandemers / @mraible
Who are we?
Brian Demers
Open Source Developer and Java Champion
Fun facts: likes to snowboard; into 🐝
@bdemers
Matt Raible
Open Source Developer and Java Champion
Fun facts: likes to ski; into classic VWs ✌
@mraible
3. @briandemers / @mraible
Today's Agenda
01 What is Auth? AuthN vs AuthZ
02 App Auth Security Patterns: Web, SPA, Mobile
03 API Auth Security Patterns: Tokens, OAuth, Secrets
04 Infra Auth Security Patterns: Linux, SSH, Docker, Kubernetes
05 Action! How to implement these patterns
14. @briandemers / @mraible
Why JWTs Suck as Session Tokens
-@rdegges on developer.okta.com, 2017
What do we do about JWT?
-Security. Cryptography. Whatever. podcast, 2021
19. @briandemers / @mraible
App Auth Security Patterns
Tired → Wired
Apps handling passwords → Let someone else worry about it
Stateless to scale → Sessions are tried and true
OAuth Implicit Flow → OAuth Auth Code w/ PKCE
Sensitive data in URL → Use headers or the body
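The "OAuth Auth Code w/ PKCE" pattern above, as an added example that is not from the slides: the client derives a code_challenge from a random code_verifier (RFC 7636, S256), the authorization server binds that challenge to the one-time code, and the token endpoint only accepts the code together with the matching verifier. The AuthorizationServer class and its method names are my own toy stand-ins, not any real library's API.

```python
# Added example: PKCE (RFC 7636) verifier/challenge derivation plus the
# server-side check. Not from the talk; AuthorizationServer is a toy stand-in.
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636: 43..128 chars from [A-Za-z0-9-._~]; 32 random bytes -> 43 chars
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    # What the authorization server does at the token endpoint
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))


class AuthorizationServer:
    """Toy AS: remembers the challenge bound to each code, checks it on exchange."""

    def __init__(self):
        self._codes = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Authorization endpoint: accept only S256 and bind the challenge to a one-time code
        if method != "S256":
            raise ValueError("only the S256 challenge method is accepted")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        # Token endpoint: the code is single-use; a code without its verifier is useless
        challenge = self._codes.pop(code, None)
        if challenge is None or not verify_pkce(challenge, code_verifier):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "Bearer"}
```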
21. @briandemers / @mraible
HTTP Basic
spring:
  cloud:
    config:
      fail-fast: true
      retry:
        initial-interval: 1000
        max-interval: 2000
        max-attempts: 100
      uri: http://admin:${jhipster.registry.password}@localhost:8761/config
      # name of the config server's property source (file.yml) that we want to use
      name: store
      profile: prod # profile(s) of the property source
      label: main # toggle to switch to a different version stored in git
jhipster:
  registry:
    password: admin
31. @briandemers / @mraible
RBAC and ACLs
Groups: Admin, User, Help Desk
Privileges: Record: Read, Record: Create, Record: Update, Record: Delete
Users
33. @briandemers / @mraible
API Auth Security Patterns
Tired → Wired
Build it yourself → Use existing libraries
Static API Tokens → Short lived access tokens
CORS wildcard → Restrict access with CORS
35. CHALLENGE SOLUTION
Linux
"Software is Automation and Automation is less toil."
-Mark Shuttleworth, Canonical CEO
Larry Ewing
38. @briandemers / @mraible
SSO for Servers
https://www.redhat.com/sysadmin/plu able-authentication-modules-pam
Active Directory
Pluggable Authentication Modules (PAM) for Linux
Okta's Advanced Server Access
40. @briandemers / @mraible
Know Your Cloud and Cluster Security
https://twitter.com/acloudguru/status/1344724013122260993
41. @briandemers / @mraible
The 4C's of Cloud Native Security
https://kubernetes.io/docs/concepts/security/overview/
42. @briandemers / @mraible
Kubernetes Tips
Only expose what needs to be public
Scan and update Kubernetes YAML
Check out Kubescape
https://www.infoq.com/podcasts/continuous-delivery-with-kubernetes
45. @briandemers / @mraible
Infra Auth Security Patterns
Certificates: ⭐ ⭐ ⭐ ⭐
Linux: ⭐ ⭐ ⭐ ⭐ ⭐
SSH with Keys: ⭐ ⭐ ⭐
Scan Docker Images: ⭐ ⭐ ⭐ ⭐ ⭐
Encrypt K8s Secrets: ⭐ ⭐ ⭐ ⭐ ⭐
Automate Your Infra: ⭐ ⭐ ⭐ ⭐ ⭐
SSO for Servers: ⭐ ⭐ ⭐ ⭐ ⭐
46. @briandemers / @mraible
Infra Auth Security Patterns
Tired → Wired
FROM: some-large-image:1.2.3 → Use minimal images
Secrets in Images → HashiCorp Vault
Shared Credentials → Limit Access