ITCamp 2012 - Leonard Abu-Saa - WCF Security
WCF Security

     Abu-Saa Leonard, Software Architect
     Arobs Transilvania Software
     Blog: http://net-daylight.blogspot.com/


@itcampro #itcamp12 - Premium conference on Microsoft technologies
ITCamp 2012 sponsors (Architecture & Best Practices track)

Agenda


• Overview
• Authentication & Authorization
• Security Modes
• Credential Types
• WCF Authentication Service
• Custom UserName & Password Authentication
• Q&A

Overview


• Online transactions
• Do we ignore security?

Overview – Security fundamentals


• Auditing and Logging
• Authentication
• Authorization
• Configuration Management
• Message Protection
• Message Validation
• Sensitive data
• Session Management

Threats, Vulnerabilities and Attacks


• Asset
• Threat
• Vulnerability
• Attack

Authentication != Authorization


• Authentication identifies a user or a process
• One of the most important aspects of security
• We use it daily: IDs, user names & passwords, etc.

Authorization


• Verifies which resources the identified party may access
• Happens after authentication
• Closely related to authentication

Authentication in WCF


• None
• Basic
• NTLM
• Windows
• Certificate
• Username
    – Custom Provider
    – SqlMembershipProvider
• Issued Token

Security Modes


• None
    – Not recommended
• Transport Security
    – Encrypts the communication channel
• Message Security
    – The message is encrypted

Security Modes - Variations


• Transport Credential Only
    – Client credentials are sent with the request (HTTP authentication) over an
      unencrypted channel; nothing is encrypted or integrity-protected, so use it
      only on a network that is itself trusted (e.g. protected by IPsec)
• Transport With Message Credential
    – Client credentials travel inside the message (WS-Security header), while
      encryption and integrity are provided by the transport (HTTPS)
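The modes and variations above, as an added C# example that is not code from the presentation: it hosts a hypothetical `IOrderService` contract on four endpoints, one per mode, with the weak `TransportCredentialOnly` setting next to the corrected ones, and audits the service host before it is opened so that any endpoint that would send credentials or payload in the clear stops the service from starting. The contract, the `BindingAudit` helper and the `localhost` addresses are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Description;

// Hypothetical contract; it exists only so that endpoints can be hosted.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrder(int id);
}

public class OrderService : IOrderService
{
    public string GetOrder(int id) { return "order-" + id; }
}

public static class BindingAudit
{
    // One finding per endpoint whose binding would put credentials or payload on
    // the wire without encryption. Run it before host.Open() and refuse to start
    // if it returns anything.
    public static IList<string> Audit(ServiceHostBase host)
    {
        var findings = new List<string>();
        foreach (ServiceEndpoint ep in host.Description.Endpoints)
        {
            string where = ep.Address.Uri + " [" + ep.Binding.GetType().Name + "]";

            if (ep.Binding is BasicHttpBinding basic)
            {
                if (basic.Security.Mode == BasicHttpSecurityMode.None)
                {
                    findings.Add(where + ": Mode=None, neither credentials nor payload are protected");
                }
                else if (basic.Security.Mode == BasicHttpSecurityMode.TransportCredentialOnly)
                {
                    // HTTP authentication over plain http: a Basic credential is only
                    // base64-encoded, so the password is readable by anyone on the path.
                    findings.Add(where + ": TransportCredentialOnly sends "
                        + basic.Security.Transport.ClientCredentialType
                        + " credentials without encryption");
                }
            }
            else if (ep.Binding is WSHttpBinding ws && ws.Security.Mode == SecurityMode.None)
            {
                findings.Add(where + ": Mode=None, neither credentials nor payload are protected");
            }
        }
        return findings;
    }

    public static void Main()
    {
        var host = new ServiceHost(typeof(OrderService));

        // Weak: Basic authentication over http, the password travels in clear.
        var weak = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        weak.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        host.AddServiceEndpoint(typeof(IOrderService), weak, "http://localhost:8080/orders/weak");

        // Corrected: the same Basic credential, but the transport is TLS, so the
        // Authorization header and the payload are encrypted and integrity-protected.
        var transport = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        transport.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        host.AddServiceEndpoint(typeof(IOrderService), transport, "https://localhost:8443/orders/transport");

        // TransportWithMessageCredential: UserName token in the WS-Security header,
        // confidentiality and integrity from TLS.
        var hybrid = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        hybrid.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(IOrderService), hybrid, "https://localhost:8443/orders/hybrid");

        // Message security: SOAP body signed and encrypted with the service certificate,
        // independent of the transport (plain http is fine; Open() would need the certificate).
        var message = new WSHttpBinding(SecurityMode.Message);
        message.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        host.AddServiceEndpoint(typeof(IOrderService), message, "http://localhost:8080/orders/message");

        IList<string> findings = Audit(host);
        foreach (string f in findings) Console.WriteLine("FINDING: " + f);
        if (findings.Count > 0) Environment.Exit(1);   // only the /weak endpoint is reported
        host.Open();
    }
}
```

The audit is deliberately placed before `Open()`: WCF itself accepts `TransportCredentialOnly` without complaint, so the decision to forbid it has to be made by the application, and a start-up check is cheaper than finding the plaintext `Authorization` header in a packet capture later.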




Transport Security


• SSL/TLS on the transport: HTTPS, or TCP with transport security
• The goal is integrity, confidentiality and authentication
• Integrity = a message authentication code over the data, so tampering is detected
• Confidentiality = encryption of the data with the negotiated session key
• Authentication = credentials (the server's certificate; optionally a client
  certificate, Windows or user name credential)
• The server's digital certificate authenticates the server and bootstraps the
  encrypted channel

Transport Security (continued)


• When do we use Transport Security?
• Advantages
     – Better performance (symmetric crypto on the channel, no per-message XML
       signing and encryption)
     – Interoperability (any HTTPS-capable client)
• Disadvantages
     – Point-to-point only: protection ends at each hop, so a proxy or load
       balancer that terminates TLS sees the plaintext

Message Security


• When do we use Message Security?
• Protects the message itself (WS-Security: SOAP headers and body are signed and
  encrypted), not the channel
• Advantages
     – End-to-end security: the protection survives intermediaries such as
       proxies and queues
     – Independent of the communication protocol
• Disadvantages
     – Lower performance compared to transport security
     – Does not interoperate with older ASMX clients
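Both the transport and the message security slides rest on the service's digital certificate, and in practice the weakest point is how the client validates it. The following C# is added here and is not from the presentation: it places the common mistake of switching validation off (for message security via `X509CertificateValidationMode.None`, for HTTPS via a `ServerCertificateValidationCallback` that always returns true) next to a hardened version that builds the chain with revocation checking and additionally pins the expected thumbprint. `IOrderService`, `CertPolicy`, `PinnedValidator`, the address and the thumbprint value are placeholders assumed for this example.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract; address and thumbprint passed in below are placeholders.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrder(int id);
}

public static class CertPolicy
{
    // Shared check: the chain must build with revocation checking, and the leaf
    // must be the pinned certificate. Returns null on success, otherwise a reason.
    public static string Check(X509Certificate2 cert, string pinnedThumbprint)
    {
        if (cert == null) return "no certificate presented";
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            if (!chain.Build(cert))
                return "untrusted chain: " + string.Join("; ",
                    chain.ChainStatus.Select(s => s.Status.ToString()));
        }
        string expected = pinnedThumbprint.Replace(" ", "");
        if (!string.Equals(cert.Thumbprint, expected, StringComparison.OrdinalIgnoreCase))
            return "thumbprint " + cert.Thumbprint + " is not the pinned certificate";
        return null;
    }
}

// Message security: WCF hands the negotiated or configured service certificate to
// this validator before using it to encrypt and sign messages.
public class PinnedValidator : X509CertificateValidator
{
    private readonly string pin;
    public PinnedValidator(string pinnedThumbprint) { pin = pinnedThumbprint; }

    public override void Validate(X509Certificate2 certificate)
    {
        string problem = CertPolicy.Check(certificate, pin);
        if (problem != null)
            throw new SecurityTokenValidationException("Service certificate rejected: " + problem);
    }
}

public static class ClientSetup
{
    // Weak: every certificate is accepted, so a man-in-the-middle with any
    // self-signed certificate terminates the "secure" channel.
    public static ChannelFactory<IOrderService> Insecure(string address)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var factory = new ChannelFactory<IOrderService>(binding, new EndpointAddress(address));
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.None;                 // do not ship this
        // The HTTPS (transport security) form of the same mistake, process-wide:
        ServicePointManager.ServerCertificateValidationCallback = (s, c, ch, e) => true;
        return factory;
    }

    // Hardened: chain validation with revocation checking plus pinning, for both modes.
    public static ChannelFactory<IOrderService> Hardened(string address, string pinnedThumbprint)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var factory = new ChannelFactory<IOrderService>(binding, new EndpointAddress(address));
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedValidator(pinnedThumbprint);

        // For https endpoints (transport security) the server certificate is checked
        // by the HTTP stack instead; keep its built-in checks and add the pin on top.
        ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
            errors == SslPolicyErrors.None &&
            CertPolicy.Check(new X509Certificate2(cert), pinnedThumbprint) == null;
        return factory;
    }
}
```

`ServicePointManager.ServerCertificateValidationCallback` is global to the process, which is exactly why the `=> true` shortcut is dangerous: one test-only line silently disables server authentication for every HTTPS call the application makes, not just the WCF endpoint it was written for.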



WCF Authentication Service


• Uses ASP.NET membership to authenticate users
• Requires cookies: the client must accept and present the forms-authentication cookie
• The login can be customized (e.g. to validate against another store)
• The authentication cookie can be customized
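The agenda's "Custom UserName & Password Authentication" item, as an added example rather than the presentation's own code: a `UserNamePasswordValidator` that checks a PBKDF2-SHA256 hash with a fixed-time comparison, gives the same answer and costs the same time for an unknown user as for a wrong password, and is wired to a `TransportWithMessageCredential` endpoint so that the password is protected by TLS on the wire. The `IOrderService` contract, the in-memory user store and the `https://localhost:8443` address are assumptions for this example; a real service would load the salted hashes from its own store.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract and service, constructed for the example.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrder(int id);
}

public class OrderService : IOrderService
{
    public string GetOrder(int id) { return "order-" + id; }
}

public class HashedPasswordValidator : UserNamePasswordValidator
{
    private const int Iterations = 100000;
    private const int SaltBytes = 16, HashBytes = 32;

    // user name -> (salt, PBKDF2-SHA256 hash); in-memory stand-in for a real store.
    private readonly Dictionary<string, Tuple<byte[], byte[]>> users =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);
    private readonly byte[] decoySalt = new byte[SaltBytes];

    public HashedPasswordValidator()
    {
        // Decoy salt so that an unknown user costs as much as a wrong password.
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(decoySalt);
    }

    public void AddUser(string userName, string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        users[userName] = Tuple.Create(salt, Derive(password, salt));
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        // The HashAlgorithmName overload needs .NET Framework 4.7.2+ or .NET Core 2.0+.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Compares every byte regardless of where the first difference is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null)
            throw new SecurityTokenException("Missing credentials");

        Tuple<byte[], byte[]> rec;
        bool known = users.TryGetValue(userName, out rec);
        byte[] salt = known ? rec.Item1 : decoySalt;
        byte[] expected = known ? rec.Item2 : new byte[HashBytes];
        byte[] actual = Derive(password, salt);   // always computed, even for unknown users

        // One error message for both cases: no user enumeration through the fault.
        if (!known || !FixedTimeEquals(actual, expected))
            throw new SecurityTokenException("Unknown user name or incorrect password");
    }
}

public static class HostSetup
{
    public static ServiceHost Build(HashedPasswordValidator validator)
    {
        var host = new ServiceHost(typeof(OrderService));

        // UserName token in the WS-Security header, channel protected by TLS: the
        // validator sees the password in clear, the network never does.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(IOrderService), binding, "https://localhost:8443/orders");

        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = validator;
        return host;
    }
}
```

Usage: create a `HashedPasswordValidator`, call `AddUser` for each account, then `HostSetup.Build(validator).Open()`. The validator throws rather than returning a value because WCF treats any exception from `Validate` as an authentication failure; throwing `SecurityTokenException` keeps the detail out of the fault sent to the client.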




Q&A


