Security Architecture Consulting - The Next Stop!

#whoami – Hiren Shah
• 25 Years in Business & IT field
• President & Mentor of Net Square
• LinkedIn: hirens
• Twitter: @hiren_sh
Business & IT Leader Mixed into One
Key Drivers and Considerations of today’s Global Banks
1. Cross-Selling for Financial And Non-Financial Products
2. Deliver Experience based on Personalisation
3. Support customer segments with different web capabilities
4. Support innovation - agility to implement new features
5. Seamless Experience Across Channels
“To Provide state-of-the-art customized, seamless and uniform User Experience for all customer segments across desktop & mobile web”

TYPICAL LOGICAL ARCHITECTURE
Advantages: Cloud enabled; Microservices driven; Integration approach; Personalization and contextualization; Multilingual support; Future proof; Omni channel; Polyglot persistence
Security challenges: Stateless architecture; API management; Infrastructure security; Data security
Identifying security holes early on
[Diagram: typical deployment - Client Browser, Netscaler (LB), WAF, Nginx (Reverse Proxy / SLB), Active Directory / ADFS; PCF Platform hosting the AngularJS app (Nginx) and MicroService A / MicroService B (Embedded Tomcat); Redis, MQ, Config-Server, Databases, Orchestrator; links labelled Https and Http]

Question the client on:
• Threat perception
• Challenges in System administration on new platforms and Technologies
• Polyglot persistence - How should data be stored?
• Limitation of Tools, e.g. PCF Platform - Containerisation of Messaging layer?
Build Security Design Patterns
TYPICAL TECHNICAL ARCHITECTURE
[Diagram: Secured SPA Applications - Angular Framework with Model (JSON), View (HTML), Controller + Service (TypeScript) and an Http Interceptor (AUTH); static CSS, Images and Fonts; JSON / HTTPS to the backend. Stateless Microservices - Spring Boot + Allied Frameworks with Protocol Adaptor (REST/JMS), Http Interceptor (AUTH-FILTER), RestController, Message Listener, Service, Model (POJO), DAO, JDBC and Internal Queues. Surrounding components: OIDC / OAuth Server (HTTPS), Notification Engine (SMS / Email), Application Database, Unstructured Datastore, Caching; links labelled HTTPS, JMS, JDBC and TCP/IP]

Security Specs:
• jsrsasign v8.0.12 (Javascript library) on client (https://www.npmjs.com/package/jsrsasign)
• Java Cryptography Extension (JCE) implementation of Java SE 8 (on server)
• Secret Key generation per session
• Encryption of sensitive data on client using RSA (2048 bits) public key
• MAC computation using HmacSHA512 and secret-key for every request/response

Validate design principles, e.g. is the proposed solution going to maintain state in a stateless architecture?
Build patterns of Security Principles, e.g. OTT
The Devil is in the Detail!
// Client-side session id generation (methods of the Angular client service;
// shown as plain functions on the slide).
this.clientSessionId = this.generateRandom();

function generateRandom() {
    // The seed values are irrelevant: getRandomValues() overwrites all eight
    // 32-bit slots with CSPRNG output.
    var asciiArray = new Uint32Array([0xFAFBA, 0xAFFBC, 0xFABBD, 0xFFFBA,
                                      0xFAFFE, 0xFADBA, 0xFEFBB, 0xFAFBD]);
    window.crypto.getRandomValues(asciiArray);
    return this.padZero(asciiArray);
}

function padZero(randomNumberArray) {
    // Concatenates the eight random integers, each prefixed with a literal '0'.
    // Each 32-bit value has 1 to 10 decimal digits, so the result's length varies.
    return '0' + randomNumberArray[0] +
           '0' + randomNumberArray[1] +
           '0' + randomNumberArray[2] +
           '0' + randomNumberArray[3] +
           '0' + randomNumberArray[4] +
           '0' + randomNumberArray[5] +
           '0' + randomNumberArray[6] +
           '0' + randomNumberArray[7];
}
A new “nonce” header value is sent on every Request and validated against the Response header value. It also acts as a correlation-id to trace & correlate user requests in logs across backend services.
Format: (16-digit random per session | 16-digit random per request)

var requestId = this.generateRandom();
RequestHeaders['nonce'] = this.clientSessionId + '|' + requestId;

“state” is the unique server session id, created for tracking the conversation of the Multi-Factor Login Flow, with a max. idle/inactivity timeout of short duration (e.g. 5 mins).
Format: Base64.getUrlEncoder().withoutPadding().encode(User-Agent | client_id | clientSessionId | UID | UUID.randomUUID().toString())
[Sequence diagram: Multi-Factor Login Flow between End-User, LogonUI (Angular Client), HTTP Server (https://www.kotak.com/Signin/), Authentication Service and CacheServer (Redis), as read from the slide]
1. End-User → LogonUI: Input UserId
2. LogonUI: generateNonce()
3. LogonUI → Authentication Service: POST /v1/idp/login [nonce]{client_id, userId}
4. Authentication Service: // Look-up UserId and CRN (FindUID, authMethod); generateState()
5. Authentication Service → CacheServer: put(state, HashMap)
6. Authentication Service → LogonUI: [nonce]{state, authMethod}
7. LogonUI: validateNonce(); Display Fields Relevant for authMethod; // Bust Frames

Reverse Proxy should add standard Security Headers to ALL Responses:
Strict-Transport-Security: max-age=599
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Access-Control-Allow-Origin: https://www.abcbank.com
Prioritise review of some controls over the others
(These you will get a chance to test thoroughly during Appsec also.)

Controls - Testing Goals
Authentication: Authenticate users before allowing access to any sensitive data or operations. Safeguard user accounts from misuse or unauthorized use. Protect authentication credentials when stored or in transit.
Authorization: Prevent user access to resources outside their assigned privileges. Restrict functionality to only those resources required to fulfil the task.
Input Validation: All client side input must be regarded as untrusted. All input must be validated before being passed to the application logic. Only good and expected input should be allowed.
Session Management: Protect against session hijacking. Protect against brute forcing. Well-defined login and logout points. Expired sessions cannot be re-used later.
Client Protection: Assume an untrusted endpoint environment. Assist in application layer endpoint security. Prohibit sensitive data to be stored on the client. Assist in preventing data leaks from the endpoint.
Cryptography: Appropriate choice and justification of cryptographic algorithms. Well-known and tested cryptography. Detect inadvertent use of cryptography.
Logging: Auditing capabilities independent of any other system audit trails. Events should be labelled appropriately within the log data. Log review. Protected from unauthorized access and tampering.
Take a “Holistic” View
[Diagram: Orchestrator over multiple Nodes and Multiple Instances, with assessment areas marked: Container Orchestration Assessment, Network Assessment, Infrastructure Virtualization]
Extend the coverage to include all aspects of the solution, including administration of platforms.

Process & Policy are not “out-of-scope”!
• Technical: Vulnerability in funds transfer allows unauthorized funds transfer
• Policy: User id for customer identification is a sequential number
• Process: Transfer money to a beneficiary without registration
Serious security breaches typically manifest because of weakness in process and policy design along with Technical vulnerabilities.
Sometimes, “what client wants”

# Activity
1 Documents Review (Network, Data Flow, etc.)
Understand the network and data flow of the application with all components that are part of its ecosystem, or any other applications it is trying to connect to.
2 Inter-Tier Authentication
Functionality of the interfaces, encryption used (SSL, TLS, etc.).
3 User Authentication & Authorization
Authentication – AD/local authentication; role based access, master maintenance (maker/checker for important functions).
Dormant accounts, how are they managed; service accounts and related security (interactive login disabled).
Multifactor authentication – known vulnerabilities.
Check if the software component used for authentication has known vulnerabilities.
4 Data at Rest
Identify how sensitive data is stored in the database.
5 Data in Transit
Review how sensitive data is transmitted over the communication channel.
6 Security Review of API and Web Services associated with integrations (if applicable)
Review the technology (OAuth, JWT, etc.) used for the API or Web Service and identify whether any known vulnerability is present, e.g. no validation of session tokens.
7 User Access Management (Provisioning / De-provisioning / Modification)
Review how users are provisioned and removed. What is the frequency of user access review, and is there any documented procedure for it? Dormant account handling.
8 Password Policy
Review the application's password policy; if not integrated with AD, is it as per the Kotak defined password policy?
9 Multifactor Authentication
Review the multifactor authentication used (Google Authenticator), check for any known vulnerabilities and whether the implementation is secure or not.
10 Cryptography Management
Review the encryption / hashing algorithms used in the application; are they as per the Kotak defined cryptographic standard?
11 Audit Logging
Review logging of sensitive information; identify logging across the various components (OS, App, DB, etc.).
12 Application Deployment Process
How is the final compiled code deployed? Is there a defined process for it, or can the app owner directly push binaries to production?
13 Backend (Database / MQ) Tampering for initiating a transaction / updating balances
Tamper with the request / files used for processing the transaction and review whether it gets executed successfully. Try to update the same values directly in the backend database and review the execution.
14 Financial Transaction Flow (STP / Manual)
Review the transaction flow and check the controls around it, e.g. whether there is a File Integrity solution for a file based transaction system.
15 Identify and review configuration of controls (e.g. WAF, IDS / IPS responsible for the application)
Identify the technologies used as compensating controls for known vulnerabilities and review their configuration / implementation.
16 Data Integrity
As a security measure the request payload or file is sent with a checksum to provide assurance on the integrity of the data. Review whether it is implemented securely (e.g. whether the algorithm used for generating the checksum is obsolete or not).
Document threat scenarios: they are your Test Cases while doing Appsec.

Challenges - Lack of Documentation
Give them some Templates… and nudge!
You will find many here

If done right…
The response is always “Awesome”!

Yes! Sometimes it will be Daunting!

Thanks!

Histor y of HAM Radio presentation slidevu2urc
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 

Security Architecture Consulting - Hiren Shah

  • 2. #whoami – Hiren Shah
       • 25 Years in Business & IT field
       • President & Mentor of Net Square
       • LinkedIn: hirens
       • Twitter: @hiren_sh
       Business & IT Leader Mixed into One
  • 4-7. Key Drivers and Considerations of today's Global Banks
       1. Cross-Selling for Financial And Non-Financial Products
       2. Deliver Experience based on Personalisation
       3. Support customer segments with different web capabilities
       4. Support innovation - agility to implement new features
       5. Seamless Experience Across Channels
       "To provide state-of-the-art customized, seamless and uniform User Experience for all customer segments across desktop & mobile web"
       TYPICAL LOGICAL ARCHITECTURE
       ADVANTAGES: Cloud enabled; Microservices driven; Integration approach; Personalization and contextualization; Multilingual support; Future proof; Omni channel; Polyglot persistence
       SECURITY CHALLENGES: Stateless Architecture; API Management; Infrastructure Security; Data Security
  • 8-12. Identifying security holes early on
       Diagram components: Client Browser -> Netscaler (LB) -> Nginx (Reverse Proxy / SLB) -> WAF -> Nginx -> AngularJS app; PCF Platform hosting MicroService A and MicroService B (Embedded Tomcat); Active Directory / ADFS; Redis; MQ; Config-Server; Databases; Orchestrator. Https from the browser, Http between the internal tiers.
       • Question the client on Threat perception
       • Challenges in System administration on new platforms and Technologies
       • Polyglot persistence - How should data be stored?
       • Limitation of Tools e.g. Containerisation of Messaging layer?
  • 14-15. TYPICAL TECHNICAL ARCHITECTURE - Build Security Design Patterns
       Secured SPA Applications: Angular Framework - View Controller (HTML) + Service (TypeScript), Model (JSON), Http Interceptor (AUTH); delivered as JSON / HTTPS, CSS, Images, Fonts
       Stateless Microservices: Spring Boot + Allied Frameworks - Http Interceptor (AUTH-FILTER), RestController, Message Listener, Service, Model (POJO), DAO, Protocol Adaptor (REST/JMS), Internal Queues
       Backends: Application Database (JDBC), Unstructured Datastore, Caching, OIDC / OAuth Server (HTTPS), Notification Engine (SMS / Email) over JMS, TCP/IP
       Security Specs:
       • jsrsasign v8.0.12 (JavaScript library) on client (https://www.npmjs.com/package/jsrsasign)
       • Java Cryptography Extension (JCE) implementation of Java SE 8 (on server)
       • Secret Key generation per session
       • Encryption of sensitive data on client using RSA (2048 bits) public key
       • MAC computation using HmacSHA512 and secret-key for every request/response
       Validate design principles, e.g. is the proposed solution going to maintain state in a stateless architecture?
       Build patterns of Security Principles, e.g. OTT
  • 16. The Devil is in the Detail!
       this.clientSessionId = this.generateRandom();
       function generateRandom() {
         var asciiArray = new Uint32Array([0xFAFBA, 0xAFFBC, 0xFABBD, 0xFFFBA, 0xFAFFE, 0xFADBA, 0xFEFBB, 0xFAFBD]);
         window.crypto.getRandomValues(asciiArray);
         return this.padZero(asciiArray);
       }
       function padZero(randomNumberArray) {
         return '0' + randomNumberArray[0] + '0' + randomNumberArray[1] + '0' + randomNumberArray[2] + '0' + randomNumberArray[3] +
                '0' + randomNumberArray[4] + '0' + randomNumberArray[5] + '0' + randomNumberArray[6] + '0' + randomNumberArray[7];
       }
       New "nonce" header value sent on every Request and validated against the Response header value. Also acts as correlation-id to trace & correlate user requests in logs across backend services.
       Format: (16-digit random per session | 16-digit random per request)
       var requestId = this.generateRandom();
       RequestHeaders['nonce'] = this.clientSessionId + '|' + requestId;
       "state" is the unique server session id. Created for tracking the conversation of the Multi-Factor Login Flow with a max. idle/inactivity timeout of short duration (e.g. 5 mins).
       Format: Base64.getUrlEncoder().withoutPadding().encode( User-Agent | client_id | clientSessionId | UID | UUID.randomUUID().toString() )
       Login sequence (End-User, LogonUI (Angular Client), Authentication Service, Cache Server (Redis), HTTP Server https://www.kotak.com/Signin/):
         1. Input UserId
         LogonUI: generateNonce(); POST /v1/idp/login [nonce]{client_id, userId}
         Authentication Service: // Look-up UserId and CRN; FindUID, authMethod; generateState(); validateNonce(); put(state, HashMap) in Redis
         Response: [nonce]{state, authMethod}
         LogonUI: Display Fields Relevant for authMethod // Bust Frames
       Reverse Proxy should add standard Security Headers to ALL Responses:
         Strict-Transport-Security: max-age=599
         X-Content-Type-Options: nosniff
         X-Frame-Options: DENY
         X-XSS-Protection: 1; mode=block
         Access-Control-Allow-Origin: https://www.abcbank.com
  • 17. Prioritise review of some controls over the others
  • 18-19. Prioritise review of some controls over the others - these you will get a chance to test thoroughly during Appsec also
       Controls | Testing Goals
       Authentication | Authenticate users before allowing access to any sensitive data or operations. Safeguard user accounts from misuse or unauthorized use. Protect authentication credentials when stored or in transit.
       Authorization | Prevent user access to resources outside their assigned privileges. Restrict functionality to only those resources required to fulfil the task.
       Input Validation | All client side input must be regarded as untrusted. All input must be validated before being passed to the application logic. Only good and expected input should be allowed.
       Session Management | Protect against session hijacking. Protect against brute forcing. Well-defined login and logout points. Expired sessions cannot be re-used later.
       Client Protection | Assume an untrusted endpoint environment. Assist in application layer endpoint security. Prohibit sensitive data to be stored on the client. Assist in preventing data leaks from the endpoint.
       Cryptography | Appropriate choice and justification of cryptographic algorithms. Well-known and tested cryptography. Detect inadvertent use of cryptography.
       Logging | Auditing capabilities independent of any other system audit trails. Events should be labelled appropriately within the log data. Log review. Protected from unauthorized access and tampering.
  • 20. Take a "Holistic" View
       Extend the coverage to include all aspects of the solution, including administration of platforms
       • Container Orchestration Assessment (Orchestrator, Nodes)
       • Network Assessment
       • Infrastructure Virtualization (Multiple Instances)
  • 21-23. Process & Policy are not "out-of-scope"!
       Technical: Vulnerability in funds transfer allows unauthorized funds transfer
       Policy: User id for customer identification is a sequential number
       Process: Transfer money to a beneficiary without registration
       Serious security breaches typically manifest because of weakness in process and policy design along with technical vulnerabilities
  • 24-25. Sometimes, "what client wants"
       #  Activity
       1. Documents Review (Network, Data Flow, etc.) - Understand the network and data flow of the application with all components that are part of its ecosystem, or any other applications it is trying to connect to.
       2. Inter-Tier Authentication - Functionality of the interfaces, encryption used (SSL, TLS, etc.).
       3. User Authentication & Authorization - Authentication: AD/local authentication; role based access; master maintenance (maker/checker for important functions); dormant accounts and how they are managed; service accounts and related security (interactive login disabled); multifactor authentication and its known vulnerabilities; check whether the software component used for authentication has known vulnerabilities.
       4. Data at Rest - Identify how sensitive data is stored in the database.
       5. Data in Transit - Review how sensitive data is transmitted over the communication channel.
       6. Security Review of API and Web Services associated with integrations (if applicable) - Review the technology (OAuth, JWT, etc.) used for the API or Web Service and identify whether any known vulnerability is present, e.g. no validation of session tokens.
       7. User Access Management (Provisioning / De-provisioning / Modification) - Review how users are provisioned and removed. What is the frequency of user access review, and is there a documented procedure for it. Dormant account handling.
       8. Password Policy - Review the application's password policy; if it is not integrated with AD, is it as per the Kotak defined password policy.
       9. Multifactor Authentication - Review the multifactor authentication (Google Authenticator) in use, check for any known vulnerabilities and whether the implementation is secure.
       10. Cryptography Management - Review the encryption / hashing algorithms used in the application; are they as per the Kotak defined cryptographic standard.
       11. Audit Logging - Review logging of sensitive information; identify logging across the various components (OS, App, DB, etc.).
       12. Application Deployment Process - How the final compiled code gets deployed; is there a defined process for it, or can the app owner directly push binaries to production.
       13. Backend (Database / MQ) Tampering for initiating a transaction / updating balances - Actually tamper with the request / files used for processing the transaction and review whether it gets executed successfully. Try to update the same values directly in the backend database and review the execution.
       14. Financial Transaction Flow (STP / Manual) - Review the transaction flow and check the controls around it, e.g. whether there is a File Integrity solution for a file based transaction system.
       15. Identify and configuration-review compensating controls (e.g. WAF, IDS / IPS responsible for the application) - Identify the technologies used as compensating controls for known vulnerabilities and review their configuration / implementation.
       16. Data Integrity - As a security measure the request payload or file is sent with a checksum to provide assurance on the integrity of the data. Review whether it is implemented securely (whether the algorithm used for generating the checksum is obsolete or not).
  • 26. Document threat scenarios - they are your Test Cases while doing Appsec
  • 27-28. Challenges - Lack of Documentation
       Give them some Templates... and nudge! You will find many here.
  • 30. The response is always "Awesome"!
  • 31. Yes! Sometimes it will be Daunting! Thanks!