Join Us: https://www.linkedin.com/company/application-security-virtual-meetups
Inversion of Control:
Security as an Interface
Sagi Rodin
● Developing since I was 15
● Managed R&D in startups
● Developed a high-scale modern
application platform @Check Point
● Founder of Frontegg
● Love smoking beef
About Me
Operating System Level: End-user → IT → Vendors (Patches)
R&D feature requests: End-user → IT → Vendors (Features)
Security is for Enterprise Customers: End-user → Tickets → Engineers
What’s Next? Security as a User Interface
More than … prefer self-served managed apps
* According to Frontegg’s self-service survey, 2021
How are other modern apps doing it?
● Security on profile level
● Workspace level: team management
● Security policy
● Domain control
● Custom roles and permissions
● API key management
What’s there to control?
Personal Security Settings
Organizational Security Policy (Passwords, MFA, Account Lockout)
Device Management
Enterprise SSO
Custom Roles and Permissions
API Token Management
Webhooks
Data privacy management
The Guidelines
Support Multi-tenancy by Design
● Basic - flat
● Hierarchy based
● Granular settings
● Many-to-many user association
● Allow hybrid deployments per tenant
Build Abstract Level Roles Enforcement
● Enforce permissions, not roles
● Enforce on frontend, backend and data layer
● Don’t assume you know your customers
Create an Admin Portal Product Infrastructure
● Allow teams to deploy configuration screens
● Allow customization of the Admin Portal
● Allow roles enforcement on the Admin Portal
For Dev Team Convenience
What did we have so far?
● Evolution in Products, Security and the Connection between the two
● How this is handled within modern apps
● What do we want to expose
● The three Rules of building a self-serve ready app
Thank You
Questions?
I’m Sagi
Ping me
sagi@frontegg.com
Data Protection – IaaS, SaaS and in between
Yaniv Toledano, Global CISO & IT
2022
© 2021 Pagaya. FOR INTERNAL USE ONLY. Confidential
Pagaya is a financial technology company that deploys sophisticated data science, machine learning and AI technology to drive better results.
Partners utilize Pagaya’s centralized AI and data network to evaluate their customers’ applications in real time. Pagaya believes this solution measures risk and predicts behavior more accurately than legacy approaches, and Pagaya’s performance continuously improves as more information flows through its network.
[Diagram: partners (Bank, FinTech, Dealership, Broker), Asset Investors, Customers]
Intro
Yaniv Toledano
• 18+ years of experience in the cyber security world
• Experienced cyber security manager across global enterprises
• Provided consultation for a wide range of companies & domains: Comcast (US), T-Mobile (US), Rabobank (NL), Clalit Health Insurance (IL) and others.
• 8200 IDF veteran
• Holding 3 patents in the risk management and privacy domains.
World’s Biggest Data Breaches & Hacks (Oct 2021)
Data is the new Currency… or the new Oil, Gold.. Whatever..
Starting Point…
• Do you know what your threats are?!?? Great start!
• Are you able to identify your assets? Really? And what about your data flows?
• So.. What now?? Let’s run with technology and protect.. Secure.. Control.. and put some DLP alike?!?
• How are your partners in the process? Do you have any? (Never walk alone..)
• Start Rolling…
How to Engage.. Just a thought..
My suggestion… (Data Lifecycle)
Four steps: Discovery, Access Control, Prevent Exfiltration, Encrypt
Discovery
• Learn your eco system
• Continuously assess
• Map your flows
• Classify
• Generate hierarchy
• Generate accountability
Access Control
• Least Privilege approach
• Monitor access
• Periodic access review
• Not focus on human only
• Stale
Prevent Exfiltration
• It’s not the same as before (http/s, FTP, DLP, USB)… API’s, Lambda’s, Serverless computing and more..
Encrypt
• Tokenize, anonymize and whatever does the job..
• Encryption of container/storage/bucket is not enough.
Strive for a data security posture management (in other words, govern!)
What can be really cool?
Discovery Stage
Points of Reference
5 Focus Points (Partial)
Topic / What Should I Do / Why?
01 – Discover your data assets / objects and use Tech to support you
What: Craft a continuous measure to discover your entire stack, allow to build data types and always know where your data is…
02 – Define data flows and make friends on the way… (Data, Devops, Engineering, Legal)
03 – Define data owner, Data stewards and whatever cool taxonomy you can think of
04 – Build a baseline to manage your data!
What: Data Catalog is a must – build one (excel is a good start)
05 – Understand compliance / Legal obligations
What: Consult with compliance and relevant teams to learn your obligations for protection, access, audit trail, retention & deletion
Why?
• Cause you won’t be happy when the customer/audit/regulator comes
• Document, maintain, be happy
• No Data Owner = No accountability
• No Stewards = No real understanding of how data is consumed and how to drive access control
• No Data Flow = No idea of what needs to be protected & which systems store/run it..
Data Management – R&R
Data Security
What Data Security is all About – The Threats & Considerations...
• Data Exfiltration
• Insider Threat
• Secure Posture (bucket encrypted, asset exposed externally..)
• Retention violation
• Data manipulation (by mistake, insider threat)
• Unmanaged/ungoverned access
• Unauthorized access
• Shadow IT
• Over privileged API’s
• DevOps are much faster – scale…
• Stale data – more damage…
What Data Security is all About – What Should I Think about..
• How do I manage permission and access to data
• Data leakage prevention on all relevant resources
• Tokenization, encryption & anonymization.. Whatever it takes
• Data security posture is key
• Periodic access control review
• Secure Posture (bucket encrypted, asset exposed externally..)
• Do I provision access to my cloud assets via my IDE?
• Do I allow access to my cloud assets directly? Via VDI?
• Did I map my API’s and know what traffic? Is it right? No?!?
• SSPM to ensure proper access control to SaaS apps
• Audit trail on SaaS apps
• CASB or other – detect apps…
• Stale data scanning
• 3rd party access to Data…
• Data transfer
From a data lifecycle view…
Data Protection within the environment through the data lifecycle
Data Protection controls must be implemented across the data lifecycle to protect sensitive data as it’s collected, stored, used, shared, and destroyed.
Capabilities: Discover & Classify, Data Security, Monitor & Enforce
Collection
• Data discovery and catalog data sources.
• Inventory of data – generate a comprehensive list of pertinent data elements, where it is located and what type of data it is.
• Classification of data based on sensitivity and access, and tag data to identify access levels.
• RBAC rules to determine who should have access to data.
Storage
• Enforcing protection of data in motion using secure protocols (e.g., SFTP, TLS 1.2+)
• Encryption of data at rest for on-premise and Cloud instances.
• Storage integrity and availability between cloud instances/regions/availability zones.
• Encryption key management (e.g., Vault or external EKM).
• Masking/tokenization in non-production environments
Usage and Sharing
• Adequacy of network bandwidth
• Schedule/Timeframe for data transfer.
• Enforcing protection of transfers using secure protocols (e.g., SFTP, TLS 1.2+)
• Post-transfer data integrity check (validate no errors or data loss during transfer process.)
• Security and integrity measures on Cloud platform, such as key repository, strong encryption.
• DLP measures
Retention and Archival
• Determine when source data is redundant or extraneous and can be securely removed
• Monitor and securely remove files from SFTP transfer zones
• Verify data integrity (check for data corruption, repair, restore from backups if necessary)
• Verify that data is properly retained, and that no unauthorized data has been inadvertently saved.
Thank you
Q&A
Michael Furman
Security Architect, Tufin
OWASP Top 10 - 2021
What's New
What will we cover today?
• Who is OWASP?
• What is OWASP Top 10?
• OWASP Top 10 – Overview and What's New
About Me
• >14 yr. in application security
• >9 yr. with Tufin – Lead Security Architect
• www.linkedin.com/in/furmanmichael/
• Blog https://ultimatesecurity.pro/
• Twitter @ultimatesecpro
• I like to travel, read books and listen to music
About
●Market Leader in Security Policy Automation
●Tufin is used by >2000 enterprises
– To segment networks and connect applications
– On-prem networks, firewalls, cloud and K8S
●We are the Security Policy Company!
Who is OWASP?
• Worldwide not-for-profit organization
• Founded in 2001
• OWASP - Open Web Application Security Project
• Mission is to make software security visible.
OWASP Top 10
• Most successful OWASP Project
https://owasp.org/Top10/
• Ten most critical web application security flaws
• De facto application security standard
• Released every 3 - 4 years
• First released in 2004
• Current - 2021
OWASP Top 10 - 2021
• A01 Broken Access Control
• A02 Cryptographic Failures
• A03 Injection
• A04 Insecure Design
• A05 Security Misconfiguration
• A06 Vulnerable and Outdated Components
• A07 Identification and Authentication Failures
• A08 Software and Data Integrity Failures
• A09 Security Logging and Monitoring Failures
• A10 Server Side Request Forgery (SSRF)
OWASP Top 10 - 2017
• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities
• A5 Broken Access Control
• A6 Security Misconfiguration
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring
What happened to …?
• Broken Access Control
• Cross-Site Scripting (XSS)
• XML External Entities (XXE)
• Insecure Deserialization
They are still here
• A03 Injection
• Cross-Site Scripting (XSS)
• A05 Security Misconfiguration
• XML External Entities
• A08 Software and Data Integrity Failures
• Insecure Deserialization
And even more …
• A03 Injection
• Cross-Site Scripting (XSS)
• A04 Insecure Design
• A05 Security Misconfiguration
• XML External Entities
• A08 Software and Data Integrity Failures
• Insecure Deserialization
• A10 Server Side Request Forgery (SSRF)
What can I do?
A01: Broken Access Control
• Moved up from fifth position
• Elevation of privilege or Privilege Escalation
• Acting as an admin when logged in as a user
• Acting as a user without being logged in
• Viewing or editing someone else's account
• IDOR - Insecure Direct Object References
• Cross-Origin Resource Sharing (CORS) misconfiguration
• Allows API access from unauthorized/untrusted origins
A01: Example 1
• Application provides the service:
• Attacker browses to target URLs:
https://example.com/app/getappInfo
https://example.com/app/admin_getappInfo
https://example.com/app/getadminappInfo
A01: Example 2
• Unverified parameter used to access data (vulnerable: no ownership check):
pstmt.setString(1, request.getParameter("account"));
ResultSet results = pstmt.executeQuery();
• Attacker modifies the parameter:
https://example.com/app/accountInfo?account=notmyaccount
A01: How to Prevent
• Default behavior: deny access to resources
– Except for public resources
• Implement access control mechanisms
– On the server side
– All requests
• Minimize CORS usage
A01: Example 1
• Validate access on each request and prevent access for unauthorized users.
// implementation of getadminappInfo
if ("a user has admin access") {   // pseudocode: check the caller's permission
  // return admin app Info
} else {
  // authorization error
}
• Annotation example (Spring Security; the slide's "hasPermision" is a typo):
// hasAuthority checks a granted permission; hasPermission(target, 'admin') is the
// two-argument form that needs a PermissionEvaluator
@PreAuthorize("hasAuthority('admin')")
public AppInfo getadminappInfo() {
  // return admin app Info
}
A01: Example 2
• Verify ownership / access before running the query:
String account = request.getParameter("account");
if ("a user has access to account") {   // pseudocode: ownership check against the logged-in user
  pstmt.setString(1, account);
  ResultSet results = pstmt.executeQuery();
} else {
  // authorization error
}
A02: Cryptographic Failures
• Previously known as “A3 Sensitive Data Exposure”
– a broad symptom rather than a root cause
• Sensitive data is transmitted or stored in clear text
• Deprecated or weak cryptographic algorithms in use
• Default crypto keys in use
– proper key management or rotation missing
A02: How to Prevent
• Encrypt all sensitive data at rest
• Encrypt all data in transit
• Use TLS 1.2 or above
• Use HTTP Strict Transport Security (HSTS)
• Use up-to-date and strong standard algorithms and protocols
• Use proper key management
A03: Injection
• Slid down from first position
• Was the first one since OWASP Top Ten - 2010
• User input is not validated, filtered, or sanitized by the application
• User input is directly used or concatenated
• SQL injection
• OS Command Injection
A03: Example
• User input is directly concatenated into the SQL call (vulnerable):
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
A03: How to Prevent
• Do not pass user input directly to executable statements
• Prepared Statements
• Parameterized Queries
• Hibernate
A03: Example
• Use PreparedStatement:
String id = request.getParameter("id");
String query = "SELECT * FROM accounts WHERE custID = ?";
PreparedStatement pstmt = connection.prepareStatement(query);  // the slide passed id here by mistake
pstmt.setInt(1, Integer.parseInt(id));  // value is bound to the placeholder, never concatenated
ResultSet results = pstmt.executeQuery();
A03: Don’t Forget About XSS
• Attackers can execute scripts in a victim’s browser
A03: How to Prevent XSS
• Input validation for user input
• Whitelist patterns
• Encode output
A04: Insecure Design
• A new category
• Pushing "shift-left“ approach
• A secure design can still have insecure implementation
• An insecure design cannot be fixed by an implementation
Requirements → Design → Implementation → Verification → Release
A04: How to Implement
• Threat modeling
• Threat Modeling Manifesto
https://www.threatmodelingmanifesto.org/
• Secure Development Lifecycle (SDL)
https://ultimatesecurity.pro/post/sdl-meetup/
A05: Security Misconfiguration
• Missing security hardening
• Unnecessary features are enabled or installed
• Unnecessary ports
• Services
• Accounts
• Default accounts
• Default passwords
A05: How to Prevent
• Apply security hardening
• CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/
• Close unnecessary ports
• Disable unnecessary services
• Remove default accounts
• Change default passwords
A05: What About XXE?
• Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML
document
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
A05: How to Prevent XXE
• Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet
'XXE Prevention’.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
• For additional details see the presentation:
https://ultimatesecurity.pro/post/xxe-meetup/
A06: Vulnerable and Outdated Components
• Software is vulnerable, unsupported, or out of date
• Apache Log4j (Log4Shell) Vulnerabilities
A06: How to Prevent
• Update software periodically
• Use Software Composition Analysis (SCA) tools
• Free or commercial tools
• OWASP Dependency-Check free tool
https://owasp.org/www-project-dependency-check/
A07: Identification and Authentication Failures
• Slid down from the second position
• Previously known as Broken Authentication
• Missing brute force protection
• Missing multi-factor authentication
• Using default, weak, or well-known passwords
• Password1 or "admin/admin"
• Reusing session identifier after successful login
• Exposing session identifier in the URL
A07: How to Prevent
• Implement brute force protection
• Implement multi-factor authentication
• Change default credentials
• Implement password complexity
• Rotate Session IDs after successful login
A08: Software and Data Integrity Failures
• New category
• Code and infrastructure that do not protect against integrity violations
• SolarWinds 2020 Attack
A08: How to Prevent
• Use digital signatures to verify software
• Ensure you consume trusted repositories
A08: Remember Insecure Deserialization?
• Serialization is the process of translating data structures or object state into a format that can be stored or
transmitted and reconstructed later (deserialization)
• Insecure Deserialization - an attacker changes the object between serialization and deserialization
A08: How to Prevent Insecure Deserialization
• Don't accept serialized objects from untrusted sources
A09: Security Logging and Monitoring Failures
• Insufficient logging
• Logins
• Failed logins
• High-value transactions
• Logs are only stored locally
A09: How to Prevent
• Log important events with sufficient user context
• Username
• Client IP
• Time
A10: Server Side Request Forgery (SSRF)
• New category
• A web application is fetching a remote resource without validating the user-supplied URL
Client request: http://host/getImage?url=http://10.0.0.1
Server fetches: http://10.0.0.1
Response from http://10.0.0.1 is returned to the client
A10: Example 1
• Application provides the getImage service (vulnerable: the URL is fetched exactly as supplied):
// getImage implementation
String imageUrl = request.getParameter("url");
URL url = new URL(imageUrl);
InputStream is = url.openStream();
OutputStream os = response.getOutputStream();
// copy is to os and return a response
A10: SSRF CVEs
• CVE-2021-44224
• High Severity Apache HTTP Server CVE
• CVE-2021-26715
• Critical Severity MITREid OpenID Connect Server CVE
A10: How to Prevent
• Sanitize and validate all client-supplied input data
• Validate URL Components
• URL schema, port, and destination
• Do not send raw responses to clients
A10: Example 1
• Validate URL Components:
// getImage implementation
String imageUrl = request.getParameter("url");
URL url = new URL(imageUrl);
// validate URL schema, port, and destination before calling openStream()
Takeaways
• Understand OWASP Top Ten
• Implement the recommendations
Thank you!
• Contact me
– www.linkedin.com/in/furmanmichael/
– https://ultimatesecurity.pro/
– @ultimatesecpro
Questions?
API access
is broken
this is how you fix it
About Me
Tuba player
Obsessed over football
Listening to classical music and metal (depends on the code he is writing)
Let’s talk numbers
The 3 questions every API
developer should ask
Who am I?
Where do I belong?
What can you do?
What’s an API access made of?
What is authentication
“Is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.” (wikipedia)
Let me know who you
are first!
Trying to access
a resource?
Let’s fix some stuff
Broken:
API Authentication
WHO ARE YOU?
Broken: session management
Exposes session identifier in the URL.
Reuse session identifier after successful login.
Does not correctly invalidate Session IDs.
Hey, What’s
wrong here?
Your session is
floating on URLS!
Fixing session management
Use a server-side, secure, built-in session manager
Session identifier should not be in the URL, be securely stored,
Invalidate sessions after logout, idle, and absolute timeouts
Fixing session management
Thinking of re-inventing the wheel???
Session
management
fixed!
Hey, What is that code doing?
Broken: automated attacks
const axios = require('axios').default;
const url = 'https://api.attacked-company.com/login';
const commonPasswords = downloadCommonPasswords();
var idx = 0;
while (true) {
  try {
    const { accessToken } = await axios.post(url, {
      email: 'john@doe.com',
      password: commonPasswords[idx++]
    });
    takeoverAccount(accessToken);
  } catch (e) {
    console.log('could not authenticate with that password. Will try with the next one');
  }
}
Fixing automated attacks
Public APIs (Login, Signup, Reset password etc.)
- Recaptcha (v3)
- DDoS protection with IP-based filtering
Authenticated APIs should be rate limited
- Limit or increasingly delay failed logins
- Log failures and alert
- Prepare to block sessions
Fixing automated attacks
Rate limits based
on API type
Fixing automated attacks
LOG EVERYTHING !!!
Log everything - What are we looking for?
IP addresses / Forwarded
Origin / Referer
Headers / Cookies
User agents
Fixing automated attacks
Failed logins? This is what you should do
- Implement user lockout mechanisms
- Start delaying failed attempts
- be careful not to create a denial of service scenario
Log all failures and alert administrators when credential stuffing, brute
force, or other attacks are detected.
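The lockout advice above, as an added Node.js example (not code from the slides): failed logins get an escalating, capped delay, and the temporary lock applies to the (account, source IP) pair rather than the account alone, so a flood of bad guesses against one account slows its real owner down from elsewhere but does not lock them out. Thresholds and the audit events are constructed for the example.

```javascript
// Added example: failed-login throttling with escalating delay, temporary lock
// per (account, ip) pair, and audit events for alerting. Thresholds constructed.
const MAX_DELAY_MS = 30_000;         // cap on the escalating delay
const LOCK_AFTER_FAILURES = 10;      // pair failures before a temporary lock
const LOCK_MS = 15 * 60 * 1000;      // lock duration
const WINDOW_MS = 60 * 60 * 1000;    // failures older than this are forgotten

class LoginThrottle {
  constructor(now = () => Date.now()) {
    this.now = now;                  // injectable clock (makes the logic testable)
    this.failures = new Map();       // key -> array of failure timestamps
    this.events = [];                // audit log: feed to your SIEM/alerting
  }

  // Failure timestamps for a key still inside the window (prunes old ones).
  _recent(key) {
    const cutoff = this.now() - WINDOW_MS;
    const kept = (this.failures.get(key) || []).filter((t) => t > cutoff);
    this.failures.set(key, kept);
    return kept;
  }

  // Decision BEFORE the credential check: { allowed, delayMs, reason }.
  check(account, ip) {
    const acct = this._recent('acct:' + account);
    const src = this._recent('ip:' + ip);
    const pair = this._recent('pair:' + account + '|' + ip);
    const last = pair[pair.length - 1];
    // Lock only the pair: an attacker guessing from one address cannot deny
    // the legitimate user service from another (they are delayed, not locked).
    if (pair.length >= LOCK_AFTER_FAILURES && last !== undefined && this.now() - last < LOCK_MS) {
      return { allowed: false, delayMs: 0, reason: 'locked' };
    }
    // Exponential backoff driven by whichever counter is higher, capped.
    const n = Math.max(acct.length, src.length);
    const delayMs = n === 0 ? 0 : Math.min(MAX_DELAY_MS, 500 * 2 ** (n - 1));
    return { allowed: true, delayMs, reason: n === 0 ? 'ok' : 'delayed' };
  }

  recordFailure(account, ip) {
    const t = this.now();
    for (const k of ['acct:' + account, 'ip:' + ip, 'pair:' + account + '|' + ip]) {
      this._recent(k).push(t);
    }
    const n = this._recent('pair:' + account + '|' + ip).length;
    this.events.push({ t, account, ip, event: 'login_failed', count: n });
    if (n === LOCK_AFTER_FAILURES) {
      this.events.push({ t, account, ip, event: 'alert_possible_brute_force' });
    }
  }

  recordSuccess(account, ip) {
    this.failures.delete('pair:' + account + '|' + ip);   // this pair is clean again
    this.events.push({ t: this.now(), account, ip, event: 'login_ok' });
  }
}

module.exports = { LoginThrottle, LOCK_MS, MAX_DELAY_MS };
```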
Verify your users’ identity (JWT vs Session tokens)
Building a distributed application?
Well...
Verify your users identity (JWT vs Session tokens)
Bottom line?
Building a modern application?
Use JWT (hybrid modes works as well)
Don’t leave your users behind...
Authentication has evolved. Your APIs should
support this as well
Broken: basic authentication
Fixing broken basic authentication
Switch to passwordless
MFA everywhere
SSO whenever possible
Require Re-authentication for Sensitive Features
Broken:
API context
Broken API context
Bypassing access control checks by modifying the URL (parameter
tampering or force browsing), internal application state, or the HTML
page, or by using an attack tool modifying API requests.
Permitting viewing or editing someone else's account, by providing its
unique identifier (insecure direct object references)
Fixing broken API context
Pass context from JWT to microservices via Reverse Proxy headers
Fixing broken API context
DON’T forget to remove incoming headers before proxying to
remove the risk of header tampering
Fixing broken API context
Try to avoid query/route params for REST API
If you are using query/route params for REST API:
- Use guards (!)
API context
fixed!
Broken:
API authorization
Common issues
Elevation of privilege
- Acting as a user without being logged in
- Acting as an admin when logged in as a user
Accessing non-privileged entities
Accessing a private Github repository
Accessing repository of a different team on the same organization
Accessing hidden features
Accessing features out of my subscription plan
Elevation of privilege - Common Techniques
Technique 1: Access Token Manipulation.
Technique 2: Non authenticated access
Technique 3: Access Token Manipulation.
Technique 4: Account Manipulation
The authorization pyramid
Fixing API authorization
Except for public resources, deny by default.
Implement access control mechanisms once and re-use them throughout the
application, including minimizing Cross-Origin Resource Sharing (CORS) usage.
Model access controls should enforce record ownership rather than accepting that
the user can create, read, update, or delete any record.
Unique application business limit requirements should be enforced by domain
models.
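The four "Fixing API authorization" points above and the earlier "enforce permissions, not roles" guideline, as one reusable function in an added Node.js example (not code from the slides): it denies by default, checks a permission rather than a role, refuses cross-tenant records without revealing that they exist, enforces record ownership, and applies a plan limit from the domain model. The context shape, permission names, plan limits and the in-memory store are constructed.

```javascript
// Added example: one authorization function reused by every handler. Context
// shape (from a verified JWT), permission names and plan limits are constructed.
const PUBLIC_ACTIONS = new Set(['health:read']);
const PLAN_LIMITS = { free: { project: 3 }, team: { project: 50 } };  // business limits per plan

// ctx: { userId, tenantId, plan, permissions }; action: 'resource:verb';
// target: { record, existingCount } as the action needs. Deny by default.
function authorize(ctx, action, target = {}) {
  if (PUBLIC_ACTIONS.has(action)) return { allow: true, reason: 'public' };
  if (!ctx || !ctx.userId || !ctx.tenantId) return { allow: false, reason: 'unauthenticated' };
  const perms = new Set(ctx.permissions || []);
  const [resource, verb] = action.split(':');
  if (!perms.has(action)) return { allow: false, reason: 'missing permission ' + action };
  const { record, existingCount = 0 } = target;
  if (record) {
    // Cross-tenant: answer as if the record did not exist (no existence leak).
    if (record.tenantId !== ctx.tenantId) return { allow: false, reason: 'not found' };
    const isOwner = record.ownerId === ctx.userId;
    if (!isOwner && !perms.has(resource + ':manage')) return { allow: false, reason: 'not owner' };
  }
  if (verb === 'create') {
    const limits = PLAN_LIMITS[ctx.plan] || PLAN_LIMITS.free;
    if (limits[resource] !== undefined && existingCount >= limits[resource]) {
      return { allow: false, reason: 'plan limit' };
    }
  }
  return { allow: true, reason: 'ok' };
}

// Constructed in-memory store and a handler that looks up first, then decides.
const PROJECTS = new Map([
  ['p1', { id: 'p1', tenantId: 't1', ownerId: 'u1' }],
  ['p2', { id: 'p2', tenantId: 't2', ownerId: 'u9' }],
]);

function getProject(ctx, id) {
  const record = PROJECTS.get(id);
  const decision = authorize(ctx, 'project:read', { record });
  if (decision.reason === 'unauthenticated') return { status: 401 };
  if (!record || decision.reason === 'not found') return { status: 404 };
  return decision.allow ? { status: 200, body: record } : { status: 403, reason: decision.reason };
}

module.exports = { authorize, getProject };
```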
The old way
Put the data on the JWT
Enforce on the server side
Decode and validate on the
frontend side
But what happens with entities?
How do you handle hierarchical entities?
How do you handle Feature Flags?
Can’t we put them on the JWT as well?
The Policy As Code way
Summarizing
Thank You! Questions?
To be continued…
Join Us: https://www.linkedin.com/company/application-security-virtual-meetups

 
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud ProvidersDon’t Just Trust Cloud Providers - How To Audit Cloud Providers
Don’t Just Trust Cloud Providers - How To Audit Cloud Providers
 

Mehr von lior mazor

The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdf
lior mazor
 

Mehr von lior mazor (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdf
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptxThe Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
Application security meetup data privacy_27052021
Application security meetup data privacy_27052021Application security meetup data privacy_27052021
Application security meetup data privacy_27052021
 
Application security meetup 02032021
Application security meetup 02032021Application security meetup 02032021
Application security meetup 02032021
 

Kürzlich hochgeladen

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Kürzlich hochgeladen (20)

presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 

User management - the next-gen of authentication meetup 27012022

  • 3. Sagi Rodin ● Developing since I was 15 ● Managed R&D in startups ● Developed a high-scale modern application platform @Check Point ● Founder of Frontegg ● Love smoking beef About Me
  • 4.
  • 5. Operating System Level End-user → IT → Vendors (Patches)
  • 6.
  • 7. R&D feature requests End-user → IT → Vendors (Features)
  • 8.
  • 9. Security is for Enterprise Customers End-user → Tickets → Engineers
  • 12. What’s Next? Security as a User Interface
  • 13. More than prefer self-served managed apps * According to Frontegg’s self-service survey, 2021
  • 14. How other modern apps are doing it? Security On Profile Level
  • 15. How other modern apps are doing it? Workspace Level Team Management
  • 16. How other modern apps are doing it? Security Policy
  • 17. How other modern apps are doing it? Domain Control
  • 18. How other modern apps are doing it? Custom Roles and Permissions
  • 19. How other modern apps are doing it? API Key Management
  • 20. What’s there to control? Personal Security Settings Organizational Security Policy (Passwords, MFA, Account Lockout) Device Management Enterprise SSO Custom Roles and Permissions API Token Management Webhooks Data privacy management
  • 22. Support Multi-tenancy by Design Basic - Flat Hierarchy based Granular settings Many-to-many user association Allow hybrid deployments per tenant
  • 24. Build Abstract Level Roles Enforcement Enforce permissions not roles Enforce on frontend, backend and data layer Don’t assume you know your customers
  • 25. Create an Admin Portal Product Infrastructure Allow teams to deploy configuration screens Allow customization of Admin Portal Allow roles enforcement on Admin Portal For Dev Team Convenience
  • 26. What did we have so far? Evolution in Products, Security and the Connection between the two How this is handled within modern apps What do we want to expose The three Rules of building a self-serve ready app
  • 27. Thank You Questions? I’m Sagi Ping me sagi@frontegg.com
  • 28. © 2021 Pagaya. FOR INTERNAL USE ONLY. Confidential Yaniv Toledano, Global CISO & IT 2022 Data Protection – IaaS, SaaS and in between
  • 29. Pagaya is a financial technology company that deploys sophisticated data science, machine learning and AI technology to drive better results. Partners utilize Pagaya’s centralized AI and data network to evaluate their customers’ applications in real time. Pagaya believes this solution measures risk and predicts behavior more accurately than legacy approaches, and Pagaya’s performance continuously improves as more information flows through its network. (Diagram: Bank, FinTech, Dealership, Broker, Asset Investors, Customers)
  • 30. Intro – Yaniv Toledano • 18+ years of experience in the cyber security world • Experienced cyber security manager across global enterprises • Provided consultation for a wide range of companies & domains: Comcast (US), T-Mobile (US), Rabobank (NL), Clalit Health Insurance (IL) and others • 8200 IDF veteran • Holding 3 patents in the risk management and privacy domains
  • 31. World’s Biggest Data Breaches & Hacks (Oct 2021)
  • 32. Data is the new Currency… or the new Oil, Gold.. Whatever..
  • 33. Starting Point… • Do you know what your threats are?!?? Great start! • Are you able to identify your assets? Really? And what about your data flows? • So.. What now?? Let's run with technology and protect.. Secure.. Control.. and put some DLP-alike?!? • Who are your partners in the process? Do you have any? (Never walk alone..) • Start Rolling…
  • 34. How to Engage.. Just a thought..
  • 35. My suggestion… (Data Lifecycle, four steps) • Discovery: learn your ecosystem; continuously assess; map your flows; classify; generate hierarchy; generate accountability • Access Control: least-privilege approach; monitor access; periodic access review; not focused on humans only; stale • Encrypt: tokenize, anonymize and whatever does the job..; encryption of the container/storage/bucket is not enough • Prevent Exfiltration: it's not the same as before (http/s, FTP, DLP, USB)… APIs, Lambdas, serverless computing and more.. • What can be really cool? Strive for data security posture management (in other words, govern!)
  • 36. Discovery Stage – Points of Reference
  • 37. 5 Focus Points (Partial) – Topic / What Should I Do / Why?
    01 Discover your data assets / objects and use tech to support you – Craft a continuous measure to discover your entire stack, allow building data types, and always know where your data is… – Build a baseline to manage your data! Because you won't be happy when the customer/audit/regulator comes
    02 Define data flows and make friends along the way… (Data, DevOps, Engineering, Legal) – No data flow = no idea of what needs to be protected & which systems store/run it..
    03 Define data owner, data stewards and whatever cool taxonomy you can think of – No data owner = no accountability; no stewards = no real understanding of how data is consumed and how to drive access control
    04 Data catalog is a must – build one (Excel is a good start) – Document, maintain, be happy
    05 Understand compliance / legal obligations – Consult with compliance and relevant teams to learn your obligations for protection, access, audit trail, retention & deletion
  • 38. Data Management – R&R
  • 39. Data Security
  • 40. What Data Security is all About – The Threats & Considerations... • Data exfiltration • Insider threat • Secure posture (bucket encrypted, asset exposed externally..) • Retention violation • Data manipulation (by mistake, insider threat) • Unmanaged/ungoverned access • Unauthorized access • Shadow IT • Over-privileged APIs • DevOps are much faster – scale… • Stale data – more damage…
  • 41. What Data Security is all About – What Should I Think About.. • How do I manage permission and access to data • Data leakage prevention on all relevant resources • Tokenization, encryption & anonymization.. whatever it takes • Data security posture is key • Periodic access control review • Secure posture (bucket encrypted, asset exposed externally..) • Do I provision access to my cloud assets via my IDE? • Do I allow access to my cloud assets directly? Via VDI? • Did I map my APIs and know what traffic they carry? Is it right? No?!? • SSPM to ensure proper access control to SaaS apps • Audit trail on SaaS apps • CASB or other – detect apps… • Stale data scanning • 3rd-party access to data… • Data transfer
  • 42. From a data lifecycle view…
  • 43. Data Protection within the environment through the data lifecycle – Data protection controls must be implemented across the data lifecycle to protect sensitive data as it’s collected, stored, used, shared, and destroyed. (Capabilities: Discover & Classify, Data Security, Monitor & Enforce)
    Collection: • Data discovery and catalog data sources • Inventory of data – generate a comprehensive list of pertinent data elements, where it is located and what type of data it is • Classification of data based on sensitivity and access, and tag data to identify access levels • RBAC rules to determine who should have access to data • Enforcing protection of data in motion using secure protocols (e.g., SFTP, TLS 1.2+)
    Storage: • Encryption of data at rest for on-premise and cloud instances • Storage integrity and availability between cloud instances/regions/availability zones • Encryption key management (e.g., Vault or external EKM) • Masking/tokenization in non-production environments
    Usage and Sharing: • Adequacy of network bandwidth • Schedule/timeframe for data transfer • Enforcing protection of transfers using secure protocols (e.g., SFTP, TLS 1.2+) • Post-transfer data integrity check (validate no errors or data loss during the transfer process) • Security and integrity measures on the cloud platform, such as key repository and strong encryption • DLP measures
    Retention and Archival: • Determine when source data is redundant or extraneous and can be securely removed • Monitor and securely remove files from SFTP transfer zones • Verify data integrity (check for data corruption, repair, restore from backups if necessary) • Verify that data is properly retained, and that no unauthorized data has been inadvertently saved
  • 44. Thank you – Q&A
  • 45. Michael Furman Security Architect, Tufin OWASP Top 10 - 2021 What's New
  • 46. What will we cover today? • Who is OWASP? • What is OWASP Top 10? • OWASP Top 10 – Overview and What's New
  • 47. About Me • >14 yr. in application security • >9 yr. with Tufin – Lead Security Architect • www.linkedin.com/in/furmanmichael/ • Blog https://ultimatesecurity.pro/ • Twitter @ultimatesecpro • I like to travel, read books and listen to music
  • 48. About ● Market Leader in Security Policy Automation ● Tufin is used by >2000 enterprises – To segment networks and connect applications – On-prem networks, firewalls, cloud and K8S ● We are the Security Policy Company!
  • 49. Who is OWASP? • Worldwide not-for-profit organization • Founded in 2001 • OWASP - Open Web Application Security Project • Mission is to make the software security visible.
  • 50. OWASP Top 10 • Most successful OWASP Project https://owasp.org/Top10/ • Ten most critical web application security flaws • De facto application security standard • Released every 3 - 4 years • First released in 2004 • Current - 2021
  • 51. OWASP Top 10 - 2021 • A01 Broken Access Control • A02 Cryptographic Failures • A03 Injection • A04 Insecure Design • A05 Security Misconfiguration • A06 Vulnerable and Outdated Components • A07 Identification and Authentication Failures • A08 Software and Data Integrity Failures • A09 Security Logging and Monitoring Failures • A10 Server Side Request Forgery (SSRF)
  • 52. OWASP Top 10 - 2017 • A1 Injection • A2 Broken Authentication • A3 Sensitive Data Exposure • A4 XML External Entities • A5 Broken Access Control • A6 Security Misconfiguration • A7 Cross-Site Scripting (XSS) • A8 Insecure Deserialization • A9 Using Components with Known Vulnerabilities • A10 Insufficient Logging & Monitoring
  • 53. What happened to …? • Broken Access Control • Cross-Site Scripting (XSS) • XML External Entities (XXE) • Insecure Deserialization
  • 54. They are still here • A03 Injection • Cross-Site Scripting (XSS) • A05 Security Misconfiguration • XML External Entities • A08 Software and Data Integrity Failures • Insecure Deserialization
  • 55. And even more … • A03 Injection • Cross-Site Scripting (XSS) • A04 Insecure Design • A05 Security Misconfiguration • XML External Entities • A08 Software and Data Integrity Failures • Insecure Deserialization • A10 Server Side Request Forgery (SSRF)
  • 56.
  • 57. What can I do?
  • 58. A01: Broken Access Control • Moved up from fifth position • Elevation of privilege or Privilege Escalation • Acting as an admin when logged in as a user • Acting as a user without being logged in • Viewing or editing someone else's account • IDOR - Insecure Direct Object References • Cross-Origin Resource Sharing (CORS) misconfiguration • Allows API access from unauthorized/untrusted origins
  • 59. A01: Example 1 • Application provides the service: https://example.com/app/getappInfo • Attacker browses to target URLs: https://example.com/app/admin_getappInfo https://example.com/app/getadminappInfo
  • 60. A01: Example 2 • Unverified parameter used to access data:
    pstmt.setString(1, request.getParameter("account"));
    ResultSet results = pstmt.executeQuery();
  • Attacker modifies the parameter: https://example.com/app/accountInfo?account=notmyaccount
  • 61. A01: How to Prevent • Default behavior: deny access to resources – Except for public resources • Implement access control mechanisms – On the server side – All requests • Minimize CORS usage
  • 62. A01: Example 1 • Validate access on each request and prevent access for unauthorized users:
    // implementation of getadminappInfo
    if (currentUserHasPermission("admin")) {   // pseudo-code: the check runs server-side on every request
        // return admin app info
    } else {
        // authorization error
    }
  • Annotation example (Spring Security method security, replacing the inline check):
    @PreAuthorize("hasAuthority('admin')")
    // implementation of getadminappInfo
    {
        // return admin app info
    }
  • 63. A01: Example 2 • Verify ownership / access before running the query:
    String account = request.getParameter("account");
    pstmt.setString(1, account);
    if (currentUserHasAccessTo(account)) {   // pseudo-code: an ownership check, not just "is logged in"
        ResultSet results = pstmt.executeQuery();
    } else {
        // authorization error
    }
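The two A01 fixes above, and the earlier rule "enforce permissions, not roles", both come down to one deny-by-default decision made on the server for every request. The following is an added, self-contained Java example written for this page; it is not code from the slides or from Tufin or Frontegg. The principal ids, permission names ("account.read", "account.read.any", "app.admin") and account ids are constructed sample data; the `Decision` enum and the method names are hypothetical and stand in for whatever the application's handler calls.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example: deny-by-default access decisions for an account-info endpoint.
// Roles are mapped to permissions once (at login or token issue time); the handler
// checks the permission AND the ownership of the requested object on every call.
public class AccountAccessPolicy {

    // Constructed sample data: principal -> granted permissions (already derived from roles).
    private static final Map<String, Set<String>> PERMISSIONS = new HashMap<>();
    // Constructed sample data: account id -> owning principal.
    private static final Map<String, String> ACCOUNT_OWNER = new HashMap<>();

    static {
        PERMISSIONS.put("alice", Set.of("account.read"));
        PERMISSIONS.put("bob", Set.of("account.read"));
        PERMISSIONS.put("root", Set.of("account.read", "account.read.any", "app.admin"));
        ACCOUNT_OWNER.put("acc-100", "alice");
        ACCOUNT_OWNER.put("acc-200", "bob");
    }

    /** Outcome of an access decision; the HTTP layer maps it to 401/403/404. */
    public enum Decision { ALLOW, DENY_UNAUTHENTICATED, DENY_FORBIDDEN, DENY_NOT_FOUND }

    /**
     * Decide whether principal may read accountId. A null principal means the request
     * carried no valid session (A01: "acting as a user without being logged in").
     */
    public static Decision canReadAccount(String principal, String accountId) {
        if (principal == null) {
            return Decision.DENY_UNAUTHENTICATED;
        }
        Set<String> perms = PERMISSIONS.getOrDefault(principal, Set.of());
        if (!perms.contains("account.read")) {
            return Decision.DENY_FORBIDDEN;          // function-level check
        }
        String owner = ACCOUNT_OWNER.get(accountId);
        if (owner == null) {
            return Decision.DENY_NOT_FOUND;
        }
        // Object-level check: ownership, or an explicit cross-account permission.
        if (owner.equals(principal) || perms.contains("account.read.any")) {
            return Decision.ALLOW;
        }
        // NOT_FOUND rather than FORBIDDEN so the response does not confirm that
        // someone else's account id exists (the IDOR case from the slide).
        return Decision.DENY_NOT_FOUND;
    }

    /** Server-side guard for the /admin_getappInfo handler from the slide. */
    public static boolean canUseAdminEndpoint(String principal) {
        return principal != null
            && PERMISSIONS.getOrDefault(principal, Set.of()).contains("app.admin");
    }

    public static void main(String[] args) {
        System.out.println("alice reads acc-100: " + canReadAccount("alice", "acc-100"));
        System.out.println("alice reads acc-200: " + canReadAccount("alice", "acc-200"));
        System.out.println("anonymous reads acc-100: " + canReadAccount(null, "acc-100"));
        System.out.println("root reads acc-200: " + canReadAccount("root", "acc-200"));
        System.out.println("bob uses admin endpoint: " + canUseAdminEndpoint("bob"));
    }
}
```

The permission map is the only place roles are interpreted, which is what makes the enforcement "abstract level": a new customer role is added by extending the mapping, not by touching handlers. The same `canReadAccount` result can drive the frontend (hide the button), the API (reject the call) and the data layer (scope the query), which covers the slide's "enforce on frontend, backend and data layer".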
  • 64. A02: Cryptographic Failures • Previously known as “A3 Sensitive Data Exposure” – a broad symptom rather than a root cause • Sensitive data is transmitted or stored in clear text • Deprecated or weak cryptographic algorithms in use • Default crypto keys in use – proper key management or rotation missing
  • 65. A02: How to Prevent • Encrypt all sensitive data at rest • Encrypt all data in transit • Use TLS 1.2 or above • Use HTTP Strict Transport Security (HSTS) • Use up-to-date and strong standard algorithms and protocols • Use proper key management
  • 66. A03: Injection • Slid down from first position • Had held first position since OWASP Top Ten - 2010 • User input is not validated, filtered, or sanitized by the application • User input is directly used or concatenated • SQL injection • OS Command Injection
  • 67. A03: Example • User input is directly used in the SQL call:
    String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
  • 68. A03: How to Prevent • Do not pass user input directly to executable statements • Prepared Statements • Parameterized Queries • Hibernate
  • 69. A03: Example • Use PreparedStatement:
    String id = request.getParameter("id");
    String query = "SELECT * FROM accounts WHERE custID = ?";
    PreparedStatement pstmt = connection.prepareStatement(query);   // the query text, never the input
    pstmt.setString(1, id);                                          // input travels as a bound parameter
    ResultSet results = pstmt.executeQuery();
  • 70. A03: Don’t Forget About XSS • Attackers can execute scripts in a victim’s browser
  • 71. A03: How to Prevent XSS • Input validation for user input • Whitelist patterns • Encode output
  • 72. A04: Insecure Design • A new category • Pushing the “shift-left” approach • A secure design can still have an insecure implementation • An insecure design cannot be fixed by an implementation (Diagram: Requirements → Design → Implementation → Verification → Release)
  • 73. A04: How to Implement • Threat modeling • Threat Modeling Manifesto https://www.threatmodelingmanifesto.org/ • Secure Development Lifecycle (SDL) https://ultimatesecurity.pro/post/sdl-meetup/
  • 74. A05: Security Misconfiguration • Missing security hardening • Unnecessary features are enabled or installed • Unnecessary ports • Services • Accounts • Default accounts • Default passwords
  • 75. A05: How to Prevent • Apply security hardening • CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/ • Close unnecessary ports • Disable unnecessary services • Remove default accounts • Change default passwords
  • 76. A05: What About XXE? • Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    <foo>&xxe;</foo>
  • 77. A05: How to Prevent XXE • Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet 'XXE Prevention’. https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet • For additional details see the presentation: https://ultimatesecurity.pro/post/xxe-meetup/
  • 78. A06: Vulnerable and Outdated Components • Software is vulnerable, unsupported, or out of date • Apache Log4j (Log4Shell) Vulnerabilities
  • 79. A06: How to Prevent • Update software periodically • Use Software Composition Analysis (SCA) tools • Free or commercial tools • OWASP Dependency-Check free tool https://owasp.org/www-project-dependency-check/
  • 80. A07: Identification and Authentication Failures • Slid down from the second position • Previously known as Broken Authentication • Missing brute force protection • Missing multi-factor authentication • Using default, weak, or well-known passwords • Password1 or "admin/admin" • Reusing session identifier after successful login • Exposing session identifier in the URL
  • 81. A07: How to Prevent • Implement brute force protection • Implement multi-factor authentication • Change default credentials • Implement password complexity • Rotate Session IDs after successful login
  • 82. A08: Software and Data Integrity Failures • New category • Code and infrastructure that do not protect against integrity violations • SolarWinds 2020 Attack
  • 83. A08: How to Prevent • Use digital signatures to verify software • Ensure you consume trusted repositories
  • 84. A08: Remember Insecure Deserialization? • Serialization is the process of translating data structures or object state into a format that can be stored or transmitted and reconstructed later (deserialization) • Insecure Deserialization - an attacker changes the object between serialization and deserialization
  • 85. A08: How to Prevent Insecure Deserialization • Don't accept serialized objects from untrusted sources
  • 86. A09: Security Logging and Monitoring Failures • Insufficient logging • Logins • Failed logins • High-value transactions • Logs are only stored locally
  • 87. A09: How to Prevent • Log important events with sufficient user context • Username • Client IP • Time
  • 88. A10: Server Side Request Forgery (SSRF) • New category • A web application is fetching a remote resource without validating the user-supplied URL (Diagram: client requests http://host/getImage?url=http://10.0.0.1 → the server fetches http://10.0.0.1 → the response from http://10.0.0.1 is returned to the client)
  • 89. A10: Example 1 • Application provides the getImage service:
    // getImage implementation
    String imageUrl = request.getParameter("url");
    URL url = new URL(imageUrl);                   // no check on scheme, host or port
    InputStream is = url.openStream();             // the server fetches whatever the client named
    OutputStream os = response.getOutputStream();
    // copy is to os and return a response
  • 90. A10: SSRF CVEs • CVE-2021-44224 • High Severity Apache HTTP Server CVE • CVE-2021-26715 • Critical Severity MITREid OpenID Connect Server CVE
  • 91. A10: How to Prevent • Sanitize and validate all client-supplied input data • Validate URL Components • URL schema, port, and destination • Do not send raw responses to clients
  • 92. A10: Example 1 • Validate URL Components: // getImage implementation String imageUrl = request.getParameter("url"); URL url = new URL(imageUrl); // validate URL scheme, port, and destination before opening a connection
  • 93. Takeaways • Understand OWASP Top Ten • Implement the recommendations
  • 94. Thank you! • Contact me – www.linkedin.com/in/furmanmichael/ – https://ultimatesecurity.pro/ – @ultimatesecpro Questions?
  • 95. API access is broken: this is how you fix it
  • 96. About Me • Tuba player • Obsessed over football • Listening to classical music and metal (depends on the code he is writing)
  • 99. The 3 questions every API developer should ask
  • 101. Where do I belong?
  • 102. What can you do?
  • 103. What’s an API access made of?
  • 104. What is authentication (Wikipedia): “Is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.”
  • 105. Let me know who you are first! Trying to access a resource?
  • 108. Broken: session management • Exposes the session identifier in the URL • Reuses the session identifier after successful login • Does not correctly invalidate session IDs
  • 109. Hey, what’s wrong here? Your session is floating in URLs!
  • 110. Fixing session management • Use a server-side, secure, built-in session manager • The session identifier should not be in the URL and should be securely stored • Invalidate sessions after logout, idle timeout, and absolute timeout
  • 112. Thinking of re-inventing the wheel???
  • 116. const axios = require('axios').default; const url = 'https://api.attacked-company.com/login'; const commonPasswords = downloadCommonPasswords(); var idx = 0; while (true) { try { const { accessToken } = await axios.post(url, { email: 'john@doe.com', password: commonPasswords[idx++] }); takeoverAccount(accessToken); } catch (e) { console.log('could not authentication with that password. Will try with the next one'); } } Hey, What is that code doing?
  • 118. Fixing automated attacks • Public APIs (login, signup, reset password, etc.): - reCAPTCHA (v3) - DDoS protection with IP-based filtering • Authenticated APIs should be rate limited: - Limit or increasingly delay failed logins - Log failures and alert - Be prepared to block sessions
  • 119. Fixing automated attacks Rate limits based on API type
  • 120. Fixing automated attacks LOG EVERYTHING !!!
  • 121. Log everything - What are we looking for? • IP addresses / Forwarded, Origin and Referer headers / Cookies • User agents
  • 122. Fixing automated attacks Failed logins? This is what you should do - Implement user lockout mechanisms - Start delaying failed attempts - be careful not to create a denial of service scenario Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
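Slides 118 to 122 describe one mechanism from several angles: increasingly delay failed logins, lock the account after too many failures without creating a denial-of-service, log every failure with username, client IP and time, and alert when credential stuffing is detected. The block below is an added example in Node.js (not the speaker's code) that implements that policy as one in-memory throttle. Thresholds (5 failures, 15-minute lockout, 8-second delay cap, 20 distinct accounts from one IP) are constructed values; the clock and the log sink are injected so the behaviour can be exercised without waiting.

```javascript
// Added example (not from the slides): login throttling with exponential delay,
// account lockout and credential-stuffing alerting. Assumption: single process;
// a real deployment keeps this state in a shared store so every API node sees it.
const MAX_FAILURES_PER_ACCOUNT = 5;   // lock the account after this many failures
const LOCKOUT_MS = 15 * 60 * 1000;    // 15 minutes
const MAX_DELAY_MS = 8000;            // cap on the exponential delay (avoid self-DoS)
const STUFFING_THRESHOLD = 20;        // distinct accounts failing from one IP

class LoginThrottle {
  constructor(now = () => Date.now(), log = (e) => console.log(JSON.stringify(e))) {
    this.now = now;             // injectable clock
    this.log = log;             // structured log sink (username, ip, time, ...)
    this.accounts = new Map();  // username -> { failures, lockedUntil }
    this.ips = new Map();       // client IP -> Set of usernames that failed from it
  }

  // Decide whether a login attempt may proceed and how long to delay it first.
  check(username, ip) {
    const acct = this.accounts.get(username) || { failures: 0, lockedUntil: 0 };
    if (acct.lockedUntil > this.now()) {
      return { allowed: false, reason: 'locked', delayMs: 0 };
    }
    // 0, 500ms, 1s, 2s, 4s, ... capped, so an attacker cannot pile up delays
    // large enough to make the legitimate user's login unusable.
    const delayMs = acct.failures === 0
      ? 0
      : Math.min(MAX_DELAY_MS, 500 * 2 ** (acct.failures - 1));
    return { allowed: true, reason: 'ok', delayMs };
  }

  // Record a failed attempt: bump the per-account counter, lock if needed,
  // log with the context slide 121 asks for, and alert on stuffing patterns.
  recordFailure(username, ip) {
    const acct = this.accounts.get(username) || { failures: 0, lockedUntil: 0 };
    acct.failures += 1;
    if (acct.failures >= MAX_FAILURES_PER_ACCOUNT) {
      acct.lockedUntil = this.now() + LOCKOUT_MS;
    }
    this.accounts.set(username, acct);

    const seen = this.ips.get(ip) || new Set();
    seen.add(username);
    this.ips.set(ip, seen);

    const time = new Date(this.now()).toISOString();
    this.log({ event: 'login_failed', username, ip, time,
      failures: acct.failures, locked: acct.lockedUntil > this.now() });
    // Many different accounts failing from one IP is the signature of
    // credential stuffing rather than one user mistyping a password.
    if (seen.size === STUFFING_THRESHOLD) {
      this.log({ event: 'alert_credential_stuffing', ip, time, distinctAccounts: seen.size });
    }
    return { failures: acct.failures, locked: acct.lockedUntil > this.now() };
  }

  // A successful login clears the counter so the next failures start from zero.
  recordSuccess(username) {
    this.accounts.delete(username);
  }
}

module.exports = { LoginThrottle, MAX_FAILURES_PER_ACCOUNT, LOCKOUT_MS, MAX_DELAY_MS };
```

In a request handler, call check() before verifying the password, sleep for delayMs when allowed, reply with a generic error when locked, and then call recordFailure() or recordSuccess(). Keying the lockout on the account while alerting on the IP is deliberate: an attacker who can trigger per-account lockouts at will gets a denial-of-service lever, so the lockout is time-boxed and the delay is capped.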
  • 123. Verify your users identity (JWT vs Session tokens)
  • 127. Verify your users identity (JWT vs Session tokens)
  • 128. Bottom line? Building a modern application? Use JWT (hybrid modes work as well)
  • 129. Don’t leave your users behind... Authentication has evolved. Your APIs should support this as well
  • 131. Fixing broken basic authentication • Switch to passwordless • MFA everywhere • SSO whenever possible • Require re-authentication for sensitive features
  • 135. Broken API context Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests. Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)
  • 139. Fixing broken API context Pass context from JWT to microservices via Reverse Proxy headers
  • 140. Fixing broken API context DON’T forget to remove incoming headers before proxying to remove the risk of header tampering
  • 141. Fixing broken API context Try to avoid query/route params for REST API If you are using query/route params for REST API: - Use guards (!)
  • 146. Common issues Elevation of privilege - Acting as a user without being logged in - Acting as an admin when logged in as a user
  • 147. Accessing non-privileged entities • Accessing a private GitHub repository • Accessing a repository of a different team in the same organization • Accessing hidden features • Accessing features outside my subscription plan
  • 148. Elevation of privilege - Common Techniques • Technique 1: Access Token Manipulation • Technique 2: Non-authenticated access • Technique 3: Access Token Manipulation • Technique 4: Account Manipulation
  • 150. Fixing API authorization Except for public resources, deny by default. Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing (CORS) usage. Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record. Unique application business limit requirements should be enforced by domain models.
  • 152. Put the data on the JWT Enforce on the server side Decode and validate on the frontend side
  • 153. But what happens with entities? How do you handle hierarchical entities? How do you handle Feature Flags?
  • 154. Can’t we put them on the JWT as well?
  • 157. The Policy As Code way
  • 162. • Thank You! • Questions? • To be continued… Join Us: https://www.linkedin.com/company/application-security-virtual-meetups