For over 30 years the term Open Source has been gaining momentum, and it is at its peak right now, with all the tech giants shifting their focus to open source. In contrast, open source has not penetrated IAM to the same degree, largely because of the uncertainty and doubts around the topic. Register here for an in-depth explanation of the facts and fiction in this space.
View the on-demand webinar: https://wso2.com/library/webinars/open-source-value-benefits-risks/
About WSO2 Identity Server
● Product leader in the KuppingerCole Leadership Compass (LC): Access Management and Federation
● Innovation leader in LC: CIAM
● Overall leader in LC: Identity API Platforms
● Fully Open Source (Apache 2.0 open source license)
● Inherent extensibility for building a tailor-made IAM platform
● 500+ million identities managed worldwide
● 200+ production customers globally and 500+ educational institutes
● 24*7 support for production customers
● Globally operating, with main offices in the USA, UK, Germany, Brazil, Australia, and Sri Lanka
Identity Server - Capabilities
● Identity Federation and SSO
⦿ Federated access to web / mobile apps across multiple trust domains
⦿ Supports open identity standards (OIDC, SAML)
⦿ Facilitates single sign-on
● Identity Bridging
⦿ Exchange of identity attributes and authentication decisions between heterogeneous identity systems
● Adaptive and Strong Authentication
⦿ Enables applications to secure access with MFA based on context, risk, and identity attributes.
● Account Management and Identity Provisioning
⦿ Allows identity admins to manage users / groups with automated provisioning and approval workflows across multiple heterogeneous user stores.
Identity Server - Capabilities (continued)
● Access Controls
⦿ Controls access to apps in the login flow with fine-grained access control policies
⦿ Acts as a policy decision point for third-party applications
● APIs and Microservices Security
⦿ Secures access to APIs and microservices based on open standards
● Privacy
⦿ Adheres to the privacy-by-design and privacy-by-default principles
⦿ Follows industry standards and regulations with consent lifecycle management and data security
● Identity Analytics
⦿ Provides admins with insights into authentication, concurrent sessions, and anomalous login patterns.
Open Source is Winning the Market
● IBM buys Red Hat for USD 34 billion
● Clouds run on open source
● Clouds, Kubernetes, and containers
● Microsoft is an open-source company
Why Open Source for IAM?
● IAM is a cornerstone of any digital transformation project
● Once you implement an IAM infrastructure, switching costs are high
● Inflexible proprietary software licenses result in high capital expenditure (CapEx)
● Open source + open standards free you from vendor lock-in
● Openness makes you more secure than a completely closed box
● Unique business needs require extensibility and deployment flexibility
● Faster time to market
Risks that Prevent Open-Source Adoption
● Security and compliance
● Enterprise readiness
● Level of support
● Lack of internal skills
Security Fears of Open Source
● "Security is not a priority for open-source projects"
● "Open-source developers don't have secure-coding knowledge"
● "Open-source products aren't compliant with security standards"
● "Code being open attracts more attacks"
Security Mindset @ WSO2
"It takes years of hard work to build a good reputation but just one vulnerability and a few minutes to destroy it all!"
"The more we wait to incorporate security, the more challenging it becomes, and the more cost it will incur"
"Invest in building and nurturing a security culture. That will safeguard our reputation and our customers'"
Security Culture @ WSO2
● Dedicated Security and Compliance Team.
● Security champions in all the teams, who work closely with the central security team.
● Well-defined processes and guidelines to do security correctly.
● Regular trainings and security awareness sessions.
● In-house Capture the Flag (CTF) and other challenges to make security interesting and to help think like hackers.
● Road map: rewards for identifying security vulnerabilities and taking initiatives.
Image Source: https://insights.sei.cmu.edu/insider-threat/2018/10/is-compliance-compromising-your-information-security-culture.html
The Security & Compliance Team’s Role
● Train engineers
● Provide security guidelines
● Security research and innovation
● Define security policies and procedures
● Maintain security community relationships
● Develop new security tools
● Integrate with external security tools
● Security evangelism
Defining the Security Best Practices
https://wso2.com/technical-reports/wso2-secure-engineering-guidelines
Securing the SDLC: Designing
Stage: Design Review
● Mandatory design review.
● Software Architects and Security Leads of the respective product domains must attend.
● Design is evaluated from different perspectives, against the different threat categories of STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege).
● WSO2 Secure Engineering Guidelines and WSO2 Threat Modelling Guidelines act as the references.
[Figure: STRIDE threat categories; reference documents shown: Secure Engineering Guide, Threat Modelling Guide]
Securing the SDLC: Implementing
Stages: Design Review → Developer Self-Review
● WSO2 Secure Engineering Guideline is used as the reference.
● Find Security Bugs (SpotBugs plugin) and OWASP ZAP are used by developers for self-evaluation.
● Validated by the pull request template.
● New third-party libraries need approval, and security checks need to be done with OWASP Dependency Check.
[Figure: tool logos shown: Secure Engineering Guide, Find Security Bugs, OWASP ZAP, OWASP Dependency Check]
Securing the SDLC: Merging
Stages: Design Review → Developer Self-Review → Code Review
● Mandatory code review before merging.
● One or more Security Leads of the respective product domains must review.
● WSO2 Secure Engineering Guideline is used as the reference.
● Verify the implementation of the security controls defined in the design.
[Figure: reference document shown: Secure Engineering Guide]
Securing the SDLC: Releasing
Stages: Design Review → Developer Self-Review → Code Review → Pre-Release Checks
The release candidate goes through three types of security checks:
● Static code analysis using Veracode
● Dynamic analysis using Qualys
● Third-party dependency analysis using OWASP Dependency Track and Clair
[Figure: tool logos shown: Veracode, Qualys, OWASP Dependency Track, Clair]
Securing the SDLC: The Big Picture
[Figure: Product Release Process, showing Static Analysis, Dynamic Analysis, Third-party Dependency Analysis, the WSO2 Secure Engineering Guidelines, the National Vulnerability Database, a Scan Report Repository, the WSO2 Vulnerability Management System, and the Security Leads]
https://docs.wso2.com/display/Security/WSO2+Secure+Software+Development+Process
Vulnerability Management Process
[Figure: process swimlanes for the Product Team and the Security Team]
1. Receive: security@wso2.com, Support Portal, internal testing
2. Evaluate: true positive? Impact analysis (CVSS calculation)
3. Fix: change code / config; merge to the dev branch
4. Backport / Frontport: versions within the porting policy
5. Customer Announcement: usually monthly; if critical, immediately
6. Public Announcement: 4 weeks after the Customer Announcement
7. Acknowledgement: list on the public Acknowledgement page
https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Management+Process
Does Open Code Attract More Attacks?
● Serious attacks are driven not by how easy it is to attack, but by the value of what will be gained.
● Most closed-source binaries can be decompiled to view the code (unless obfuscated).
● Static scanners can find vulnerabilities just by scanning the binary.
● The application’s execution flow can be seen by using reverse engineering techniques.
Image Source: https://www.bbc.com/news/uk-39260174
Does Open Code Attract More Attacks? (continued)
● There are many black-box security testing tools, and the code being closed is not a concern for those.
● A malicious person willing to put in the effort to learn open-source code would do the same to figure out the execution flow of a closed-source application.
● Some closed-source vendors (and their customers) have a false sense of security because their code is not open. This might ultimately delay vulnerability mitigation.
● Being open source means having more non-malicious people looking out for vulnerabilities, and ultimately mitigating those faster.
[Revisit] Security Fears of Open Source
● "Security is not a priority for open-source projects"
● "Open-source developers don't have secure-coding knowledge"
● "Open-source products aren't compliant with security standards"
● "Code being open attracts more attacks"
What is Enterprise Open Source?
Open source software that is tested, hardened, and supported for enterprise use
Enterprise Open Source vs. Open Source

                                   Open Source    Enterprise Open Source
Open Source                        Yes            Yes
Support                            Community      Freemium / Community
Training and Certifications        No             Yes
Partner Network                    No             Yes
Enterprise Features / Readiness    Average        High
Predictable and Long Lifecycle     No             Supported
Security & Incident Management     Reactive       Proactive
WSO2 Identity Server as an Enterprise Open-Source IAM
Leader in the KuppingerCole Leadership Compass for Identity API Platforms, Q3 2019
Open-Source IAM Options
[Figure: comparison table of Gluu, Keycloak, MidPoint, Shibboleth, Soffid, Syncope, and WSO2 Identity Server across IGA, Login, SSO, Fine-Grained Authorization, API Security, Provisioning, and Adaptive Authentication; per-product cell values not shown]