Open-Source IAM: Value, Benefits, and Risks
July 8, 2020
Hello!
Dulanja Liyanage (dulanja@wso2.com)
Ishara Karunarathna (isharak@wso2.com)
About WSO2 Identity Server
Product leader in LC: Access Management and Federation
Innovation leader in LC: CIAM
Overall in LC: Identity API platforms
● Fully Open Source (Apache 2.0 open source license)
● Inherent extensibility for building a tailor-made IAM platform
● 500+m identities managed worldwide
● 200+ production customers globally and 500+ educational institutes
● 24*7 support for production customers
● Globally operating - main offices in the USA, UK, Germany, Brazil, Australia, and Sri Lanka
Identity Server - Capabilities
● Identity Federation and SSO
⦿ Federated access to web / mobile apps across multiple trust domains
⦿ Supports open identity standards (OIDC, SAML)
⦿ Facilitates single sign-on
● Identity Bridging
⦿ Exchange of ID attributes and authentication decisions between heterogeneous identity systems
● Adaptive and Strong Authentication
⦿ Enables applications to secure access with MFA based on context, risk, and identity attributes.
● Account Management and Identity Provisioning
⦿ Allows identity admins to manage users / groups with automated provisioning and approval workflows across multiple heterogeneous user stores.
Identity Server - Capabilities (continued)
● Access Controls
⦿ Controls access to apps in the login flow with fine-grained access control policies
⦿ Acts as a policy decision point for third-party applications
● API and Microservices Security
⦿ Secures access to APIs and microservices based on open standards
● Privacy
⦿ Adheres to the privacy-by-design and privacy-by-default principles
⦿ Follows industry standards and regulations with consent lifecycle management and data security
● Identity Analytics
⦿ Provides admins with insights into authentication, concurrent sessions, and anomalous login patterns.
Open-Source, Value, Benefits, and Risks
Open Source is Winning the Market
● IBM buys Red Hat for USD 34 billion
● Clouds run on open source
● Clouds, Kubernetes, and containers
● Microsoft is an open-source company
Why Open Source for IAM?
● IAM is a cornerstone in any digital transformation project
● Once you implement an IAM infrastructure, switching costs are high
● Inflexible proprietary software licenses result in high capital expenditure (CapEx)
● Open source + open standards frees you from vendor lock-in
● Openness makes you more secure compared to a completely closed box
● Unique business needs require extensibility and deployment flexibility
● Speeds up time to market
Risks that Prevent Open-Source Adoption
● Security and Compliance
● Enterprise readiness
● Level of support
● Lack of internal skills
Security Fears of Open Source
● "Security is not a priority for open-source projects"
● "Open-source developers don't have secure-coding knowledge"
● "Open-source products aren't compliant with security standards"
● "Code being open attracts more attacks"
Security Mindset @ WSO2
"It takes years of hard work to build a good reputation but just one vulnerability and a few minutes to destroy it all!"
"The more we wait to incorporate security, the more challenging it becomes, and more cost it will incur"
"Invest in building and nurturing a security culture. That will safeguard our reputation and our customers'"
Image Source: https://www.cottageblogger.com/the-things-we-forget-being-proactive-and-not-reactive/
Security Culture @ WSO2
● Dedicated Security and Compliance Team.
● Security champions in all the teams that work closely with the central security team.
● Well-defined processes and guidelines to do security correctly.
● Regular training and security awareness sessions.
● In-house Capture the Flag (CTF) and other challenges to make security interesting and to help engineers think like attackers.
● Road map: rewards for identifying security vulnerabilities and taking initiatives.
Image Source: https://insights.sei.cmu.edu/insider-threat/2018/10/is-compliance-compromising-your-information-security-culture.html
The Security & Compliance Team’s Role
● Train Engineers
● Provide Security Guidelines
● Security Research and Innovation
● Define Security Policies and Procedures
● Maintain Security Community Relationships
● Develop New Security Tools
● Integrate with External Security Tools
● Security Evangelism
Defining the Security Best Practices
https://wso2.com/technical-reports/wso2-secure-engineering-guidelines
Securing the SDLC: Designing
Pipeline stage: Design Review
● Mandatory design review.
● Software Architects and Security Leads of the respective product domains must attend.
● The design is evaluated from different perspectives, against different threat categories (STRIDE).
● The WSO2 Secure Engineering Guidelines and WSO2 Threat Modelling Guidelines act as the references.
References: Secure Engineering Guide, Threat Modelling Guide
Securing the SDLC: Implementing
Pipeline stages so far: Design Review, Developer Self-Review
● The WSO2 Secure Engineering Guideline is used as the reference.
● Find Security Bugs (SpotBugs plugin) and OWASP ZAP are used by developers for self-evaluation.
● Validated by the pull request template.
● New third-party libraries need approval, and security checks need to be done with OWASP Dependency-Check.
References and tools: Secure Engineering Guide, Find Security Bugs, OWASP ZAP, OWASP Dependency-Check
Securing the SDLC: Merging
Pipeline stages so far: Design Review, Developer Self-Review, Code Review
● Mandatory code review before merging.
● One or more Security Leads of the respective product domains must review.
● The WSO2 Secure Engineering Guideline is used as the reference.
● Reviewers verify that the security controls defined in the design are implemented.
Reference: Secure Engineering Guide
Securing the SDLC: Releasing
Pipeline stages: Design Review, Developer Self-Review, Code Review, Pre-Release Checks
The release candidate goes through three types of security checks:
● Static Code Analysis using Veracode
● Dynamic Analysis using Qualys
● Third-party Dependency Analysis using OWASP Dependency-Track and Clair
Tools: Veracode, Qualys, OWASP Dependency-Track, Clair
Securing the SDLC: The Big Picture
Components of the Product Release Process diagram:
● Static Analysis
● Dynamic Analysis
● Third-party Dependency Analysis
● WSO2 Secure Engineering Guidelines
● National Vulnerability Database
● Scan Report Repository
● WSO2 Vulnerability Management System
● Security Leads
https://docs.wso2.com/display/Security/WSO2+Secure+Software+Development+Process
Securing the Deployment
https://is.docs.wso2.com/en/latest/administer/security-guidelines-for-production-deployment/
Vulnerability Management Process (Product Team and Security Team)
1. Receive: security@wso2.com, Support Portal, internal testing
2. Evaluate: True positive? Impact analysis (CVSS calculation)
3. Fix: Change code / config; merge to the dev branch
4. Backport / Frontport: Versions within the porting policy
5. Customer Announcement: Usually monthly; if critical, immediately
6. Public Announcement: 4 weeks after the Customer Announcement
7. Acknowledgement: Listed on the public Acknowledgement page
https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Management+Process
Security Tools @ WSO2 (acquired/adapted and developed)
● Security Scan Manager
● Security Issue Manager
● Security Announcement Manager
wso2.com/security
● Secure Software Development Process
● Vulnerability Management Process
● Secure Engineering & Deployment Guidelines
Does Open Code Attract More Attacks?
● Serious attacks are driven not by how easy it is to attack, but by the value of what will be gained.
● Most closed-source binaries can be decompiled to view the code (unless obfuscated).
● Static scanners can find vulnerabilities by just scanning the binary.
● The application’s execution flow can be seen by using reverse engineering techniques.
Image Source: https://www.bbc.com/news/uk-39260174
Does Open Code Attract More Attacks? (continued)
● There are many black-box security testing tools, and the code being closed is not a concern for those.
● A malicious person willing to put in the effort to learn open-source code would do the same to figure out the execution flow of a closed-source application.
● Some closed-source vendors (and their customers) have a false sense of security because their code is not open. This can ultimately delay vulnerability mitigation.
● Being open source means having more non-malicious people looking out for vulnerabilities, and ultimately mitigating them faster.
[Revisit] Security Fears of Open Source
● "Security is not a priority for open-source projects"
● "Open-source developers don't have secure-coding knowledge"
● "Open-source products aren't compliant with security standards"
● "Code being open attracts more attacks"
What is Enterprise Open Source?
Open source software that is tested, hardened, and supported for enterprise use
Enterprise Open Source vs. Open Source
Criterion | Open Source | Enterprise Open Source
Open Source | Yes | Yes
Support | Community | Freemium / Community
Training and Certifications | No | Yes
Partner Network | No | Yes
Enterprise Features / Readiness | Average | High
Predictable and Long Lifecycle | No | Supported
Security & Incident Management | Reactive | Proactive
Benefits of Enterprise Open-Source IAM
WSO2 Identity Server as an Enterprise Open-Source IAM
Leader in the KuppingerCole Leadership Compass for Identity API Platforms, Q3 2019
Open-Source IAM Options
Products compared: Gluu, Keycloak, MidPoint, Shibboleth, Soffid, Syncope, WSO2 Identity Server
Capabilities compared:
● IGA
● Login
● SSO
● Fine-Grained Authorization
● API Security
● Provisioning
● Adaptive Authentication
Question Time!
Thanks!

 
GartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfGartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdf
 
[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes
 
Modernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityModernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos Identity
 
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
 
CIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfCIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdf
 
Delivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoDelivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing Choreo
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected Products
 
A Reference Methodology for Agile Digital Businesses
 A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses
 
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
 
Lessons from the pandemic - From a single use case to true transformation
 Lessons from the pandemic - From a single use case to true transformation Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation
 
Adding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesAdding Liveliness to Banking Experiences
Adding Liveliness to Banking Experiences
 
Building a Future-ready Bank
Building a Future-ready BankBuilding a Future-ready Bank
Building a Future-ready Bank
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs
 
[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment
 
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
 

Kürzlich hochgeladen

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Kürzlich hochgeladen (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

Slide transcript: Open-Source IAM: Value, Benefits, and Risks

• 7. Open Source is Winning the Market
● IBM buys Red Hat for USD 34 billion
● Clouds run on open source
● Clouds, Kubernetes, and containers
● Microsoft is an open-source company

• 8. Why Open Source for IAM?
● IAM is a cornerstone of any digital transformation project
● Once you implement an IAM infrastructure, switching costs are high
● Inflexible proprietary software licenses result in high capital expenditure (CapEx)
● Open source + open standards free you from vendor lock-in
● Openness makes you more secure than a completely closed box
● Unique business needs require extensibility and deployment flexibility
● Speeds time to market

• 9. Risks that Prevent Open-Source Adoption
● Security and compliance
● Enterprise readiness
● Level of support
● Lack of internal skills

• 10. Security Fears of Open Source
● "Security is not a priority for open-source projects"
● "Open-source developers don't have secure-coding knowledge"
● "Open-source products aren't compliant with security standards"
● "Code being open attracts more attacks"
• 11. Security Mindset @ WSO2
"It takes years of hard work to build a good reputation, but just one vulnerability and a few minutes to destroy it all!"
"The longer we wait to incorporate security, the more challenging it becomes and the more it will cost."
"Invest in building and nurturing a security culture. That will safeguard our reputation and our customers'."

• 13. Security Culture @ WSO2
● Dedicated Security and Compliance Team.
● Security champions in all teams, working closely with the central security team.
● Well-defined processes and guidelines for doing security correctly.
● Regular training and security awareness sessions.
● In-house Capture the Flag (CTF) and other challenges to make security interesting and to help engineers think like attackers.
● Road map: rewards for identifying security vulnerabilities and taking initiatives.
Image Source: https://insights.sei.cmu.edu/insider-threat/2018/10/is-compliance-compromising-your-information-security-culture.html
• 14. The Security & Compliance Team's Role
● Train engineers
● Provide security guidelines
● Security research and innovation
● Define security policies and procedures
● Maintain security community relationships
● Develop new security tools
● Integrate with external security tools
● Security evangelism

• 15. Defining the Security Best Practices
https://wso2.com/technical-reports/wso2-secure-engineering-guidelines
• 16. Securing the SDLC: Designing (Design Review)
● Mandatory design review.
● Software Architects and Security Leads of the respective product domains must attend.
● The design is evaluated from different perspectives, against the STRIDE threat categories (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege).
● The WSO2 Secure Engineering Guidelines and WSO2 Threat Modelling Guidelines act as the references.

• 17. Securing the SDLC: Implementing (Design Review → Developer Self-Review)
● The WSO2 Secure Engineering Guidelines are used as the reference.
● Find Security Bugs (a SpotBugs plugin) and OWASP ZAP are used by developers for self-evaluation.
● Validated by the pull request template.
● New third-party libraries need approval, and their security checks are done with OWASP Dependency-Check.

• 18. Securing the SDLC: Merging (Design Review → Developer Self-Review → Code Review)
● Mandatory code review before merging.
● One or more Security Leads of the respective product domains must review.
● The WSO2 Secure Engineering Guidelines are used as the reference.
● Verify that the security controls defined in the design are implemented.

• 19. Securing the SDLC: Releasing (Design Review → Developer Self-Review → Code Review → Pre-Release Checks)
A release candidate goes through three types of security checks:
● Static code analysis using Veracode
● Dynamic analysis using Qualys
● Third-party dependency analysis using OWASP Dependency-Track and Clair

• 20. Securing the SDLC: The Big Picture
Components of the product release process diagram: Static Analysis, Dynamic Analysis, Third-party Dependency Analysis, WSO2 Secure Engineering Guidelines, National Vulnerability Database, Scan Report Repository, WSO2 Vulnerability Management System, Security Leads.
https://docs.wso2.com/display/Security/WSO2+Secure+Software+Development+Process
• 22. Vulnerability Management Process (swimlanes: Product Team, Security Team)
1. Receive: reports arrive via security@wso2.com, the Support Portal, or internal testing
2. Evaluate: is it a true positive? Impact analysis (CVSS calculation)
3. Fix: change code / configuration; merge to the dev branch
4. Backport / frontport: to all versions within the porting policy
5. Customer announcement: usually monthly; immediately if critical
6. Public announcement: 4 weeks after the customer announcement
7. Acknowledgement: the reporter is listed on the public acknowledgement page
https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Management+Process
• 23. Security Tools @ WSO2
Categories in the diagram: Acquired / Adapted; Developed
Tools shown: Security Scan Manager, Security Issue Manager, Security Announcement Manager

• 24. wso2.com/security
● Secure Software Development Process
● Vulnerability Management Process
● Secure Engineering & Deployment Guidelines

• 25. Does Open Code Attract More Attacks?
● Serious attacks are driven not by how easy it is to attack, but by the value of what will be gained.
● Most closed-source binaries can be decompiled to view the code (unless obfuscated).
● Static scanners can find vulnerabilities by scanning the binary alone.
● The application's execution flow can be recovered using reverse-engineering techniques.
Image Source: https://www.bbc.com/news/uk-39260174

• 26. Does Open Code Attract More Attacks?
● There are many black-box security testing tools, and closed code is no obstacle to them.
● A malicious person willing to put in the effort to learn open-source code would do the same to work out the execution flow of a closed-source application.
● Some closed-source vendors (and their customers) have a false sense of security because their code is not open. This can ultimately delay vulnerability mitigation.
● Being open source means more non-malicious people looking for vulnerabilities, and ultimately mitigating them faster.

• 27. [Revisit] Security Fears of Open Source
● "Security is not a priority for open-source projects"
● "Open-source developers don't have secure-coding knowledge"
● "Open-source products aren't compliant with security standards"
● "Code being open attracts more attacks"
• 29. What is Enterprise Open Source?
Open-source software that is tested, hardened, and supported for enterprise use.

• 30. Enterprise Open Source vs. Open Source
Criterion                          | Open Source | Enterprise Open Source
Open source                        | Yes         | Yes
Support                            | Community   | Freemium / Community
Training and certifications        | No          | Yes
Partner network                    | No          | Yes
Enterprise features / readiness    | Average     | High
Predictable and long lifecycle     | No          | Supported
Security & incident management     | Reactive    | Proactive

• 31. Benefits of Enterprise Open-Source IAM

• 32. WSO2 Identity Server as an Enterprise Open-Source IAM
Leader in the KuppingerCole Leadership Compass for Identity API Platforms, Q3 2019

• 33. Open-Source IAM Options
Products compared: Gluu, Keycloak, MidPoint, Shibboleth, Soffid, Syncope, WSO2 Identity Server
Capabilities compared: IGA, Login, SSO, Fine-grained Authorization, API Security, Provisioning, Adaptive Authentication
(Per-product capability markings are not recoverable from the transcript.)