SlideShare a Scribd company logo

Blibli Web Application Security Policy Enforcement Point

SARCCOM, profile picture
SARCCOM

The document outlines the enforcement of web application security at Blibli, led by Yudhi Karunia Surtan, highlighting the importance of software security against malicious attacks. It details the IT department's architecture, including the use of microservices and issues related to user roles and security. Solutions include a centralized user repository and the use of technologies like Spring Security and Apereo CAS for authentication and authorization.

Software
Related topics:
Software Architecture
1 of 17
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Blibli Web Application Security Policy Enforcement Point Presented by Yudhi Karunia Surtan
Introduction 2 Yudhi Karunia Surtan Work Code Name : Jon Email : yudhi.k.surtan@gdn-commerce.com Competition Achievement : – Hackathon Bandung 2012, Soft-layer challenge 1st winner. Professional Experience : 12 Years Skill Concentration : Performance And Security Title : Senior Principal Software Development Engineer
Software Security?? 3 Software security is an idea implemented to protect software against malicious attack and other hacker risks so that the software continues to function correctly under such potential risks. Security is necessary to provide integrity, authentication and availability.
Our Session Overview • Blibli IT Department Facts • Blibli Enterprise Architecture Overview • Architecture Advantages vs Disadvantages (Security) • Solution • Chosen Technology Overview • How To Combine All Technologies Together • Authentication And Authorization Architecture • Behind The Great Idea • What We at Blibli.com Achieved • What We at Blibli.com Learned 4
Blibli IT Department Facts 5 • > 80 Micro Services (UI and API) for both internal and external customers • > 100 Developers • > 20 Teams • 3 Weeks Release Cycle • < 500 ms Application response time goal (Soft Agreement) • < 4 seconds end user response time
Micro Services Blibli Enterprise Architecture Overview 6 UI B-1 UI A-1 UI B-2 LB LB UI A-1 LB LB API A-1 API A-2 API B-1 API B-2
The Advantages of Architecture • Independent Team and development cycle • Rapid Software Development • Each Microservices maintain their own data • Problem and bug isolation 7
The Disadvantages of Architecture (Security) • Is one user role will be the same across all the UI ? • Are the user duplicated across all the UI ? • How each application will check the role ? • Is that possible to change the role during the runtime ? • Is the user should login every time they change the UI service? • Etc… (Anyone saw problems from previous slide?) 8
Solution • Make an UI Framework which provide the abstraction for authentication and authorization without explicit declaration during development. • Centralize the user repository for easy maintainability purpose • Single Sign On and Single Sign Off features • Developer create roles by functionality point of view, business user will mapping it with their role name 9
Chosen Technology Overview 10 • Spring Security A Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications • Apereo CAS The Central Authentication Service project, more commonly referred to as CAS is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user. • Apache Fortress A standards-based access management system, written in Java, that provides role-based access control, delegated administration and password policy services with LDAP.
Combine All the technologies 11 • Apereo CAS will Act as the provider for Single Sign On and Off • Apache Fortress Will Provide Authorization and Whitelist of Security Policies • Spring Security as the main development framework for put the logic authentication and authorization mechanism • Create a templating project, so developer can easily setup their project using those template
Authentication and Authorization Architecture 12 UI Service API Service CAS FortressLDAP Delegate Authentication RESTFul User Http Request
Behind the great idea There are also another problems : 1. How developer should not statically type the roles in their codes, especially in their javascript/presentation layer for hiding a button 2. How to cut the response by roles, unnecessary information need to be hide from other role 13
What We at Blibli Achieved 14 • Decouple business and application logic from security authorization • More productive and predictive software • User Roles Security and Easy Maintainability • Single user repository for all internal application
What We at Blibli.com learned 15
Any Questions? 16
THANK YOU 17

More Related Content

PPTX
Managing Security in Agile Culture
SARCCOM
 
PDF
Telco Business & Technology
SARCCOM
 
PDF
Architecting for Hyper Growth and Great Engineering Culture
ifnu bima
 
PDF
Implement OpenSAMM on blibli.com
SARCCOM
 
PDF
The Evolution of Software for a Startup
SARCCOM
 
PPTX
tantangan menjadi developer di abad 21
DicodingEvent
 
PDF
[WSO2Con EU 2017] Resilience Patterns with Ballerina
WSO2
 
PPTX
The DevOps Journey
Micro Focus
 
Managing Security in Agile Culture
SARCCOM
 
Telco Business & Technology
SARCCOM
 
Architecting for Hyper Growth and Great Engineering Culture
ifnu bima
 
Implement OpenSAMM on blibli.com
SARCCOM
 
The Evolution of Software for a Startup
SARCCOM
 
tantangan menjadi developer di abad 21
DicodingEvent
 
[WSO2Con EU 2017] Resilience Patterns with Ballerina
WSO2
 
The DevOps Journey
Micro Focus
 

What's hot (20)

PDF
Micro Focus Filr - #MFSummit2017
Micro Focus
 
PPTX
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
PDF
Nicolas destor pres_f5agility2018
Nicolas Destor
 
PPTX
OReilly Software Architecture Conference: Architecture as code - objective m...
PaulaPaulSlides
 
PDF
Connect Bridge - Basic intoduction deck
Gregor Vogrin
 
PDF
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Black Duck by Synopsys
 
PPT
BlackDuck Suite
jeff cheng
 
PPTX
Agile software security assurance
Ollie Whitehouse
 
PDF
Don't Let Open Source be the Deal Breaker In Your M&A
Black Duck by Synopsys
 
PDF
Training Webinar: Fitting OutSystems applications into Enterprise Architecture
OutSystems
 
PDF
What's New In Entando 6 (And Why Your Developers Will Love It)
Entando
 
PPTX
Building a Mobile Security Program
Denim Group
 
PPT
FLIGHT Amsterdam Presentation - From Protex to Hub
Black Duck by Synopsys
 
PPTX
Do you need microservices architecture?
Manu Pk
 
PPTX
Enable DevSecOps using JIRA Software
AUGNYC
 
PDF
Windows 7 v/ Kristian Svantorp Microsoft
guestb7fda43
 
PPTX
DevOps Security: A New Paradigm
Tripwire
 
PPTX
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
PDF
[WSO2 API Day Chicago 2019] Sustainable Competitive Advantage
WSO2
 
PPTX
Digital Product Security
SoftServe
 
Micro Focus Filr - #MFSummit2017
Micro Focus
 
Static Application Security Testing Strategies for Automation and Continuous ...
Kevin Fealey
 
Nicolas destor pres_f5agility2018
Nicolas Destor
 
OReilly Software Architecture Conference: Architecture as code - objective m...
PaulaPaulSlides
 
Connect Bridge - Basic intoduction deck
Gregor Vogrin
 
Flight WEST 2018 Presentation - A Buyer Investor Playbook for Successfully Na...
Black Duck by Synopsys
 
BlackDuck Suite
jeff cheng
 
Agile software security assurance
Ollie Whitehouse
 
Don't Let Open Source be the Deal Breaker In Your M&A
Black Duck by Synopsys
 
Training Webinar: Fitting OutSystems applications into Enterprise Architecture
OutSystems
 
What's New In Entando 6 (And Why Your Developers Will Love It)
Entando
 
Building a Mobile Security Program
Denim Group
 
FLIGHT Amsterdam Presentation - From Protex to Hub
Black Duck by Synopsys
 
Do you need microservices architecture?
Manu Pk
 
Enable DevSecOps using JIRA Software
AUGNYC
 
Windows 7 v/ Kristian Svantorp Microsoft
guestb7fda43
 
DevOps Security: A New Paradigm
Tripwire
 
Programming languages and techniques for today’s embedded andIoT world
Rogue Wave Software
 
[WSO2 API Day Chicago 2019] Sustainable Competitive Advantage
WSO2
 
Digital Product Security
SoftServe
 
Ad

Similar to Blibli Web Application Security Policy Enforcement Point (20)

PDF
Profile_Ahmad2
Mohammad Owais Ahmad
 
PPTX
The user s identities
Giuliano Latini
 
PDF
Abhishek latest
kumar Abhishek
 
PDF
7. oracle iam11g+strategyodrom
Doina Draganescu
 
PDF
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Revelation Technologies
 
PPT
2011 NASA Open Source Summit - Forge.mil
NASA Open Government Initiative
 
DOC
Subhajit_Das_Resume_2015
Subhajit Das
 
DOC
Subhajit das resume_2015
Subhajit Das
 
DOC
BadesahebKBichu
Badesaheb Bichu
 
DOC
kowsalyamanickam_resume_OIM
Kowsalya Manickam
 
DOC
Surya_CV
Surya Pal
 
DOC
Resume_Dhiren
Dhirendra Singh Rawa Dhiren.Rawat2020
 
PPTX
Introduction-to-the-Waterfall-Model.pptx
AsadBaig49
 
PPTX
ABC’s Proposal
Randhir Singh
 
DOC
Resume_Dhiren
Dhirendra Singh Rawa Dhiren.Rawat2020
 
PPTX
Webinar: APPSeCONNECT Product Updates 2019 - Major Highlights
APPSeCONNECT
 
PDF
Wise Men Oracle Mobility Webinar- 11-December-2014
Wise Men
 
DOC
Alpana_Srivastava
Alpana Srivastava
 
DOC
5.10 years Expetience in Asp.net with MVC
prashant zope
 
DOC
Malli Resume_30 Jun 2012
mallikarjun ch
 
Profile_Ahmad2
Mohammad Owais Ahmad
 
The user s identities
Giuliano Latini
 
Abhishek latest
kumar Abhishek
 
7. oracle iam11g+strategyodrom
Doina Draganescu
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Revelation Technologies
 
2011 NASA Open Source Summit - Forge.mil
NASA Open Government Initiative
 
Subhajit_Das_Resume_2015
Subhajit Das
 
Subhajit das resume_2015
Subhajit Das
 
BadesahebKBichu
Badesaheb Bichu
 
kowsalyamanickam_resume_OIM
Kowsalya Manickam
 
Surya_CV
Surya Pal
 
Resume_Dhiren
Dhirendra Singh Rawa Dhiren.Rawat2020
 
Introduction-to-the-Waterfall-Model.pptx
AsadBaig49
 
ABC’s Proposal
Randhir Singh
 
Resume_Dhiren
Dhirendra Singh Rawa Dhiren.Rawat2020
 
Webinar: APPSeCONNECT Product Updates 2019 - Major Highlights
APPSeCONNECT
 
Wise Men Oracle Mobility Webinar- 11-December-2014
Wise Men
 
Alpana_Srivastava
Alpana Srivastava
 
5.10 years Expetience in Asp.net with MVC
prashant zope
 
Malli Resume_30 Jun 2012
mallikarjun ch
 
Ad

More from SARCCOM (18)

PDF
Week 3 Deep Learning And POS Tagging Hands-On
SARCCOM
 
PDF
Week 2 Sentiment Analysis Using Machine Learning
SARCCOM
 
PDF
Week 1 Natural Language Processing Introduction
SARCCOM
 
PDF
The Secret of Most Wanted Geek
SARCCOM
 
PDF
Fundamental of Machine Learning
SARCCOM
 
PDF
Data Warehousing Tools on Data Ecosystem
SARCCOM
 
PDF
Startup Engineering Culture
SARCCOM
 
PDF
Menggapai Paripurna Rekayasa
SARCCOM
 
PPTX
Requirement Gathering Jump Start
SARCCOM
 
PDF
Legacy code - Taming The Beast
SARCCOM
 
PPTX
The Role of IT Architect in Enterprise Company (Garuda Indonesia)
SARCCOM
 
PDF
The Role of IT Architect in Startup Company
SARCCOM
 
PDF
Architecting for Huper Growth and Great Engineering Culture
SARCCOM
 
PPTX
Software Architecture Introduction
SARCCOM
 
PPTX
Software Architecture Fundamentals Part-1 Architecture soft skill
SARCCOM
 
PDF
Best Practice In Software Development
SARCCOM
 
PPTX
Is your code SOLID enough?
SARCCOM
 
PPTX
How to work with us? We are Gen Y!
SARCCOM
 
Week 3 Deep Learning And POS Tagging Hands-On
SARCCOM
 
Week 2 Sentiment Analysis Using Machine Learning
SARCCOM
 
Week 1 Natural Language Processing Introduction
SARCCOM
 
The Secret of Most Wanted Geek
SARCCOM
 
Fundamental of Machine Learning
SARCCOM
 
Data Warehousing Tools on Data Ecosystem
SARCCOM
 
Startup Engineering Culture
SARCCOM
 
Menggapai Paripurna Rekayasa
SARCCOM
 
Requirement Gathering Jump Start
SARCCOM
 
Legacy code - Taming The Beast
SARCCOM
 
The Role of IT Architect in Enterprise Company (Garuda Indonesia)
SARCCOM
 
The Role of IT Architect in Startup Company
SARCCOM
 
Architecting for Huper Growth and Great Engineering Culture
SARCCOM
 
Software Architecture Introduction
SARCCOM
 
Software Architecture Fundamentals Part-1 Architecture soft skill
SARCCOM
 
Best Practice In Software Development
SARCCOM
 
Is your code SOLID enough?
SARCCOM
 
How to work with us? We are Gen Y!
SARCCOM
 

Recently uploaded (20)

PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PPTX
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PPTX
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PPTX
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Introduction Database Management System for Course Database
ReinertYosua
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
AI in Product Development-omnex systems
omnex systems
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Introduction to Artificial Intelligence
lohedi9363
 
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
System and Network Administraation Chapter 3
jaramharo
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 

Blibli Web Application Security Policy Enforcement Point

  • 1. Blibli Web Application Security Policy Enforcement Point Presented by Yudhi Karunia Surtan
  • 2. Introduction 2 Yudhi Karunia Surtan Work Code Name : Jon Email : yudhi.k.surtan@gdn-commerce.com Competition Achievement : – Hackathon Bandung 2012, Soft-layer challenge 1st winner. Professional Experience : 12 Years Skill Concentration : Performance And Security Title : Senior Principal Software Development Engineer
  • 3. Software Security?? 3 Software security is an idea implemented to protect software against malicious attack and other hacker risks so that the software continues to function correctly under such potential risks. Security is necessary to provide integrity, authentication and availability.
  • 4. Our Session Overview • Blibli IT Department Facts • Blibli Enterprise Architecture Overview • Architecture Advantages vs Disadvantages (Security) • Solution • Chosen Technology Overview • How To Combine All Technologies Together • Authentication And Authorization Architecture • Behind The Great Idea • What We at Blibli.com Achieved • What We at Blibli.com Learned 4
  • 5. Blibli IT Department Facts 5 • > 80 Micro Services (UI and API) for both internal and external customers • > 100 Developers • > 20 Teams • 3 Weeks Release Cycle • < 500 ms Application response time goal (Soft Agreement) • < 4 seconds end user response time
  • 6. Micro Services Blibli Enterprise Architecture Overview 6 UI B-1 UI A-1 UI B-2 LB LB UI A-1 LB LB API A-1 API A-2 API B-1 API B-2
  • 7. The Advantages of Architecture • Independent Team and development cycle • Rapid Software Development • Each Microservices maintain their own data • Problem and bug isolation 7
  • 8. The Disadvantages of Architecture (Security) • Is one user role will be the same across all the UI ? • Are the user duplicated across all the UI ? • How each application will check the role ? • Is that possible to change the role during the runtime ? • Is the user should login every time they change the UI service? • Etc… (Anyone saw problems from previous slide?) 8
  • 9. Solution • Make an UI Framework which provide the abstraction for authentication and authorization without explicit declaration during development. • Centralize the user repository for easy maintainability purpose • Single Sign On and Single Sign Off features • Developer create roles by functionality point of view, business user will mapping it with their role name 9
  • 10. Chosen Technology Overview 10 • Spring Security A Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications • Apereo CAS The Central Authentication Service project, more commonly referred to as CAS is an authentication system originally created by Yale University to provide a trusted way for an application to authenticate a user. • Apache Fortress A standards-based access management system, written in Java, that provides role-based access control, delegated administration and password policy services with LDAP.
  • 11. Combine All the technologies 11 • Apereo CAS will Act as the provider for Single Sign On and Off • Apache Fortress Will Provide Authorization and Whitelist of Security Policies • Spring Security as the main development framework for put the logic authentication and authorization mechanism • Create a templating project, so developer can easily setup their project using those template
  • 12. Authentication and Authorization Architecture 12 UI Service API Service CAS FortressLDAP Delegate Authentication RESTFul User Http Request
  • 13. Behind the great idea There are also another problems : 1. How developer should not statically type the roles in their codes, especially in their javascript/presentation layer for hiding a button 2. How to cut the response by roles, unnecessary information need to be hide from other role 13
  • 14. What We at Blibli Achieved 14 • Decouple business and application logic from security authorization • More productive and predictive software • User Roles Security and Easy Maintainability • Single user repository for all internal application
  • 15. What We at Blibli.com learned 15