Join Us: https://www.linkedin.com/company/application-security-virtual-meetups
Inversion of Control: Security as an Interface
Sagi Rodin
● Developing since I was 15
● Managed R&D in startups
● Developed a high-scale modern
application platform @Check Point
● Founder of Frontegg
● Love smoking beef
About Me
User management - the next-gen of authentication meetup 27012022
Operating System Level: End-user → IT → Vendors (Patches)
R&D feature requests: End-user → IT → Vendors (Features)
Security is for Enterprise Customers: End-user → Tickets → Engineers
What’s Next? Security as a User Interface
More than [percentage shown on the slide graphic] prefer self-served managed apps *
* According to Frontegg’s self-service survey, 2021
How are other modern apps doing it?
● Security on profile level
● Workspace level team management
● Security policy
● Domain control
● Custom roles and permissions
● API key management
What’s there to control?
Personal Security Settings
Organizational Security Policy (Passwords, MFA, Account Lockout)
Device Management
Enterprise SSO
Custom Roles and Permissions
API Token Management
Webhooks
Data privacy management
The Guidelines
1. Support Multi-tenancy by Design
● Basic - flat
● Hierarchy based
● Granular settings
● Many-to-many user association
● Allow hybrid deployments per tenant
2. Build Abstract Level Roles Enforcement
● Enforce permissions, not roles
● Enforce on frontend, backend and data layer
● Don’t assume you know your customers
3. Create an Admin Portal Product Infrastructure (for dev team convenience)
● Allow teams to deploy configuration screens
● Allow customization of Admin Portal
● Allow roles enforcement on Admin Portal
What did we have so far?
Evolution in Products, Security and the Connection
between the two
How this is handled within modern apps
What do we want to expose
The three Rules of building a self-serve ready app
Thank You
Questions?
I’m Sagi
Ping me
sagi@frontegg.com
© 2021 Pagaya. FOR INTERNAL USE ONLY. Confidential
Yaniv Toledano, Global CISO & IT
2022
Data Protection – IaaS, SaaS and in between
Pagaya is a financial technology
company that deploys
sophisticated data science,
machine learning and AI
technology to
drive better results.
Partners utilize Pagaya’s centralized AI and data
network to evaluate their customers’ applications in
real time. Pagaya believes this solution measures risk
and predicts behavior more accurately than legacy
approaches, and Pagaya’s performance continuously
improves as more information flows through its
network.
[Diagram: Partners – Bank, FinTech, Dealership, Broker; Asset Investors; Customers]
Intro
• 18+ years of experience in the cyber security world
• Experienced cyber security manager across global enterprises
• Provided consultation for a wide range of companies & domains: Comcast (US),
T-Mobile (US), Rabobank (NL), Clalit Health Insurance (IL) and others.
• 8200 IDF veteran
• Holding 3 patents in the risk management and privacy domains.
Yaniv Toledano
World’s Biggest Data Breaches & Hacks (Oct 2021)
Data is the new Currency… or the new Oil, Gold.. Whatever..
Starting Point…
• Do you know what your threats are?!?? Great start!
• Are you able to identify your assets? Really? And what about your data flows?
• So.. What now?? Let’s run with technology and protect.. Secure.. Control.. and put some DLP alike?!?
• Who are your partners in the process? Do you have any? (Never walk alone..)
• Start Rolling…
How to Engage.. Just a thought..
My suggestion… (Data Lifecycle)
Step 1 – Discovery
• Learn your ecosystem
• Continuously assess
• Map your flows
• Classify
• Generate hierarchy
• Generate accountability
Step 2 – Access Control
• Least privilege approach
• Monitor access
• Periodic access review
• Don’t focus on humans only
• Stale
Step 3 – Prevent Exfiltration
• It’s not the same as before (http/s, FTP, DLP, USB)… APIs, Lambdas, serverless computing and more..
Step 4 – Encrypt
• Tokenize, anonymize and whatever does the job..
• Encryption of container/storage/bucket is not enough.
Strive for a data security posture management (in other words, govern!)
What can be really cool?
Discovery Stage
Points of Reference
5 Focus Points (Partial)
Topic – What Should I DO
01 – Discover your data assets / objects and use tech to support you: craft a continuous measure to discover your entire stack, allow building data types and always know where your data is…
02 – Define data flows and make friends along the way… (Data, DevOps, Engineering, Legal)
03 – Define data owners, data stewards and whatever cool taxonomy you can think of
04 – Data catalog is a must – build one (Excel is a good start)
05 – Understand compliance / legal obligations: consult with compliance and relevant teams to learn your obligations for protection, access, audit trail, retention & deletion
Why?
• Build a baseline to manage your data! Because you won’t be happy when the customer/audit/regulator comes
• Document, maintain, be happy
• No data owner = no accountability
• No stewards = no real understanding of how data is consumed and how to drive access control
• No data flow = no idea of what needs to be protected & which systems store/run it..
Data Management – R&R
Data Security
What Data Security is all About – The Threats & Considerations...
• Data exfiltration
• Insider threat
• Secure posture (bucket encrypted, asset exposed externally..)
• Retention violation
• Data manipulation (by mistake, insider threat)
• Unmanaged/ungoverned access
• Unauthorized access
• Shadow IT
• Over-privileged APIs
• DevOps are much faster – scale…
• Stale data – more damage…
What Data Security is all About – What Should I Think about..
• How do I manage permission and access to data
• Data leakage prevention on all relevant resources
• Tokenization, encryption & anonymization.. whatever it takes
• Data security posture is key
• Periodic access control review
• Secure posture (bucket encrypted, asset exposed externally..)
• Do I provision access to my cloud assets via my IDE?
• Do I allow access to my cloud assets directly? Via VDI?
• Did I map my APIs and know what traffic? Is it right? No?!?
• SSPM to ensure proper access control to SaaS apps
• Audit trail on SaaS apps
• CASB or other – detect apps…
• Stale data scanning
• 3rd party access to data…
• Data transfer
From a data lifecycle view…
Data Protection controls must be implemented across the data lifecycle to protect sensitive data as it’s collected, stored, used, shared, and destroyed.
Data Protection within the environment through the data lifecycle (capabilities: Discover & Classify, Data Security, Monitor & Enforce)
Collection
• Data discovery and catalog data sources.
• Inventory of data – generate a comprehensive list of pertinent data elements, where it is located and what type of data it is.
• Classification of data based on sensitivity and access, and tag data to identify access levels.
• RBAC rules to determine who should have access to data.
Storage
• Enforcing protection of data in motion using secure protocols (e.g., SFTP, TLS 1.2+)
• Encryption of data at rest for on-premise and Cloud instances.
• Storage integrity and availability between cloud instances/regions/availability zones.
• Encryption key management (e.g., Vault or external EKM).
• Masking/tokenization in non-production environments
Usage and Sharing
• Adequacy of network bandwidth
• Schedule/timeframe for data transfer.
• Enforcing protection of transfers using secure protocols (e.g., SFTP, TLS 1.2+)
• Post-transfer data integrity check (validate no errors or data loss during the transfer process.)
• Security and integrity measures on the Cloud platform, such as key repository, strong encryption.
• DLP measures
Retention and Archival
• Determine when source data is redundant or extraneous and can be securely removed
• Monitor and securely remove files from SFTP transfer zones
• Verify data integrity (check for data corruption, repair, restore from backups if necessary)
• Verify that data is properly retained, and that no unauthorized data has been inadvertently saved.
Thank you
Q&A
Michael Furman
Security Architect, Tufin
OWASP Top 10 - 2021
What's New
What will we cover today?
• Who is OWASP?
• What is OWASP Top 10?
• OWASP Top 10 – Overview and What's New
About Me
• >14 yr. in application security
• >9 yr. with Tufin – Lead Security Architect
• www.linkedin.com/in/furmanmichael/
• Blog https://ultimatesecurity.pro/
• Twitter @ultimatesecpro
• I like to travel, read books and listen to music
About
● Market Leader in Security Policy Automation
● Tufin is used by >2000 enterprises
– To segment networks and connect applications
– On-prem networks, firewalls, cloud and K8S
● We are the Security Policy Company!
Who is OWASP?
• Worldwide not-for-profit organization
• Founded in 2001
• OWASP - Open Web Application Security Project
• Mission is to make software security visible.
OWASP Top 10
• Most successful OWASP Project
https://owasp.org/Top10/
• Ten most critical web application security flaws
• De facto application security standard
• Released every 3 - 4 years
• First released in 2004
• Current - 2021
OWASP Top 10 - 2021
• A01 Broken Access Control
• A02 Cryptographic Failures
• A03 Injection
• A04 Insecure Design
• A05 Security Misconfiguration
• A06 Vulnerable and Outdated Components
• A07 Identification and Authentication Failures
• A08 Software and Data Integrity Failures
• A09 Security Logging and Monitoring Failures
• A10 Server Side Request Forgery (SSRF)
OWASP Top 10 - 2017
• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities
• A5 Broken Access Control
• A6 Security Misconfiguration
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring
What happened to …?
• Broken Access Control
• Cross-Site Scripting (XSS)
• XML External Entities (XXE)
• Insecure Deserialization
They are still here
• A03 Injection
• Cross-Site Scripting (XSS)
• A05 Security Misconfiguration
• XML External Entities
• A08 Software and Data Integrity Failures
• Insecure Deserialization
And even more …
• A03 Injection
• Cross-Site Scripting (XSS)
• A04 Insecure Design
• A05 Security Misconfiguration
• XML External Entities
• A08 Software and Data Integrity Failures
• Insecure Deserialization
• A10 Server Side Request Forgery (SSRF)
What can I do?
A01: Broken Access Control
• Moved up from fifth position
• Elevation of privilege or Privilege Escalation
• Acting as an admin when logged in as a user
• Acting as a user without being logged in
• Viewing or editing someone else's account
• IDOR - Insecure Direct Object References
• Cross-Origin Resource Sharing (CORS) misconfiguration
• Allows API access from unauthorized/untrusted origins
A01: Example 1
• Application provides the service:
https://example.com/app/getappInfo
• Attacker browses to target URLs:
https://example.com/app/admin_getappInfo
https://example.com/app/getadminappInfo
A01: Example 2
• Unverified parameters to access:
pstmt.setString(1, request.getParameter("account"));
ResultSet results = pstmt.executeQuery();
• Attacker modifies the parameter:
https://example.com/app/accountInfo?account=notmyaccount
A01: How to Prevent
• Default behavior: deny access to resources
– Except for public resources
• Implement access control mechanisms
– On the server side
– All requests
• Minimize CORS usage
A01: Example 1
• Validate access on each request and prevent access for unauthorized users:
// implementation of getadminappInfo
if (currentUser.hasPermission("admin")) {   // hypothetical helper; the check runs on every request
    // return admin app Info
} else {
    // authorization error
}
• Annotation example (Spring Security):
@PreAuthorize("hasAuthority('admin')")
public AppInfo getadminappInfo() {   // hypothetical signature
    // return admin app Info
}
A01: Example 2
• Verify ownership / access:
String account = request.getParameter("account");
pstmt.setString(1, account);
if (currentUser.ownsAccount(account)) {   // hypothetical helper: check the record belongs to the caller
    ResultSet results = pstmt.executeQuery();
} else {
    // authorization error
}
A02: Cryptographic Failures
• Previously known as “A3 Sensitive Data Exposure”
– a broad symptom rather than a root cause
• Sensitive data is transmitted or stored in clear text
• Deprecated or weak cryptographic algorithms in use
• Default crypto keys in use
– proper key management or rotation missing
A02: How to Prevent
• Encrypt all sensitive data at rest
• Encrypt all data in transit
• Use TLS 1.2 or above
• Use HTTP Strict Transport Security (HSTS)
• Use up-to-date and strong standard algorithms and protocols
• Use proper key management
A03: Injection
• Slid down from first position
• Was the first one since OWASP Top Ten - 2010
• User input is not validated, filtered, or sanitized by the application
• User input is directly used or concatenated
• SQL injection
• OS Command Injection
A03: Example
• User input is directly used in the SQL call:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
A03: How to Prevent
• Do not pass user input directly to executable statements
• Prepared Statements
• Parameterized Queries
• Hibernate
A03: Example
• Use PreparedStatement:
String id = request.getParameter("id");
String query = "SELECT * FROM accounts WHERE custID = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setInt(1, Integer.parseInt(id));   // bind the value; never concatenate it into the query
ResultSet results = pstmt.executeQuery();
A03: Don’t Forget About XSS
• Attackers can execute scripts in a victim’s browser
A03: How to Prevent XSS
• Input validation for user input
• Whitelist patterns
• Encode output
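The two XSS defences on the slide, allow-list input validation and output encoding, applied to a constructed page fragment. This is an added example, not code from the talk; the helper names and the username rule are assumptions made here.

```javascript
// Added example (not from the talk): the two XSS defences on the slide,
// input validation against an allow-list pattern and output encoding, on a
// constructed "greeting + comments" page fragment. Names are made up here.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Output encoding for the HTML *body* context. Attribute, JavaScript and URL
// contexts need their own encoders; one escaper does not fit every sink.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Allow-list validation: a username is 3-32 letters, digits, dot, dash, underscore.
const USERNAME_RE = /^[A-Za-z0-9._-]{3,32}$/;
function isValidUsername(s) { return USERNAME_RE.test(s); }

// Vulnerable: user input reaches markup untouched.
function greetUnsafe(name) { return `<p>Hello, ${name}!</p>`; }

// Fixed: validate structured input, and still encode it on the way out
// (validation rules change over time; encoding at the sink is what stops XSS).
function greetSafe(name) {
  if (!isValidUsername(name)) return '<p>Hello, guest!</p>';
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Free text cannot be allow-listed, so it is always encoded.
function renderComment(text) { return `<li>${escapeHtml(text)}</li>`; }
```

greetUnsafe shows the raw reflection the slide warns about; greetSafe and renderComment show the two defences working together.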
A04: Insecure Design
• A new category
• Pushing "shift-left“ approach
• A secure design can still have insecure implementation
• An insecure design cannot be fixed by an implementation
[SDL phases: Requirements → Design → Implementation → Verification → Release]
A04: How to Implement
• Threat modeling
• Threat Modeling Manifesto
https://www.threatmodelingmanifesto.org/
• Secure Development Lifecycle (SDL)
https://ultimatesecurity.pro/post/sdl-meetup/
A05: Security Misconfiguration
• Missing security hardening
• Unnecessary features are enabled or installed
• Unnecessary ports
• Services
• Accounts
• Default accounts
• Default passwords
A05: How to Prevent
• Apply security hardening
• CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/
• Close unnecessary ports
• Disable unnecessary services
• Remove default accounts
• Change default passwords
A05: What About XXE?
• Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML
document
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
A05: How to Prevent XXE
• Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet 'XXE Prevention'.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
• For additional details see the presentation:
https://ultimatesecurity.pro/post/xxe-meetup/
A06: Vulnerable and Outdated Components
• Software is vulnerable, unsupported, or out of date
• Apache Log4j (Log4Shell) Vulnerabilities
A06: How to Prevent
• Update software periodically
• Use Software Composition Analysis (SCA) tools
• Free or commercial tools
• OWASP Dependency-Check free tool
https://owasp.org/www-project-dependency-check/
A07: Identification and Authentication Failures
• Slid down from the second position
• Previously known as Broken Authentication
• Missing brute force protection
• Missing multi-factor authentication
• Using default, weak, or well-known passwords
• Password1 or "admin/admin"
• Reusing session identifier after successful login
• Exposing session identifier in the URL
A07: How to Prevent
• Implement brute force protection
• Implement multi-factor authentication
• Change default credentials
• Implement password complexity
• Rotate Session IDs after successful login
A08: Software and Data Integrity Failures
• New category
• Software and data handling that does not protect against integrity violations
• SolarWinds 2020 Attack
A08: How to Prevent
• Use digital signatures to verify software
• Ensure you consume trusted repositories
A08: Remember Insecure Deserialization?
• Serialization is the process of translating data structures or object state into a format that can be stored or
transmitted and reconstructed later (deserialization)
• Insecure Deserialization - an attacker changes the object between serialization and deserialization
A08: How to Prevent Insecure Deserialization
• Don't accept serialized objects from untrusted sources
A09: Security Logging and Monitoring Failures
• Insufficient logging
• Logins
• Failed logins
• High-value transactions
• Logs are only stored locally
A09: How to Prevent
• Log important events with sufficient user context
• Username
• Client IP
• Time
A10: Server Side Request Forgery (SSRF)
• New category
• A web application is fetching a remote resource without validating the user-supplied URL
[Diagram: client requests http://host/getImage?url=http://10.0.0.1 → the server fetches http://10.0.0.1 → the response from http://10.0.0.1 is returned to the client]
A10: Example 1
• Application provides the getImage service:
// getImage implementation
String imageUrl = request.getParameter("url");
URL url = new URL(imageUrl);          // no validation: any scheme/host the client names is fetched
InputStream is = url.openStream();
OutputStream os = response.getOutputStream();
// copy is to os and return a response
A10: SSRF CVEs
• CVE-2021-44224
• High Severity Apache HTTP Server CVE
• CVE-2021-26715
• Critical Severity MITREid OpenID Connect Server CVE
A10: How to Prevent
• Sanitize and validate all client-supplied input data
• Validate URL Components
• URL schema, port, and destination
• Do not send raw responses to clients
A10: Example 1
• Validate URL Components:
// getImage implementation
String imageUrl = request.getParameter("url");
URL url = new URL(imageUrl);
// validate URL schema, port, and destination before calling url.openStream()
Takeaways
• Understand OWASP Top Ten
• Implement the recommendations
Thank you!
• Contact me
– www.linkedin.com/in/furmanmichael/
– https://ultimatesecurity.pro/
– @ultimatesecpro
Questions?
API access is broken: this is how you fix it
About Me
Tuba player
Obsessed over football
Listening to classical music and metal (depends on the code he is writing)
Let’s talk numbers
The 3 questions every API developer should ask
Who am I?
Where do I belong?
What can you do?
What’s an API access made of?
What is authentication? (Wikipedia)
“Is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.”
Let me know who you are first!
Trying to access a resource?
Let’s fix some stuff
Broken: API Authentication – WHO ARE YOU?
Broken: session management
Exposes session identifier in the URL.
Reuse session identifier after successful login.
Does not correctly invalidate Session IDs.
Hey, what’s wrong here? Your session is floating on URLs!
Fixing session management
Use a server-side, secure, built-in session manager
Session identifiers should not be in the URL and should be securely stored
Invalidate sessions after logout, idle, and absolute timeouts
Thinking of re-inventing the wheel???
Session management fixed!
Broken: automated attacks
Hey, what is that code doing?
const axios = require('axios').default;
const url = 'https://api.attacked-company.com/login';
const commonPasswords = downloadCommonPasswords();
var idx = 0;
while (true) {
  try {
    const { accessToken } = await axios.post(url, {
      email: 'john@doe.com',
      password: commonPasswords[idx++]
    });
    takeoverAccount(accessToken);
  } catch (e) {
    console.log('could not authenticate with that password. Will try with the next one');
  }
}
Fixing automated attacks
Public APIs (login, signup, reset password, etc.)
- reCAPTCHA (v3)
- DDoS protection with IP-based filtering
Authenticated APIs should be rate limited
- Limit or increasingly delay failed logins
- Log failures and alert
- Be prepared to block sessions
Rate limits based on API type
LOG EVERYTHING !!!
Log everything - What are we looking for?
- IP addresses / Forwarded
- Origin / Referer
- Headers / Cookies
- User agents
Failed logins? This is what you should do
- Implement user lockout mechanisms
- Start delaying failed attempts
- Be careful not to create a denial of service scenario
Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
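The failed-login handling above (increasing delay, lockout, logging and alerting, and the denial-of-service caveat) as one throttle the login handler consults before and after each password check. This is an added example, not the talk's code; the thresholds, the account/IP keys and the alert shape are assumptions made here.

```javascript
// Added example (not from the talk): failed-login throttling with exponential
// backoff, a temporary lockout ceiling, and separate accounting per account and
// per source IP. Thresholds are constructed; the clock is injectable for tests.
class LoginThrottle {
  constructor({ baseDelayMs = 1000, maxDelayMs = 60_000, lockAfter = 10,
                lockMs = 15 * 60_000, windowMs = 60 * 60_000, now = () => Date.now() } = {}) {
    Object.assign(this, { baseDelayMs, maxDelayMs, lockAfter, lockMs, windowMs, now });
    this.byKey = new Map();   // key -> { failures, lastFailureAt, lockedUntil }
    this.alerts = [];         // what an administrator would be paged with
  }

  // Counter for one key; forgotten once the window has passed and no lock is active.
  entry(key) {
    const t = this.now();
    let e = this.byKey.get(key);
    const stale = e && t - e.lastFailureAt > this.windowMs && e.lockedUntil <= t;
    if (!e || stale) {
      e = { failures: 0, lastFailureAt: t, lockedUntil: 0 };
      this.byKey.set(key, e);
    }
    return e;
  }

  // Ask before verifying the password. Returns { allowed, waitMs, reason }.
  check({ account, ip }) {
    const t = this.now();
    for (const [kind, key] of [['account', `acct:${account}`], ['ip', `ip:${ip}`]]) {
      const e = this.entry(key);
      if (e.lockedUntil > t) return { allowed: false, waitMs: e.lockedUntil - t, reason: `${kind} locked` };
      if (e.failures > 0) {
        // Increasing delay: 1s, 2s, 4s ... capped at maxDelayMs.
        const delay = Math.min(this.baseDelayMs * 2 ** (e.failures - 1), this.maxDelayMs);
        const readyAt = e.lastFailureAt + delay;
        if (readyAt > t) return { allowed: false, waitMs: readyAt - t, reason: `${kind} backoff` };
      }
    }
    return { allowed: true, waitMs: 0, reason: 'ok' };
  }

  // Record a failed password for both the account and the source IP.
  // The account lock is deliberately temporary (lockMs) so that someone
  // hammering a victim's username causes a bounded outage, not a permanent one.
  recordFailure({ account, ip }) {
    const t = this.now();
    for (const key of [`acct:${account}`, `ip:${ip}`]) {
      const e = this.entry(key);
      e.failures += 1;
      e.lastFailureAt = t;
      if (e.failures >= this.lockAfter) {
        e.lockedUntil = t + this.lockMs;
        this.alerts.push({ at: t, key, failures: e.failures, event: 'lockout' });
      }
    }
  }

  // Success clears the account counter only; an IP that has been spraying
  // passwords across accounts stays throttled even after one correct guess.
  recordSuccess({ account }) {
    this.byKey.delete(`acct:${account}`);
  }
}
```

Every check() denial and every alert entry is what the "log everything" slides want written out with user, IP, time and user agent; the counters here are in-memory for clarity and would live in a shared store behind a load balancer.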
Verify your users’ identity (JWT vs session tokens)
Building a distributed application? Well...
Bottom line? Building a modern application? Use JWT (hybrid modes work as well)
Don’t leave your users behind... Authentication has evolved. Your APIs should support this as well
Broken: basic authentication
Fixing broken basic authentication
Switch to passwordless
MFA everywhere
SSO whenever possible
Require re-authentication for sensitive features
Broken: API context
Broken API context
Bypassing access control checks by modifying the URL (parameter
tampering or force browsing), internal application state, or the HTML
page, or by using an attack tool modifying API requests.
Permitting viewing or editing someone else's account, by providing its
unique identifier (insecure direct object references)
Fixing broken API context
- Pass context from JWT to microservices via reverse proxy headers
- DON’T forget to remove incoming headers before proxying, to remove the risk of header tampering
- Try to avoid query/route params for REST APIs
- If you are using query/route params for REST APIs: use guards (!)
API context fixed!
Broken: API authorization
Common issues
Elevation of privilege
- Acting as a user without being logged in
- Acting as an admin when logged in as a user
Accessing non-privileged entities
Accessing a private Github repository
Accessing repository of a different team on the same organization
Accessing hidden features
Accessing features out of my subscription plan
Elevation of privilege - Common Techniques
Technique 1: Access Token Manipulation.
Technique 2: Non authenticated access
Technique 3: Access Token Manipulation.
Technique 4: Account Manipulation
The authorization pyramid
Fixing API authorization
- Except for public resources, deny by default.
- Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing (CORS) usage.
- Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record.
- Unique application business limit requirements should be enforced by domain models.
The old way
Put the data on the JWT
Enforce on the server side
Decode and validate on the frontend side
But what happens with entities?
How do you handle hierarchical entities?
How do you handle Feature Flags?
Can’t we put them on the JWT as well?
The Policy As Code way
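One way to put the "policy as code" idea together with the earlier rules (deny by default, record ownership, business limits in the domain model) and with the first talk's guideline to enforce permissions rather than roles across tenants. This is an added example, not code from either talk: tenants, roles, plans, users and records are all constructed here, and the subject shape is what a verified JWT would carry.

```javascript
// Added example (not from either talk): deny-by-default, permission-based
// authorization evaluated as data ("policy as code"), tenant-scoped, with
// record ownership and a plan/feature-flag check. Everything below is constructed.

// Per-tenant role -> permission mapping. Enforcement never tests role names,
// only the permissions they resolve to, so each tenant can define its own roles.
const TENANTS = {
  acme: {
    plan: 'pro',
    roles: {
      admin:       ['doc:read', 'doc:write', 'doc:delete', 'members:manage'],
      contributor: ['doc:read', 'doc:write', 'doc:delete'],
      editor:      ['doc:read', 'doc:write'],
    },
  },
  globex: {
    plan: 'free',
    roles: { member: ['doc:read', 'doc:write', 'doc:delete'] },
  },
};

// Actions a subscription plan unlocks (feature flags kept as data, not code).
const PLAN_FEATURES = {
  free: new Set(['doc:read', 'doc:write']),
  pro:  new Set(['doc:read', 'doc:write', 'doc:delete', 'members:manage']),
};

// Every record carries the tenant it belongs to and its owner.
const DOCS = {
  d1: { tenantId: 'acme',   ownerId: 'alice' },
  d2: { tenantId: 'acme',   ownerId: 'dave' },
  d3: { tenantId: 'globex', ownerId: 'carol' },
};

// Effective permissions of a subject inside one tenant (empty if not a member).
function permissionsFor(subject, tenantId) {
  const tenant = TENANTS[tenantId];
  const membership = subject.memberships.find(m => m.tenantId === tenantId);
  const perms = new Set();
  if (!tenant || !membership) return perms;
  for (const role of membership.roles) {
    for (const p of tenant.roles[role] ?? []) perms.add(p);
  }
  return perms;
}

// The single decision point. Returns { allowed, reason }; anything not
// explicitly allowed is denied, including unknown records and non-members.
function authorize(subject, action, docId) {
  const doc = DOCS[docId];
  if (!doc) return { allowed: false, reason: 'no such record' };
  const perms = permissionsFor(subject, doc.tenantId);   // the record's tenant, not the caller's claim
  if (!perms.has(action)) return { allowed: false, reason: 'missing permission' };
  if (!PLAN_FEATURES[TENANTS[doc.tenantId].plan].has(action)) {
    return { allowed: false, reason: 'feature not in plan' };
  }
  // Business rule owned by the domain model: deleting someone else's record
  // needs members:manage on top of doc:delete.
  if (action === 'doc:delete' && doc.ownerId !== subject.id && !perms.has('members:manage')) {
    return { allowed: false, reason: 'not record owner' };
  }
  return { allowed: true, reason: 'ok' };
}

// Subjects as a verified JWT would describe them: id plus tenant memberships.
const alice = { id: 'alice', memberships: [{ tenantId: 'acme', roles: ['editor'] }] };
const bob   = { id: 'bob',   memberships: [{ tenantId: 'acme', roles: ['admin'] }, { tenantId: 'globex', roles: ['member'] }] };
const carol = { id: 'carol', memberships: [{ tenantId: 'globex', roles: ['member'] }] };
const dave  = { id: 'dave',  memberships: [{ tenantId: 'acme', roles: ['contributor'] }] };
```

Resolving permissions against the record's tenant rather than a tenant id sent by the client is what closes the cross-tenant IDOR case: a valid user of one tenant who guesses another tenant's record id gets "missing permission", the same answer as for any other denial.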
Summarizing
Thank You!
Questions?
To be continued…
Software Supply Chain Security Meetup 21062022
Application Security - Dont leave your AppSec for the last moment Meetup 2104...

Recently uploaded (20)

PPTX
Custom Battery Pack Design Considerations for Performance and Safety
PDF
UiPath Agentic Automation session 1: RPA to Agents
PPTX
2018-HIPAA-Renewal-Training for executives
PDF
sustainability-14-14877-v2.pddhzftheheeeee
PPT
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
PDF
Produktkatalog für HOBO Datenlogger, Wetterstationen, Sensoren, Software und ...
PDF
CloudStack 4.21: First Look Webinar slides
PDF
How IoT Sensor Integration in 2025 is Transforming Industries Worldwide
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
PPTX
Modernising the Digital Integration Hub
PPT
Geologic Time for studying geology for geologist
PPT
What is a Computer? Input Devices /output devices
PDF
Getting started with AI Agents and Multi-Agent Systems
PDF
Enhancing plagiarism detection using data pre-processing and machine learning...
PPTX
Build Your First AI Agent with UiPath.pptx
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
PDF
Zenith AI: Advanced Artificial Intelligence
PDF
A review of recent deep learning applications in wood surface defect identifi...
PPTX
Configure Apache Mutual Authentication
Custom Battery Pack Design Considerations for Performance and Safety
UiPath Agentic Automation session 1: RPA to Agents
2018-HIPAA-Renewal-Training for executives
sustainability-14-14877-v2.pddhzftheheeeee
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
Produktkatalog für HOBO Datenlogger, Wetterstationen, Sensoren, Software und ...
CloudStack 4.21: First Look Webinar slides
How IoT Sensor Integration in 2025 is Transforming Industries Worldwide
A contest of sentiment analysis: k-nearest neighbor versus neural network
Modernising the Digital Integration Hub
Geologic Time for studying geology for geologist
What is a Computer? Input Devices /output devices
Getting started with AI Agents and Multi-Agent Systems
Enhancing plagiarism detection using data pre-processing and machine learning...
Build Your First AI Agent with UiPath.pptx
NewMind AI Weekly Chronicles – August ’25 Week III
Final SEM Unit 1 for mit wpu at pune .pptx
Zenith AI: Advanced Artificial Intelligence
A review of recent deep learning applications in wood surface defect identifi...
Configure Apache Mutual Authentication

User management - the next-gen of authentication meetup 27012022

  • 3. Sagi Rodin ● Developing since I was 15 ● Managed R&D in startups ● Developed a high-scale modern application platform @Check Point ● Founder of Frontegg ● Love smoking beef About Me
  • 5. Operating System Level: End-user → IT → Vendors (Patches)
  • 7. R&D feature requests End-user → IT → Vendors (Features)
  • 9. Security is for Enterprise Customers End-user → Tickets → Engineers
  • 12. What’s Next? Security as a User Interface
  • 13. More than prefer self-served managed apps * According to Frontegg’s self-service survey, 2021
  • 14. How are other modern apps doing it? Security on profile level
  • 15. How are other modern apps doing it? Workspace-level team management
  • 16. How are other modern apps doing it? Security policy
  • 17. How are other modern apps doing it? Domain control
  • 18. How are other modern apps doing it? Custom roles and permissions
  • 19. How are other modern apps doing it? API key management
  • 20. What’s there to control? Personal Security Settings Organizational Security Policy (Passwords, MFA, Account Lockout) Device Management Enterprise SSO Custom Roles and Permissions API Token Management Webhooks Data privacy management
  • 22. Support Multi-tenancy by Design
    - Basic: flat
    - Hierarchy based
    - Granular settings
    - Many-to-many user association
    - Allow hybrid deployments per tenant
  • 24. Build Abstract-Level Roles Enforcement
    - Enforce permissions, not roles
    - Enforce on frontend, backend and data layer
    - Don't assume you know your customers
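The rule above, as an added example that is not part of the talk: a user belongs to several tenants with different roles in each, roles are defined per tenant (so customers can add their own), every check asks for a permission rather than a role name, and the data access layer applies the tenant filter itself instead of trusting each endpoint to do it. The tenants, memberships, invoice rows and function names are all constructed for the example.

```javascript
// Role definitions are per tenant so a customer can define custom roles.
const tenants = {
  acme: {
    roles: {
      admin: ["users.read", "users.write", "billing.read", "billing.write"],
      viewer: ["users.read", "billing.read"],
    },
  },
  globex: {
    roles: {
      admin: ["users.read", "users.write"],
      auditor: ["users.read", "billing.read"],
    },
  },
};

// Many-to-many: one user, several tenants, a different role set in each.
const memberships = [
  { userId: "u1", tenantId: "acme", roles: ["admin"] },
  { userId: "u1", tenantId: "globex", roles: ["auditor"] },
  { userId: "u2", tenantId: "acme", roles: ["viewer"] },
];

// Resolve the effective permission set for (user, tenant). An unknown tenant,
// an unknown role or a missing membership resolves to the empty set: deny by default.
function permissionsFor(userId, tenantId) {
  const tenant = tenants[tenantId];
  const perms = new Set();
  if (!tenant) return perms;
  for (const m of memberships) {
    if (m.userId !== userId || m.tenantId !== tenantId) continue;
    for (const role of m.roles) {
      for (const p of tenant.roles[role] || []) perms.add(p);
    }
  }
  return perms;
}

// Backend check: callers name a permission, never a role. Renaming or
// re-cutting roles in one tenant does not touch any enforcement point.
function authorize(userId, tenantId, permission) {
  return permissionsFor(userId, tenantId).has(permission);
}

// Constructed in-memory table standing in for the data layer.
const invoices = [
  { id: 1, tenantId: "acme", total: 100 },
  { id: 2, tenantId: "globex", total: 250 },
  { id: 3, tenantId: "acme", total: 40 },
];

// Data-layer check: the permission is verified and the tenant filter is applied
// here, so even an authorized caller only ever sees rows of the tenant it acts in.
function listInvoices(userId, tenantId) {
  if (!authorize(userId, tenantId, "billing.read")) {
    throw new Error("forbidden");
  }
  return invoices.filter((row) => row.tenantId === tenantId);
}
```

The same permissionsFor result is what the frontend would receive to hide or show controls; the backend and data layer never rely on that, they recompute it per request.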
  • 25. Create an Admin Portal Product Infrastructure
    - Allow teams to deploy configuration screens
    - Allow customization of the Admin Portal
    - Allow roles enforcement on the Admin Portal
    - For dev team convenience
  • 26. What did we have so far? Evolution in Products, Security and the Connection between the two How this is handled within modern apps What do we want to expose The three Rules of building a self-serve ready app
  • 27. Thank You Questions? I’m Sagi Ping me sagi@frontegg.com
  • 28. © 2021 Pagaya. For internal use only. Confidential. Yaniv Toledano, Global CISO & IT, 2022: Data Protection – IaaS, SaaS and in between
  • 29. Pagaya is a financial technology company that deploys sophisticated data science, machine learning and AI technology to drive better results. Partners utilize Pagaya's centralized AI and data network to evaluate their customers' applications in real time. Pagaya believes this solution measures risk and predicts behavior more accurately than legacy approaches, and Pagaya's performance continuously improves as more information flows through its network. (Diagram: Bank, FinTech, Dealership, Broker, Asset Investors, Customers)
  • 30. Intro: Yaniv Toledano
    - 18+ years of experience in the cyber security world
    - Experienced cyber security manager across global enterprises
    - Provided consultation for a wide range of companies and domains: Comcast (US), T-Mobile (US), Rabobank (NL), Clalit Health Insurance (IL) and others
    - 8200 IDF veteran
    - Holds 3 patents in the risk management and privacy domains
  • 31. World's Biggest Data Breaches & Hacks (Oct 2021) (chart)
  • 32. Data is the new currency… or the new oil, gold, whatever.
  • 33. Starting Point…
    - Do you know what your threats are? Great start!
    - Are you able to identify your assets? Really? And what about your data flows?
    - So, what now? Let's run with technology and protect, secure, control, and put some DLP-alike in place?
    - Who are your partners in the process? Do you have any? (Never walk alone.)
    - Start rolling…
  • 34. How to engage… just a thought.
  • 35. My suggestion… (Data Lifecycle). Strive for data security posture management (in other words, govern!).
    - Step 1, Discovery: learn your ecosystem; continuously assess; map your flows; classify; generate hierarchy; generate accountability.
    - Step 2, Access Control: least-privilege approach; monitor access; periodic access review; don't focus on humans only; watch for stale access.
    - Step 3, Prevent Exfiltration: it's not the same as before (HTTP/S, FTP, DLP, USB); today it is APIs, Lambdas, serverless computing and more.
    - Step 4, Encrypt: tokenize, anonymize and whatever does the job; encryption of the container/storage/bucket is not enough.
    What can be really cool?
  • 36. Discovery Stage: Points of Reference
  • 37. 5 Focus Points (Partial): Topic / What should I do / Why?
    - 01 Discover your data assets/objects and use tech to support you. What: craft a continuous measure to discover your entire stack, allow building data types, and always know where your data is. Why: build a baseline to manage your data, because you won't be happy when the customer/audit/regulator comes.
    - 02 Define data flows and make friends along the way (Data, DevOps, Engineering, Legal). Why: no data flow = no idea of what needs to be protected and which systems store/run it.
    - 03 Define data owners, data stewards and whatever cool taxonomy you can think of. Why: no data owner = no accountability; no stewards = no real understanding of how data is consumed and how to drive access control.
    - 04 A data catalog is a must – build one (Excel is a good start). Document, maintain, be happy.
    - 05 Understand compliance/legal obligations. What: consult with compliance and relevant teams to learn your obligations for protection, access, audit trail, retention and deletion.
  • 38. Data Management – R&R
  • 39. Data Security
  • 40. What Data Security is all about – the threats and considerations
    - Data exfiltration
    - Insider threat
    - Secure posture (bucket encrypted, asset exposed externally…)
    - Retention violation
    - Data manipulation (by mistake, insider threat)
    - Unmanaged/ungoverned access
    - Unauthorized access
    - Shadow IT
    - Over-privileged APIs
    - DevOps is much faster – scale…
    - Stale data – more damage…
  • 41. What Data Security is all about – what should I think about?
    - How do I manage permissions and access to data?
    - Data leakage prevention on all relevant resources
    - Tokenization, encryption and anonymization… whatever it takes
    - Data security posture is key
    - Periodic access control review
    - Secure posture (bucket encrypted, asset exposed externally…)
    - Do I provision access to my cloud assets via my IDE? Do I allow access to my cloud assets directly? Via VDI?
    - Did I map my APIs and do I know what the traffic is? Is it right? No?!?
    - SSPM to ensure proper access control to SaaS apps
    - Audit trail on SaaS apps
    - CASB or other – detect apps…
    - Stale data scanning
    - 3rd-party access to data…
    - Data transfer
  • 42. From a data lifecycle view…
  • 43. Data protection within the environment through the data lifecycle. Data protection controls must be implemented across the data lifecycle to protect sensitive data as it is collected, stored, used, shared, and destroyed. Capabilities: Discover & Classify, Data Security, Monitor & Enforce.
    - Collection: data discovery and cataloging of data sources; inventory of data (a comprehensive list of pertinent data elements, where they are located and what type of data they are); classification of data based on sensitivity and access, with tags identifying access levels; RBAC rules determining who should have access to the data.
    - Storage: protection of data in motion using secure protocols (e.g., SFTP, TLS 1.2+); encryption of data at rest for on-premise and cloud instances; storage integrity and availability between cloud instances/regions/availability zones; encryption key management (e.g., Vault or an external EKM); masking/tokenization in non-production environments.
    - Usage and Sharing: adequacy of network bandwidth; schedule/timeframe for data transfer; protection of transfers using secure protocols (e.g., SFTP, TLS 1.2+); post-transfer data integrity check (validate that there were no errors or data loss during the transfer); security and integrity measures on the cloud platform, such as a key repository and strong encryption; DLP measures.
    - Retention and Archival: determine when source data is redundant or extraneous and can be securely removed; monitor and securely remove files from SFTP transfer zones; verify data integrity (check for corruption, repair, restore from backups if necessary); verify that data is properly retained and that no unauthorized data has been inadvertently saved.
  • 44. Thank you. Q&A
  • 45. Michael Furman Security Architect, Tufin OWASP Top 10 - 2021 What's New
  • 46. What will we cover today? • Who is OWASP? • What is OWASP Top 10? • OWASP Top 10 – Overview and What's New
  • 47. About Me • >14 yr. in application security • >9 yr. with Tufin – Lead Security Architect • www.linkedin.com/in/furmanmichael/ • Blog https://ultimatesecurity.pro/ • Twitter @ultimatesecpro • I like to travel, read books and listen to music
  • 48. About Tufin: market leader in Security Policy Automation. Tufin is used by >2000 enterprises to segment networks and connect applications across on-prem networks, firewalls, cloud and K8s. We are the Security Policy Company!
  • 49. Who is OWASP? • Worldwide not-for-profit organization • Founded in 2001 • OWASP - Open Web Application Security Project • Mission: make software security visible.
  • 50. OWASP Top 10 • Most successful OWASP Project https://owasp.org/Top10/ • Ten most critical web application security flaws • De facto application security standard • Released every 3 - 4 years • First released in 2004 • Current - 2021
  • 51. OWASP Top 10 - 2021 • A01 Broken Access Control • A02 Cryptographic Failures • A03 Injection • A04 Insecure Design • A05 Security Misconfiguration • A06 Vulnerable and Outdated Components • A07 Identification and Authentication Failures • A08 Software and Data Integrity Failures • A09 Security Logging and Monitoring Failures • A10 Server Side Request Forgery (SSRF)
  • 52. OWASP Top 10 - 2017 • A1 Injection • A2 Broken Authentication • A3 Sensitive Data Exposure • A4 XML External Entities • A5 Broken Access Control • A6 Security Misconfiguration • A7 Cross-Site Scripting (XSS) • A8 Insecure Deserialization • A9 Using Components with Known Vulnerabilities • A10 Insufficient Logging & Monitoring
  • 53. What happened to …? • Broken Access Control • Cross-Site Scripting (XSS) • XML External Entities (XXE) • Insecure Deserialization
  • 54. They are still here • A03 Injection • Cross-Site Scripting (XSS) • A05 Security Misconfiguration • XML External Entities • A08 Software and Data Integrity Failures • Insecure Deserialization
  • 55. And even more … • A03 Injection • Cross-Site Scripting (XSS) • A04 Insecure Design • A05 Security Misconfiguration • XML External Entities • A08 Software and Data Integrity Failures • Insecure Deserialization • A10 Server Side Request Forgery (SSRF)
  • 57. What can I do?
  • 58. A01: Broken Access Control • Moved up from fifth position • Elevation of privilege or Privilege Escalation • Acting as an admin when logged in as a user • Acting as a user without being logged in • Viewing or editing someone else's account • IDOR - Insecure Direct Object References • Cross-Origin Resource Sharing (CORS) misconfiguration • Allows API access from unauthorized/untrusted origins
  • 59. A01: Example 1
    Application provides the service:
      https://example.com/app/getappInfo
    Attacker browses to target URLs:
      https://example.com/app/admin_getappInfo
      https://example.com/app/getadminappInfo
  • 60. A01: Example 2
    Unverified parameter used to select the account:
      pstmt.setString(1, request.getParameter("account"));
      ResultSet results = pstmt.executeQuery();
    Attacker modifies the parameter:
      https://example.com/app/accountInfo?account=notmyaccount
  • 61. A01: How to Prevent • Default behavior: deny access to resources – Except for public resources • Implement access control mechanisms – On the server side – All requests • Minimize CORS usage
  • 62. A01: Example 1 (fixed)
    Validate access on each request and deny unauthorized users.
    Explicit check:
      // implementation of getadminappInfo
      if (currentUserHasAdminAccess()) { // hypothetical helper backed by the session, not by a request parameter
        // return admin app info
      } else {
        // authorization error
      }
    Annotation example (Spring Security; the slide's hasPermision('admin') is not a valid expression, hasRole is):
      @PreAuthorize("hasRole('ADMIN')")
      public AppInfo getadminappInfo() {
        // return admin app info
      }
  • 63. A01: Example 2 (fixed)
    Verify ownership / access before running the query:
      String account = request.getParameter("account");
      if (currentUserOwns(account)) { // hypothetical ownership check against the logged-in user
        pstmt.setString(1, account);
        ResultSet results = pstmt.executeQuery();
      } else {
        // authorization error
      }
  • 64. A02: Cryptographic Failures • Previously known as “A3 Sensitive Data Exposure” – a broad symptom rather than a root cause • Sensitive data is transmitted or stored in clear text • Deprecated or weak cryptographic algorithms in use • Default crypto keys in use – proper key management or rotation missing
  • 65. A02: How to Prevent • Encrypt all sensitive data at rest • Encrypt all data in transit • Use TLS 1.2 or above • Use HTTP Strict Transport Security (HSTS) • Use up-to-date and strong standard algorithms and protocols • Use proper key management
  • 66. A03: Injection • Slid down from first position • Was the first one since OWASP Top Ten - 2010 • User input is not validated, filtered, or sanitized by the application • User input is directly used or concatenated • SQL injection • OS Command Injection
  • 67. A03: Example. User input is concatenated directly into the SQL string:
      String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
  • 68. A03: How to Prevent • Do not pass user input directly to executable statements • Prepared Statements • Parameterized Queries • Hibernate
  • 69. A03: Example. Use a PreparedStatement: the query text is fixed and the value is bound as a parameter (the slide's prepareStatement(id) and setInt on a String are corrected here):
      int id = Integer.parseInt(request.getParameter("id")); // rejects non-numeric input early
      String query = "SELECT * FROM accounts WHERE custID = ?";
      PreparedStatement pstmt = connection.prepareStatement(query);
      pstmt.setInt(1, id);
      ResultSet results = pstmt.executeQuery();
  • 70. A03: Don’t Forget About XSS • Attackers can execute scripts in a victim’s browser
  • 71. A03: How to Prevent XSS • Input validation for user input • Whitelist patterns • Encode output
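The three controls on the slide above, as an added example that is not part of the talk: allowlist validation of a field, HTML entity encoding for element content and attribute values, and a separate encoder for data that lands inside a JavaScript string literal, since one encoder does not fit every context. The username pattern, the page template and the function names are this example's assumptions.

```javascript
// Allowlist validation: only accept what the field is supposed to contain.
// A username here is 3-32 characters of letters, digits, dot, underscore, hyphen.
const USERNAME = /^[A-Za-z0-9._-]{3,32}$/;
function validateUsername(value) {
  return typeof value === 'string' && USERNAME.test(value);
}

// HTML encoding for element content and double-quoted attribute values: every
// character that can change the HTML parser's state becomes an entity.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// JavaScript string-literal encoding for data placed inside quotes in a
// <script> block: everything outside a small safe set is hex-escaped, so
// quotes, "</script>" and line terminators cannot end the literal or the block.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9,._ ]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Rendering a profile page: junk is rejected at validation, and whatever is
// rendered is encoded for the exact context it is interpolated into.
function renderProfile(username, bio) {
  if (!validateUsername(username)) throw new Error('invalid username');
  return [
    `<h1>${encodeForHtml(username)}</h1>`,
    `<p data-bio="${encodeForHtml(bio)}">${encodeForHtml(bio)}</p>`,
    `<script>var bio = '${encodeForJsString(bio)}';</script>`,
  ].join('\n');
}
```

Validation alone is not enough for free-text fields like the bio, which legitimately contain quotes and angle brackets; output encoding is what keeps them inert.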
  • 72. A04: Insecure Design • A new category • Pushing "shift-left“ approach • A secure design can still have insecure implementation • An insecure design cannot be fixed by an implementation Implementation Requirements Design Verification Release
  • 73. A04: How to Implement • Threat modeling • Threat Modeling Manifesto https://www.threatmodelingmanifesto.org/ • Secure Development Lifecycle (SDL) https://ultimatesecurity.pro/post/sdl-meetup/
  • 74. A05: Security Misconfiguration • Missing security hardening • Unnecessary features are enabled or installed • Unnecessary ports • Services • Accounts • Default accounts • Default passwords
  • 75. A05: How to Prevent • Apply security hardening • CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/ • Close unnecessary ports • Disable unnecessary services • Remove default accounts • Change default passwords
  • 76. A05: What About XXE? Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document:
      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!DOCTYPE foo [
        <!ELEMENT foo ANY >
        <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
      <foo>&xxe;</foo>
  • 77. A05: How to Prevent XXE • Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet 'XXE Prevention’. https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet • For additional details see the presentation: https://ultimatesecurity.pro/post/xxe-meetup/
  • 78. A06: Vulnerable and Outdated Components • Software is vulnerable, unsupported, or out of date • Apache Log4j (Log4Shell) Vulnerabilities
  • 79. A06: How to Prevent • Update software periodically • Use Software Composition Analysis (SCA) tools • Free or commercial tools • OWASP Dependency-Check free tool https://owasp.org/www-project-dependency-check/
  • 80. A07: Identification and Authentication Failures • Slid down from the second position • Previously known as Broken Authentication • Missing brute force protection • Missing multi-factor authentication • Using default, weak, or well-known passwords • Password1 or "admin/admin" • Reusing session identifier after successful login • Exposing session identifier in the URL
  • 81. A07: How to Prevent • Implement brute force protection • Implement multi-factor authentication • Change default credentials • Implement password complexity • Rotate Session IDs after successful login
  • 82. A08: Software and Data Integrity Failures • New category • Code and infrastructure that do not protect against integrity violations • SolarWinds 2020 attack
  • 83. A08: How to Prevent • Use digital signatures to verify software • Ensure you consume trusted repositories
  • 84. A08: Remember Insecure Deserialization? • Serialization is the process of translating data structures or object state into a format that can be stored or transmitted and reconstructed later (deserialization) • Insecure Deserialization - an attacker changes the object between serialization and deserialization
  • 85. A08: How to Prevent Insecure Deserialization • Don't accept serialized objects from untrusted sources
  • 86. A09: Security Logging and Monitoring Failures • Insufficient logging • Logins • Failed logins • High-value transactions • Logs are only stored locally
  • 87. A09: How to Prevent • Log important events with sufficient user context • Username • Client IP • Time
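An added example (not from the talk) of what the context on the slide above buys you: authentication events are written with user, client IP and time, and two detections are run over them, brute force (many failures against one account in a short window) and credential stuffing (one IP failing against many different accounts). The log format, the thresholds and the log lines themselves are constructed for the example.

```javascript
// Structured auth event line: time, event, user, client IP.
function logAuthEvent({ time, event, user, ip }) {
  return `${time.toISOString()} event=${event} user=${user} ip=${ip}`;
}

function parseLine(line) {
  const m = line.match(/^(\S+) event=(\S+) user=(\S+) ip=(\S+)$/);
  if (!m) return null; // malformed lines are skipped, not trusted
  return { time: new Date(m[1]), event: m[2], user: m[3], ip: m[4] };
}

// Sliding-window detector: group failures by keyFn, and alert on a key when
// the number of distinct valueFn values inside any windowMs span reaches threshold.
function slidingAlert(events, keyFn, valueFn, threshold, windowMs) {
  const byKey = new Map();
  for (const e of events) {
    const k = keyFn(e);
    if (!byKey.has(k)) byKey.set(k, []);
    byKey.get(k).push(e);
  }
  const alerts = [];
  for (const [key, list] of byKey) {
    list.sort((a, b) => a.time - b.time);
    let start = 0;
    for (let end = 0; end < list.length; end++) {
      while (list[end].time - list[start].time > windowMs) start++;
      const distinct = new Set(list.slice(start, end + 1).map(valueFn));
      if (distinct.size >= threshold) { alerts.push(key); break; }
    }
  }
  return alerts;
}

function failedLogins(lines) {
  return lines.map(parseLine).filter((e) => e && e.event === 'login_failed');
}

// Brute force: >= 5 failures against the same user inside 5 minutes.
function detectBruteForce(lines) {
  return slidingAlert(failedLogins(lines), (e) => e.user, (e) => e, 5, 5 * 60 * 1000);
}

// Credential stuffing: >= 5 distinct users failing from the same IP inside 5 minutes.
function detectCredentialStuffing(lines) {
  return slidingAlert(failedLogins(lines), (e) => e.ip, (e) => e.user, 5, 5 * 60 * 1000);
}

// Constructed sample log: one account being brute-forced, one IP spraying
// many accounts, some benign noise and one malformed line.
const LOG_LINES = [
  '2022-01-27T10:00:01Z event=login_ok user=bob ip=192.0.2.1',
  '2022-01-27T10:00:05Z event=login_failed user=alice ip=203.0.113.5',
  '2022-01-27T10:00:09Z event=login_failed user=alice ip=203.0.113.5',
  '2022-01-27T10:00:14Z event=login_failed user=alice ip=203.0.113.5',
  '2022-01-27T10:00:20Z event=login_failed user=alice ip=203.0.113.5',
  '2022-01-27T10:00:27Z event=login_failed user=alice ip=203.0.113.5',
  '2022-01-27T10:00:31Z event=login_failed user=alice ip=203.0.113.5',
  '2022-01-27T10:01:00Z event=login_failed user=bob ip=198.51.100.7',
  '2022-01-27T10:01:02Z event=login_failed user=carol ip=198.51.100.7',
  '2022-01-27T10:01:03Z event=login_failed user=dave ip=198.51.100.7',
  '2022-01-27T10:01:05Z event=login_failed user=erin ip=198.51.100.7',
  '2022-01-27T10:01:06Z event=login_failed user=frank ip=198.51.100.7',
  '2022-01-27T10:02:00Z event=login_failed user=carol ip=192.0.2.9',
  'this line is malformed and is skipped',
];
```

Neither detection is possible if the log line lacks the user or the client IP, which is the point of the slide; shipping the lines to a central store rather than keeping them on the host is what lets the detection run after the host is compromised.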
  • 88. A10: Server Side Request Forgery (SSRF) • New category • A web application fetches a remote resource without validating the user-supplied URL. (Diagram: the client requests http://host/getImage?url=http://10.0.0.1, the server fetches http://10.0.0.1 and relays the response from http://10.0.0.1 back to the client.)
  • 89. A10: Example 1. Application provides the getImage service and fetches whatever URL it is given:
      // getImage implementation
      String imageUrl = request.getParameter("url");
      URL url = new URL(imageUrl);
      InputStream is = url.openStream();
      OutputStream os = response.getOutputStream();
      // copy is to os and return a response
  • 90. A10: SSRF CVEs • CVE-2021-44224 • High Severity Apache HTTP Server CVE • CVE-2021-26715 • Critical Severity MITREid OpenID Connect Server CVE
  • 91. A10: How to Prevent • Sanitize and validate all client-supplied input data • Validate URL Components • URL schema, port, and destination • Do not send raw responses to clients
  • 92. A10: Example 1 (fixed). Validate URL components before fetching (ALLOWED_HOSTS is an assumed allowlist of image hosts):
      // getImage implementation
      String imageUrl = request.getParameter("url");
      URL url = new URL(imageUrl);
      // validate URL schema, port, and destination
      if (!"https".equals(url.getProtocol())
          || (url.getPort() != -1 && url.getPort() != 443)
          || !ALLOWED_HOSTS.contains(url.getHost())) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return;
      }
  • 93. Takeaways • Understand the OWASP Top Ten • Implement the recommendations
  • 94. Thank you! • Contact me – www.linkedin.com/in/furmanmichael/ – https://ultimatesecurity.pro/ – @ultimatesecpro Questions?
  • 95. API access is broken: this is how you fix it
  • 96. About Me Tuba player Obsessed over football Listening to Classical music and metal (depends on code he is writing)
  • 99. The 3 questions every API developer should ask
  • 101. Where do I belong?
  • 102. What can you do?
  • 103. What’s an API access made of?
  • 104. What is authentication (Wikipedia): "Is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit."
  • 105. Let me know who you are first! Trying to access a resource?
  • 108. Broken: session management Exposes session identifier in the URL. Reuse session identifier after successful login. Does not correctly invalidate Session IDs.
  • 109. Hey, What’s wrong here? Your session is floating on URLS!
  • 110. Fixing session management
    - Use a server-side, secure, built-in session manager
    - The session identifier should not be in the URL and should be securely stored
    - Invalidate sessions after logout, idle timeout and absolute timeout
  • 112. Thinking of re-inventing the wheel???
  • 116. Hey, what is that code doing?
    const axios = require('axios').default;
    const url = 'https://api.attacked-company.com/login';
    // Credential brute force: try a list of common passwords against one account.
    async function bruteForce() {
      const commonPasswords = await downloadCommonPasswords(); // attacker's word list, not shown on the slide
      for (const password of commonPasswords) {
        try {
          const { data } = await axios.post(url, { email: 'john@doe.com', password });
          takeoverAccount(data.accessToken); // success: the attacker now holds a valid token
          return;
        } catch (e) {
          console.log('could not authenticate with that password, trying the next one');
        }
      }
    }
    bruteForce();
  • 118. Fixing automated attacks
    Public APIs (login, signup, reset password etc.):
    - reCAPTCHA (v3)
    - DDoS protection with IP-based filtering
    Authenticated APIs should be rate limited:
    - Limit or increasingly delay failed logins
    - Log failures and alert
    - Be prepared to block sessions
  • 119. Fixing automated attacks Rate limits based on API type
  • 120. Fixing automated attacks LOG EVERYTHING !!!
  • 121. Log everything - what are we looking for? IP addresses / forwarded origin / Referer headers / cookies / user agents
  • 122. Fixing automated attacks. Failed logins? This is what you should do:
    - Implement user lockout mechanisms
    - Start delaying failed attempts, but be careful not to create a denial-of-service scenario
    - Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected
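The lockout and delay advice above, as an added example that is not from the talk: failed attempts against an account earn an exponentially growing, capped delay rather than a permanent lock (so an attacker cannot lock a victim out for good), a per-IP window limits how many accounts one source can fail against, and a successful login resets the account counter. Thresholds, window sizes and the class are this example's choices; the clock is injectable so the delays can be tested without sleeping.

```javascript
class LoginThrottle {
  constructor({
    now = () => Date.now(),
    freeAttempts = 3,                 // failures before any delay applies
    baseDelayMs = 1000,               // first delay, doubles on every further failure
    maxDelayMs = 15 * 60 * 1000,      // cap: limits how much an attacker can punish a victim
    ipLimit = 20,                     // failures from one IP inside ipWindowMs
    ipWindowMs = 60 * 1000,
  } = {}) {
    Object.assign(this, { now, freeAttempts, baseDelayMs, maxDelayMs, ipLimit, ipWindowMs });
    this.accounts = new Map(); // account -> { failures, lastFailAt }
    this.ips = new Map();      // ip -> [failure timestamps]
  }

  delayFor(failures) {
    if (failures < this.freeAttempts) return 0;
    return Math.min(this.baseDelayMs * 2 ** (failures - this.freeAttempts), this.maxDelayMs);
  }

  // Failures from this IP inside the window; older entries are pruned.
  ipFailures(ip) {
    const t = this.now();
    const recent = (this.ips.get(ip) || []).filter((ts) => t - ts <= this.ipWindowMs);
    this.ips.set(ip, recent);
    return recent.length;
  }

  // Call before checking the password. { allowed, reason, retryAfterMs }.
  check(account, ip) {
    const t = this.now();
    if (this.ipFailures(ip) >= this.ipLimit) {
      return { allowed: false, reason: 'ip', retryAfterMs: this.ipWindowMs };
    }
    const a = this.accounts.get(account);
    if (a) {
      const readyAt = a.lastFailAt + this.delayFor(a.failures);
      if (t < readyAt) return { allowed: false, reason: 'account', retryAfterMs: readyAt - t };
    }
    return { allowed: true, reason: '', retryAfterMs: 0 };
  }

  // Call after a wrong password; the event should also be logged with the context.
  recordFailure(account, ip) {
    const t = this.now();
    const a = this.accounts.get(account) || { failures: 0, lastFailAt: 0 };
    a.failures += 1;
    a.lastFailAt = t;
    this.accounts.set(account, a);
    this.ips.set(ip, [...(this.ips.get(ip) || []), t]);
  }

  // A successful login clears the account's delay; the IP window is left alone.
  recordSuccess(account) {
    this.accounts.delete(account);
  }
}
```

The cap is the denial-of-service safeguard from the slide: an attacker who keeps failing against someone else's account can only ever impose maxDelayMs, and the per-IP limit stops them long before the cap matters unless they rotate sources, which is where the CAPTCHA on the public endpoint comes in.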
  • 123. Verify your users identity (JWT vs Session tokens)
  • 127. Verify your users identity (JWT vs Session tokens)
  • 128. Bottom line? Building a modern application? Use JWT (hybrid modes work as well)
  • 129. Don’t leave your users behind... Authentication has evolved. Your APIs should support this as well
  • 131. Fixing broken basic authentication
    - Switch to passwordless
    - MFA everywhere
    - SSO whenever possible
    - Require re-authentication for sensitive features
  • 135. Broken API context Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests. Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)
  • 139. Fixing broken API context Pass context from JWT to microservices via Reverse Proxy headers
  • 140. Fixing broken API context DON’T forget to remove incoming headers before proxying to remove the risk of header tampering
  • 141. Fixing broken API context Try to avoid query/route params for REST API If you are using query/route params for REST API: - Use guards (!)
  • 146. Common issues Elevation of privilege - Acting as a user without being logged in - Acting as an admin when logged in as a user
  • 147. Accessing non-privileged entities Accessing a private Github repository Accessing repository of a different team on the same organization Accessing hidden features Accessing features out of my subscription plan
  • 148. Elevation of privilege - Common Techniques Technique 1: Access Token Manipulation. Technique 2: Non authenticated access Technique 3: Access Token Manipulation. Technique 4: Account Manipulation
  • 150. Fixing API authorization
    - Except for public resources, deny by default.
    - Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing (CORS) usage.
    - Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record.
    - Unique application business limit requirements should be enforced by domain models.
  • 152. Put the data on the JWT Enforce on the server side Decode and validate on the frontend side
  • 153. But what happens with entities? How do you handle hierarchical entities? How do you handle Feature Flags?
  • 154. Can’t we put them on the JWT as well?
  • 157. The Policy As Code way
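An added example (not from the talk) of what "policy as code" can look like for the two questions on slides 153 and 154: grants on hierarchical entities (org, team, repo) that apply to everything beneath them, and feature flags that gate an action by plan, both expressed as data plus small predicate functions evaluated by one engine with deny-overrides and default deny. The entity tree, the grants, the flags and the policy names are all constructed for the example.

```javascript
// Entity hierarchy: org -> team -> repo. A grant at a node covers its subtree.
const entities = {
  'org:acme': { parent: null },
  'team:acme/platform': { parent: 'org:acme' },
  'repo:acme/platform/api': { parent: 'team:acme/platform' },
  'team:acme/data': { parent: 'org:acme' },
  'repo:acme/data/warehouse': { parent: 'team:acme/data' },
  'org:globex': { parent: null },
  'repo:globex/site': { parent: 'org:globex' },
};

// Grants: roles have already been resolved to permissions at a node.
const grants = [
  { subject: 'u1', permission: 'repo.read', at: 'org:acme' },           // org-wide reader
  { subject: 'u1', permission: 'audit.export', at: 'org:acme' },
  { subject: 'u2', permission: 'repo.write', at: 'team:acme/platform' }, // writer on one team only
  { subject: 'u2', permission: 'repo.read', at: 'team:acme/platform' },
  { subject: 'u3', permission: 'audit.export', at: 'org:globex' },
];

// Feature flags per org: acme's plan includes the audit log, globex's does not.
const featureFlags = {
  'org:acme': new Set(['sso', 'audit-log']),
  'org:globex': new Set(),
};

// The node itself followed by its ancestors up to the org.
function ancestorsOf(id) {
  const out = [];
  let cur = id;
  while (cur) {
    out.push(cur);
    cur = entities[cur] ? entities[cur].parent : null;
  }
  return out;
}

function orgOf(id) {
  return ancestorsOf(id).find((n) => n.startsWith('org:'));
}

// Policies are data: a name, an effect and a predicate over the request context.
const policies = [
  {
    name: 'inherited-grant',
    effect: 'allow',
    when: (ctx) => ancestorsOf(ctx.resource).some((node) =>
      grants.some((g) => g.subject === ctx.subject && g.permission === ctx.action && g.at === node)),
  },
  {
    name: 'feature-gate',
    effect: 'deny',
    when: (ctx) => Boolean(ctx.feature) && !(featureFlags[orgOf(ctx.resource)] || new Set()).has(ctx.feature),
  },
];

// Deny overrides allow; with no matching allow the answer is deny.
function evaluate(ctx) {
  const matched = policies.filter((p) => p.when(ctx));
  const denies = matched.filter((p) => p.effect === 'deny').map((p) => p.name);
  if (denies.length) return { decision: 'deny', by: denies };
  const allows = matched.filter((p) => p.effect === 'allow').map((p) => p.name);
  if (allows.length) return { decision: 'allow', by: allows };
  return { decision: 'deny', by: ['default-deny'] };
}
```

Because the hierarchy and the flags live in data the engine reads, neither has to be baked into the token: the JWT carries who the subject is and which tenant they act in, and the policy answers the entity and feature questions per request.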
  • 162. Thank You! Questions? To be continued… Join us: https://www.linkedin.com/company/application-security-virtual-meetups