Security

Basic concepts

  • Confidentiality
  • Integrity
  • Availability
  • Non-repudiation
  • Identification & Authentication
  • Authorization (Access Control)

Confidentiality

  • Only authorized parties can access the information

It can be achieved by:

  • Encryption (TLS, VPN, ...)
  • Access Control (Identification, Authentication, Authorization)
  • Anonymization / pseudonymization of personal data (e.g. as required by GDPR)

Integrity

  • The information is not altered, whether by accident or by an attacker

It can be achieved by:

  • Hashing (a plain checksum only detects accidental corruption: an attacker who can change the data can recompute the hash, so use a keyed hash such as HMAC when the channel is untrusted)
  • Digital Signature
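The difference between a plain hash and a keyed hash, as an added example (not from the original slides): a message and its tag travel over an untrusted channel, an attacker changes the amount and recomputes the tag. The message, the key and the "attacker-guess" key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample message exchanged between two services.
MESSAGE = b'{"from": "acct-1", "to": "acct-2", "amount": 100}'
# Constructed shared key; in a real service it comes from a secrets store, never from source code.
KEY = secrets.token_bytes(32)


def sha256_tag(data: bytes) -> str:
    """Plain hash: anyone, including an attacker, can compute it for any data."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def accept_with_plain_hash(data: bytes, tag: str) -> bool:
    """Receiver that trusts a bare checksum."""
    return sha256_tag(data) == tag


def accept_with_hmac(key: bytes, data: bytes, tag: str) -> bool:
    """Receiver that checks a keyed tag; compare_digest does not leak how many
    leading characters matched, so the check cannot be guessed byte by byte."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> tuple:
    """Attacker rewrites the message and the tag; returns (plain hash accepted, HMAC accepted)."""
    tampered = MESSAGE.replace(b'"amount": 100', b'"amount": 100000')
    # Attacker recomputes the plain hash over the tampered message: accepted.
    plain_ok = accept_with_plain_hash(tampered, sha256_tag(tampered))
    # Attacker does not know KEY, so the best they can do is guess: rejected.
    hmac_ok = accept_with_hmac(KEY, tampered, hmac_tag(b"attacker-guess", tampered))
    return plain_ok, hmac_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A digital signature gives the same guarantee without a shared key: the verifier only needs the public key, which is what makes it usable for non-repudiation as well.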

Availability

  • The information is available when needed

It can be achieved by:

  • Redundancy
  • Load balancing
  • Disaster recovery plan
  • Backup
  • ...

Non-repudiation

  • The sender of a message or the author of an action cannot later deny having done it

It can be achieved by:

  • Digital Signature
  • Timestamping
  • ...

Identification & Authentication

  • Identification: Who are you?
  • Authentication: Prove it!

It can be achieved by:

  • Login / Password
  • API Key
  • Bearer token (e.g. a JWT issued after an earlier login)
  • 2FA / MFA (something you know plus something you have)
  • Biometrics
  • ...

Authorization (Access Control)

  • What are you allowed to do?
  • What are you allowed to access?
  • What are you allowed to modify?
  • What are you allowed to delete?
  • ...

It can be achieved by:

  • Role-based access control (RBAC)
  • Attribute-based access control (ABAC)
  • ...

Threats (STRIDE)

Each threat is the negation of one of the basic concepts above:

  • Spoofing (defeats Authentication)
  • Tampering (defeats Integrity)
  • Repudiation (defeats Non-repudiation)
  • Information disclosure (defeats Confidentiality)
  • Denial of service (defeats Availability)
  • Elevation of privilege (defeats Authorization)
  • ...

101

Don't implement security yourself (cryptography, password hashing, session handling, token validation) when there are open-source libraries and services maintained by security experts.
(Unless you REALLY know what you are doing)
When in doubt, read the NIST documentation.

Identity & Access Management (IAM)

At scale, we often use a dedicated service to manage users, roles, permissions, ...

  • Centralized management of users, roles, permissions, ...
  • Single Sign-On (SSO)
  • OAuth2
  • OpenID Connect (OIDC)
  • SAML
  • ...

IAM: OAuth2 & OpenID Connect (OIDC)

OAuth2 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf (RFC 6749). It issues access tokens that say what the client may do; it does not, by itself, tell the client who the user is.
OpenID Connect is an identity layer on top of OAuth2: it adds an ID token (a signed JWT with claims such as iss, sub, aud and exp) and a UserInfo endpoint, so the client can authenticate the end user as well as get an access token.

Session

  • Generate safe session identifiers: random, from a cryptographic RNG, at least 128 bits of entropy, carrying no user data
  • Don't expose session identifiers: never in URLs, logs or error messages; issue a new one after login
  • Protect your cookies with their attributes: Domain, Path, HttpOnly, Secure and SameSite
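The three points above in working code, as an added example that is not from the original slides: a server-side session store keyed by a random identifier, the Set-Cookie value with the protective attributes, and the lookup that treats an unknown or expired id as "not logged in". The cookie name "SID", the 30-minute lifetime and the in-memory dict are constructed for the example; a real service keeps the store in a database or cache.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "SID"
SESSION_TTL = 30 * 60          # seconds; constructed value for the example
_sessions: dict = {}           # server side only: id -> {"user": ..., "expires": ...}


def new_session(user: str, now: Optional[float] = None) -> str:
    """Create a session whose id is 256 random bits from the OS CSPRNG.
    The id itself carries nothing: who the user is stays on the server."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "expires": now + SESSION_TTL}
    return sid


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: not readable by JavaScript (HttpOnly), not sent over plain HTTP
    (Secure), not attached to cross-site POSTs (SameSite=Lax), scoped to the whole site."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = sid
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["samesite"] = "Lax"
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["max-age"] = SESSION_TTL
    return jar.output(header="").strip()


def user_from_cookie_header(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve the session from a request's Cookie header; None means anonymous."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    session = _sessions.get(morsel.value)
    if session is None or now >= session["expires"]:
        _sessions.pop(morsel.value, None)   # expired ids are forgotten, not extended
        return None
    return session["user"]


def logout(sid: str) -> None:
    """Invalidate on the server; clearing the cookie in the browser alone is not a logout."""
    _sessions.pop(sid, None)


if __name__ == "__main__":
    sid = new_session("alice")
    print(set_cookie_header(sid))
    print(user_from_cookie_header(f"{COOKIE_NAME}={sid}"))
```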

Authorization

  • Always check the user's permissions on the backend. (Hiding a button in the frontend stops nobody who can send the request directly)
  • Deny by default. Principle of least privilege.
  • Authorize actions on resources. (Don't just check that the user is authenticated: check that this user may do this action on this resource)

RBAC (Role-Based Access Control)

  • Assign roles to users
  • Assign permissions to roles
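An authorization check that follows the two slides above (backend check, deny by default, action on a resource, roles mapped to permissions), as an added example that is not from the original slides. The roles, permissions, users and documents are constructed; the ownership and visibility rule is an attribute-based check layered on top of the role check, which is what RBAC alone cannot express.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Constructed policy. Permissions are "action:resource_type"; roles are the only way to get them.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "reader": {"read:document"},
    "editor": {"read:document", "update:document"},
    "admin":  {"read:document", "update:document", "delete:document", "manage:user"},
}
# Constructed user -> roles assignment (this is what an IAM such as Keycloak would hand over as claims).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"admin"},
    "bob": {"editor"},
    "carol": {"reader"},
}


@dataclass(frozen=True)
class Document:
    id: int
    owner: str
    visibility: str   # "private" or "shared"


def permissions_for(user: str) -> Set[str]:
    """Union of the permissions of every role the user holds; unknown users get nothing."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: str, action: str, doc: Document) -> bool:
    """Deny by default. First the role must grant the action on the type,
    then the specific resource is checked against the caller."""
    if f"{action}:document" not in permissions_for(user):
        return False
    if "admin" in USER_ROLES.get(user, set()):
        return True
    # Non-admins act on their own documents only, except that shared ones may be read by anyone with read.
    if doc.owner == user:
        return True
    return action == "read" and doc.visibility == "shared"


def handle_delete(user: str, doc: Document) -> int:
    """Backend handler: returns the HTTP status. The decision lives here, not in the UI."""
    if not is_allowed(user, "delete", doc):
        return 403
    # ... actual deletion would go here ...
    return 204


if __name__ == "__main__":
    doc = Document(1, "bob", "private")
    print(handle_delete("bob", doc), handle_delete("alice", doc))   # 403 204
```

Note that bob, who owns the document, still cannot delete it: ownership only matters once the role has granted the action, which is how "least privilege" is kept even for owners.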

An example: Keycloak

  • Open Source Identity and Access Management
  • OAuth2 & OpenID Connect (OIDC)
  • SAML
  • LDAP
  • ...

An example: Keycloak

To deploy Keycloak locally (development mode, admin/admin credentials for local use only), we can use Docker:

docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:22.0.5 start-dev

Follow the Keycloak getting started: https://www.keycloak.org/getting-started/getting-started-docker and create:

  • a realm
  • a client with "Client authentication" switched on (a confidential client, which receives a client secret)
  • a user

Assignment

Secure the API you created in the previous assignment with Keycloak.