Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Insecure Prabath Siriwardena, WSO2 Twitter

Published byMarvin Stevenson Modified over 9 years ago

Similar presentations

Presentation on theme: "Securing Insecure Prabath Siriwardena, WSO2 Twitter"— Presentation transcript:

1 Securing Insecure Prabath Siriwardena, WSO2 Twitter : @prabath

2 About the presenter (@prabath) 7+ years at WSO2 Member of OASIS Identity Metasystem Interoperability (IMI) TC,OASIS eXtensible Access Control Markup Language (XACML) TC, OASIS Security Services (SAML) TC, OASIS Identity in the Cloud TC and OASIS Cloud Authorization (CloudAuthZ) TC Blog: http://blog.facilelogin.comhttp://blog.facilelogin.com Books:

3 Perception

4

5

6 Correctness

7 C-I- A ConfidentialityIntegrityAvailability Correctness

8 The Weakest Link

9 Insider Attacks

10 Defense In Depth

11 Threat Modeling

12 Pattern 01 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via a single web application while they are behind the company firewall. All the user data are stored in an Active Directory and the web application is connected to it to authenticate users. The web application passes logged in user’s identifier to the backend APIs and retrieves data related to the user.

13

14

15 Pattern 02 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via a single web application while they are behind the company firewall. All the user data are stored in an Active Directory and the web application is connected to it to authenticate users. The web application needs to access the backend APIs on behalf of the logged in user.

16

17

18 Pattern 03 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall. All the user data are stored in an Active Directory and all the web applications are connected to a SAML 2.0 Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged in user.

19

20 Pattern 04 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall. All the user data are stored in an Active Directory and all the web applications are connected to a SAML 2.0 Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged in user. All the users are in a Windows domain and once they are logged into their workstations – they should not be asked to provide credentials at any point for any other application.

21

22 Pattern 05 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees as well as employees from trusted partners via multiple web applications. All the internal user data are stored in an Active Directory and all the web applications are connected to a SAML 2.0 Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged in user.

23

24 Pattern 06 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall. All the user data are stored in an Active Directory and all the web applications are connected to an OpenID Connect Identity Provider to authenticate users. The web applications need to access backend APIs on behalf of the logged in user.

25

26 Pattern 07 Problem Statement A medium-scale enterprise in the finance industry needs to expose an API to its customers through a mobile application. One major requirement is that all the API calls should support non-repudiation.

27

28 Pattern 08 Problem Statement A medium-scale enterprise that sells bottled water has a RESTful API (Water API), which can be used to update the amount of water consumed by a registered user. These APIs should be accessed by any registered user via any client application - could be an android app, an iOS app or even a web application. The company only provides APIs and anyone can develop client applications to consume those. All the user data are stored in an Active Directory. Client applications should not be able to access the API directly and query about users. Only registered users can access the API – and they also should not be able to see other users information. At the same time for each update by the user – the Water API must also update user’s health care record maintained at the MyHealth.org. The user also has a user record at MyHealth.org and it too exposes an API (MyHealth API). The Water API has to call MyHealth API to update user record, on be half of the user.

29

30 Pattern 09 Problem Statement A large-scale enterprise has a set of RESTful APIs. The APIs are hosted in different departments and each department runs its own OAuth authorization server due to vendor incompatibilities in different deployments. These APIs should only be accessed by company employees via multiple web applications while they are behind the company firewall – irrespective of the department they belong to. All the user data are stored in a centralized Active Directory and all the web applications are connected to a centralized OAuth Authorization Server (also supports OpenID Connect) to authenticate users. The web applications need to access backend APIs on behalf of the logged in user. These APIs may come from different departments – having their own authorization servers. The company also has a centralized OAuth authorization server and an employee having an access token from the centralized authorization server must be able to access any API hosted in any department.

31

32 Pattern 10 Problem Statement A global organization has APIs and API clients distributed across different regions. Each region operates independent from each other. Currently both the clients and the APIs are non-secured. Need to secure the APIs without doing any changes either at the API end or at the client end.

33

34 Pattern 11 Problem Statement A company wants to expose an API to its own employees. But the user credentials must not ever go over the wire.

35 Pattern 12 Problem Statement A medium-scale enterprise has a limited number of RESTful APIs. These APIs should only be accessed by company employees via a single web application while they are behind the company firewall. All the user data are stored in an Active Directory and the web application is connected to it to authenticate users. The web application needs to access the backend APIs on behalf of the logged in user. The backend API must authorize the user.

36

37 Contact us !

Download ppt "Securing Insecure Prabath Siriwardena, WSO2 Twitter"

Similar presentations

Attie Naude 14 May 2013 Windows Azure Mobile Services.

Attie Naude 14 May 2013 Windows Azure Mobile Services.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,

Enterprise -> Cloud Outline –Enterprises have many apps outside their control public cloud; business partner applications –Using standards-based SSO (SAML,
Virtualization and Cloud Computing

Virtualization and Cloud Computing
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Patterns & practices Symposium 2013 Windows Azure Active Directory Vittorio

Patterns & practices Symposium 2013 Windows Azure Active Directory Vittorio
1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.
1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
Confidential FullArmor Corp. 2015 Platform for SaaS and mobile apps to remotely access, migrate, and sync Active Directory resources with the cloud ADanywhere.

Confidential FullArmor Corp Platform for SaaS and mobile apps to remotely access, migrate, and sync Active Directory resources with the cloud ADanywhere.
Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.

Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Single-Sign On and Federated Identity.

Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Single-Sign On and Federated Identity.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.

Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.
Fraser Technical Solutions, LLC

Fraser Technical Solutions, LLC
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.

Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.
Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway.

Practical Steps to Secure your APIs for Mobile Mark O’Neill VP Innovation, Axway.

Similar presentations

Ads by Google