Prairie.Code() Sessions tagged security

Secure by Design

As an industry we stand no chance against modern threats with our current development process and mindset. In this session we'll learn how good design drives security and can help mitigate vulnerability to outside threats. This means putting security at the forefront when designing an application: keeping dependencies up to date, performing server-side validation and sanitization of all inputs, and running checks against the repository regularly, if not on every pull request.

Speaker

Matt Busche

Consultant, Nationwide Insurance

Securing Java Microservices with Java JWT

Abstract

Micah will take you on a token-based journey. The talk covers what tokens are, looking at cryptographically signed tokens, using the JJWT library to create JWTs, mitigating CSRF attacks using JWTs, and establishing trust between microservices using JWTs. Some slides and lots of code.

Description

"Microservices are awesome, but they're not free" - Les Hazlewood, CTO Stormpath

This is a popular talk that I gave during my motorcycle road trip up and down the east coast. While I work for Stormpath, there are no Stormpath dependencies in the code. It's an example that uses Spring Boot with Spring Security and the open-source JJWT.

In the first part of the talk, I introduce JWTs and their utility by replacing the default CSRF functionality in Spring Security with a custom one that uses JWT. It demonstrates how, in addition to doing a "dumb" equals match for the submitted token and the one on record, a JWT can be inspected for expiration. This makes it so that you can have a form, protected by CSRF, that must be submitted within a certain period of time.

In the second part of the talk, I have a Spring Boot microservices example. I run two instances of the example and demonstrate how they initially do not trust signed JWT messages between each other. I then discuss how to establish trust between these microservices (by registering the public keys of each with each other) and then show how they now will trust messages. Finally, I talk about and demonstrate a more modern approach to microservices using Kafka messaging as the backbone rather than HTTP.

Here's a blog post I wrote on the subject as well.
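The two mechanisms the description above relies on, a CSRF token that is itself a signed JWT with an expiry, and two services that only trust each other's messages once they have registered each other's public keys, as an added example. This is not code from the talk, from Stormpath, from Spring Security or from JJWT: it implements RS256 signing and verification directly on Go's standard library, and the type and function names (Claims, TrustStore, Sign, Verify, CheckCSRFToken), the issuer names "web-app" and "service-a", and the session and order ids are all made up for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims used in this example.
type Claims struct {
	Iss string `json:"iss"` // who minted the token (service or app name)
	Sub string `json:"sub"` // what it is about: a session id, an order id, ...
	Exp int64  `json:"exp"` // unix seconds after which the token is dead
}

// TrustStore maps an issuer to the public key it may sign with; registering a
// peer's key here is the "establish trust between microservices" step.
type TrustStore map[string]*rsa.PublicKey

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Sign produces a compact RS256 JWS: header.payload.signature.
func Sign(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify accepts a token only if alg is pinned to RS256 (no "none"/HS256 confusion),
// the issuer is in the trust store, the signature checks under that issuer's key,
// and exp is still in the future at now. The unverified iss only selects the key.
func Verify(ts TrustStore, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, fmt.Errorf("unsupported or missing alg")
	}
	var c Claims
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return Claims{}, fmt.Errorf("malformed payload")
	}
	pub, ok := ts[c.Iss]
	if !ok {
		return Claims{}, fmt.Errorf("untrusted issuer %q", c.Iss)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, fmt.Errorf("bad signature")
	}
	if !now.Before(time.Unix(c.Exp, 0)) { // a missing exp (0) counts as expired
		return Claims{}, fmt.Errorf("token expired")
	}
	return c, nil
}

// CheckCSRFToken replaces the plain equality match: the submitted token must
// verify under the app's own key, be unexpired, and name the submitting session.
func CheckCSRFToken(ts TrustStore, token, sessionID string, now time.Time) error {
	c, err := Verify(ts, token, now)
	if err != nil {
		return err
	}
	if c.Iss != "web-app" || c.Sub != sessionID {
		return fmt.Errorf("token not bound to this session")
	}
	return nil
}

func main() {
	now := time.Now()
	webKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	app := TrustStore{"web-app": &webKey.PublicKey}
	tok, _ := Sign(webKey, Claims{Iss: "web-app", Sub: "sess-123", Exp: now.Add(2 * time.Minute).Unix()})
	fmt.Println("fresh CSRF submit:", CheckCSRFToken(app, tok, "sess-123", now))
	fmt.Println("stale CSRF submit:", CheckCSRFToken(app, tok, "sess-123", now.Add(3*time.Minute)))
	svcA, _ := rsa.GenerateKey(rand.Reader, 2048) // a peer service with its own key pair
	msg, _ := Sign(svcA, Claims{Iss: "service-a", Sub: "order-42", Exp: now.Add(time.Minute).Unix()})
	svcB := TrustStore{} // service B has not yet registered A's public key
	_, before := Verify(svcB, msg, now)
	svcB["service-a"] = &svcA.PublicKey
	_, after := Verify(svcB, msg, now)
	fmt.Println("peer message before registration:", before, "| after:", after)
}
```

Two details are worth noticing. The alg header is compared against a single expected value before any key is touched, so a token rewritten to "alg":"none" or to an HMAC algorithm is rejected outright rather than being handed to the wrong verifier. And the issuer claim is read from the still-unverified payload only to choose which registered public key to check the signature with; a message signed by service B but claiming to be from service A fails the signature check under A's key, which is exactly the trust relationship the talk establishes by exchanging public keys.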

Speaker

Micah Silverman

Senior Developer Advocate, Okta

Conceptualizing OAuth, OpenID and Implementation of the Identity Server.

When dealing with web security, the most useful habit a developer can form is to think like an attacker while writing code.

The standard for development is no longer just to deploy and then fix the bugs; every developer should understand these concepts and help his or her team build a better and more secure product.

This presentation will start with well-secured services such as an IdentityServer built on OAuth and OpenID, and show how to call them from our application.

Have You Adapted Your AppSec?

In the ever-evolving, fast-paced development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unplanned stoppages for the manual security assessments that are still required. Development teams are working through a backlog of stories, and those stories are typically focused on features and functionality instead of security. Traditionally, security was viewed as an obstacle to progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycle: tooling, assessments, stories, scrums, iterative reviews, and repository and bug-tracker integrations. Every organization arrives at a unique solution, and each has its positives and negatives. David will talk through the various solutions, drawing on his own experience, to help you build security into the development process.

Speaker

David Lindner

Director, Application Security, Contrast Security