guarding your applications
Koen Vanderloock, [email protected]. Transcript of a PowerPoint presentation on SIMBA.
Page 1
The OWASP Foundation, http://www.owasp.org
guarding your applications
Koen Vanderloock
Page 2: Koen Vanderloock?
• 9 years experience as Java developer
• The last 3 years working on security @ Cegeka
• Leader of the Security Competence Center @ Cegeka
• SIMBA founder
Page 3
Identification, Authentication, Authorization, Management of users & rights
User Access Management (UAM)
SIMBA: Security Integration Module for Business Applications
Page 4: Why another UAM tool?
Large Java project
• 5 years of agile development
• 2 week releases
• 4 applications
• 8 big customers
• Secured by Sun Access Manager
Page 5: Why another UAM tool?
Problems with Sun Access Manager
• Configuration nightmare
• No clue what’s going on
• Management of users/rights: disaster
Page 6
Create it ourselves? Other UAM vendors?
Page 7: Why another UAM tool?
Other UAM vendors
• CA SiteMinder
• OpenSSO (= Access Manager)
• JOSSO
Page 8: Why another UAM tool?
Create it ourselves
• Use it for each Java project
• Make it customizable
• See what’s going on
• Easy management
Page 9: What can SIMBA do?
• Authentication
• Single Sign-On
• Role Based Access Control
• Authorization
• Session Management
• User Management
Page 10: Authentication (diagram)
Diagram labels: your applications (SIMBA enabled) with the SIMBA filter; the SIMBA Authentication Service with its Authentication Chain, called over RMI/HTTP; the Webservices Entry Point with the SIMBA WS Handler and the WS Login Chain, called over WS/HTTP.
Page 11: Single Sign-On (diagram)
Diagram labels: your applications (SIMBA enabled), each behind the SIMBA filter; the SIMBA Manager; the SSO token is stored in a cookie.
Page 12: Role Based Access Control
Page 13: RBAC in SIMBA (class diagram)
Role and Policy (Permission) are linked 1..* to 1..*; a Policy is linked 1..* to 1..* with URL Rules and with Resource Rules.
Page 14: Example RBAC
Role Visitor:
• URL Rule: Access Zoo
• Resource Rule: View animals READ
• Resource Rule: Feeding READ
Page 15: Example RBAC
Role Groundkeeper:
• URL Rule: Access Zoo
• Resource Rule: View animals READ
• Resource Rule: Feeding WRITE
Page 16: Authorization (diagram)
Diagram labels: your application (SIMBA enabled) containing your service and a security aspect / delegate; the SIMBA Authorization Service, called over RMI/HTTP, performing the URL Rule Check and the Resource Rule Check (READ, WRITE access).
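The two authorization checks on this slide applied to the zoo roles from pages 14 and 15, as an added Java example that is not SIMBA's own code; the class names, the users and the rule that WRITE includes READ are assumptions:

```java
import java.util.*;
import java.util.stream.Stream;

// Added example, not SIMBA's own code: the RBAC model from the slides (Role -> Policy ->
// URL Rule / Resource Rule) with the two authorization checks. Class names are assumptions.
public class RbacExample {
    enum Access { READ, WRITE }
    // A Resource Rule grants READ or WRITE on one resource; WRITE is taken to include READ (assumption).
    record ResourceRule(String resource, Access access) {
        boolean permits(String res, Access wanted) {
            return resource.equals(res) && (access == Access.WRITE || wanted == Access.READ);
        }
    }
    record Policy(Set<String> urlRules, List<ResourceRule> resourceRules) {}  // Policy (Permission): 1..* rules
    record Role(String name, List<Policy> policies) {}                         // Role: 1..* policies
    static final class AuthorizationService {
        private final Map<String, List<Role>> userRoles = new HashMap<>();
        void assign(String user, Role role) {
            userRoles.computeIfAbsent(user, k -> new ArrayList<>()).add(role);
        }
        // URL Rule Check: may this user enter the URL at all? A user without roles has no policies: deny.
        boolean urlRuleCheck(String user, String url) {
            return policies(user).anyMatch(p -> p.urlRules().contains(url));
        }
        // Resource Rule Check: may this user READ or WRITE the named resource?
        boolean resourceRuleCheck(String user, String resource, Access access) {
            return policies(user).flatMap(p -> p.resourceRules().stream())
                                 .anyMatch(r -> r.permits(resource, access));
        }
        private Stream<Policy> policies(String user) {
            return userRoles.getOrDefault(user, List.of()).stream().flatMap(r -> r.policies().stream());
        }
    }
    public static void main(String[] args) {
        // The zoo example from the slides: both roles access the zoo and view animals,
        // Visitor has READ on feeding, Groundkeeper has WRITE. Users alice/bob/carol are constructed.
        Role visitor = new Role("Visitor", List.of(new Policy(Set.of("/zoo"), List.of(
                new ResourceRule("animals", Access.READ), new ResourceRule("feeding", Access.READ)))));
        Role groundkeeper = new Role("Groundkeeper", List.of(new Policy(Set.of("/zoo"), List.of(
                new ResourceRule("animals", Access.READ), new ResourceRule("feeding", Access.WRITE)))));
        AuthorizationService authz = new AuthorizationService();
        authz.assign("alice", visitor);
        authz.assign("bob", groundkeeper);
        System.out.println("alice enters /zoo:   " + authz.urlRuleCheck("alice", "/zoo"));
        System.out.println("alice WRITE feeding: " + authz.resourceRuleCheck("alice", "feeding", Access.WRITE));
        System.out.println("bob WRITE feeding:   " + authz.resourceRuleCheck("bob", "feeding", Access.WRITE));
        System.out.println("carol enters /zoo:   " + authz.urlRuleCheck("carol", "/zoo"));
    }
}
```

Both checks deny by default: a user with no role, or a role whose policies do not mention the URL or resource, never matches a rule.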
Page 17: Session management
• Overview of user sessions
• Auto-expire sessions
• Manually terminate sessions
Page 18: User management
• Overview of users, roles, policies
• Relations between concepts
• Creation of a user and adding the correct rights
• Set user inactive
• Unblock user
• Reset password to the default
Page 19: SIMBA advantages
• It’s easy
• Chains
• It’s lightweight
• Caching
• Audit logging
• User overview
• Centralized / distributed deployment
Page 20: SIMBA is easy, but …
Page 21: SIMBA is easy, but …
Layers: Simba framework; Simba-specific-your-project (customized for your application); your application.
Page 22: Choose your armor
Page 23: Command and Chains
Webservice entrance / Webpage entrance
Page 24: Command and Chains
Authentication chain: Validate Parameters, User Active, Jaas Login, Account Blocked, Password Expired, Create Session.
Session chain (entered by the incoming request): Is Credential?, Check Session, Check Client IP, Logout, URL Rule Check, Enter Application.
Page 25: Command and Chains: the first request
Page 26: Command and Chains: the login request
Page 27: Command and Chains: the logged-in request
Page 28: Command and Chains
Webservice chain: Validate Parameters, User Active, Jaas Login, …, Your security check.
Command: a security check.
Chain: a collection of commands; mostly an entry point.
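The Command / Chain structure from this slide, with the authentication and session chains of page 24, as an added Java example that is not SIMBA's own code; the request context, the session store and the fixed password standing in for JAAS login are assumptions:

```java
import java.util.*;
import java.util.function.Predicate;
// Added example, not SIMBA's own code: the Command / Chain structure from the slides. A Command is one
// security check; a Chain runs its commands in order and stops at the first failure. The request
// context, the session store and the constructed password that stands in for JAAS login are assumptions.
public class ChainExample {
    enum State { CONTINUE, FINISH }
    interface Command { State execute(Context ctx); }
    static final class Context {                        // what one incoming request carries
        final Map<String, String> params = new HashMap<>();
        String sessionId, clientIp, url, failedAt;      // failedAt names the command that rejected the request
        boolean active = true, blocked = false, passwordExpired = false;   // account state (constructed)
    }
    static Command check(String name, Predicate<Context> ok) {   // pass -> CONTINUE, fail -> FINISH (rejected)
        return ctx -> { if (ok.test(ctx)) return State.CONTINUE; ctx.failedAt = name; return State.FINISH; };
    }
    record Chain(List<Command> commands) implements Command {    // CONTINUE at the end = enter the application
        public State execute(Context ctx) {
            for (Command c : commands) if (c.execute(ctx) == State.FINISH) return State.FINISH;
            return State.CONTINUE;
        }
    }
    // Authentication chain from the slides (Validate Parameters ... Create Session).
    static Chain authenticationChain(Map<String, String> sessions) {
        return new Chain(List.of(
            check("ValidateParameters", c -> c.params.containsKey("user") && c.params.containsKey("password")),
            check("UserActive", c -> c.active),
            check("JaasLogin", c -> "demo-pass".equals(c.params.get("password"))),
            check("AccountBlocked", c -> !c.blocked),
            check("PasswordExpired", c -> !c.passwordExpired),
            check("CreateSession", c -> { c.sessionId = UUID.randomUUID().toString();
                                          sessions.put(c.sessionId, c.clientIp); return true; })));
    }
    // Session chain for a logged-in request: known session, same client IP as at login, URL rule match.
    static Chain sessionChain(Map<String, String> sessions, Set<String> allowedUrls) {
        return new Chain(List.of(
            check("CheckSession", c -> c.sessionId != null && sessions.containsKey(c.sessionId)),
            check("CheckClientIP", c -> c.clientIp != null && c.clientIp.equals(sessions.get(c.sessionId))),
            check("URLRuleCheck", c -> allowedUrls.contains(c.url))));
    }
    public static void main(String[] args) {
        Map<String, String> sessions = new HashMap<>();  // constructed session store: session id -> client IP
        Context login = new Context();
        login.params.put("user", "alice"); login.params.put("password", "demo-pass"); login.clientIp = "10.0.0.5";
        System.out.println("login: " + authenticationChain(sessions).execute(login) + " failedAt=" + login.failedAt);
        for (String ip : List.of("10.0.0.5", "192.0.2.9")) {   // the session id from its own IP, then from another
            Context req = new Context();
            req.sessionId = login.sessionId; req.clientIp = ip; req.url = "/zoo";
            System.out.println(ip + ": " + sessionChain(sessions, Set.of("/zoo")).execute(req) + " failedAt=" + req.failedAt);
        }
    }
}
```

Because every command records its own name on failure, the same chain output doubles as the per-command success / error trail the audit logging slide describes.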
Page 29: It’s lightweight
• Your own chains = only what you need
• Deploy it on your application server
• Extra features such as SAML, E-ID, biometrics, … = extra jars
Page 30: Caching (diagram)
Server 1 and Server 2 each run a Simba service and a Simba manager, connected through the SIMBA Topic. Steps: 1. Refresh cache; 2. Publish event; 3. Clean cache (shown on both servers).
Page 31: Audit logging
• Each Command: success / error
• Each authorization request
• Integrity check (HMAC-SHA1)
• Archiving job
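The HMAC-SHA1 integrity check on audit records, as an added Java example that is not SIMBA's own code; the key, the record layout and the "|hmac=" separator are assumptions:

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;

// Added example, not SIMBA's own code: an audit record carrying an HMAC-SHA1 integrity tag, as the
// slide lists. The key, the record layout and the "|hmac=" separator are assumptions for illustration.
public class AuditIntegrityExample {
    private static final String ALG = "HmacSHA1";
    private final SecretKeySpec key;

    AuditIntegrityExample(byte[] keyBytes) { key = new SecretKeySpec(keyBytes, ALG); }

    private byte[] tag(String record) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(key);
        return mac.doFinal(record.getBytes(StandardCharsets.UTF_8));
    }
    // Writing: append the tag so each line can be checked on its own later (e.g. by the archiving job).
    String sign(String record) throws Exception {
        return record + "|hmac=" + HexFormat.of().formatHex(tag(record));
    }
    // Reading: recompute the tag over the record part and compare in constant time.
    boolean verify(String line) throws Exception {
        int idx = line.lastIndexOf("|hmac=");
        if (idx < 0) return false;                       // untagged line: treat as not trusted
        byte[] expected;
        try { expected = HexFormat.of().parseHex(line.substring(idx + 6)); }
        catch (IllegalArgumentException e) { return false; }
        return MessageDigest.isEqual(expected, tag(line.substring(0, idx)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed key and records; a real deployment keeps the key apart from the audit store.
        AuditIntegrityExample audit = new AuditIntegrityExample("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String cmd = audit.sign("ts=2024-01-15T10:15:00Z|command=JaasLogin|user=alice|result=success");
        String authz = audit.sign("ts=2024-01-15T10:15:02Z|authz=ResourceRule|user=alice|resource=feeding|access=WRITE|result=denied");
        System.out.println("intact:   " + audit.verify(cmd) + " " + audit.verify(authz));
        String edited = authz.replace("result=denied", "result=granted");   // a record changed after the fact
        System.out.println("edited:   " + audit.verify(edited));
        System.out.println("no tag:   " + audit.verify(authz.substring(0, authz.indexOf("|hmac="))));
    }
}
```

HMAC-SHA1 is not weakened by the known SHA-1 collision attacks, but "HmacSHA256" is a drop-in replacement for ALG where policy requires it.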
Page 32: Give me an overview!
Page 33: Give me an overview!
Page 34: One big tiger, … (diagram)
Diagram labels: Server 1 and Server 2 each running an Application; one SIMBA Service with Manager; Application DB.
Page 35: or a pack? (diagram)
Diagram labels: Server 1 and Server 2 each running an Application and their own SIMBA Service with Manager; Application DB.
Page 36: Distributed deployment
Advantages
• Multiple instances of your security
• Security doesn’t go down
• You can always access the manager
• You don’t lose your security session
Page 37: Future SIMBAs
• SAML support
• E-ID support
• Advanced RBAC (hierarchy, constraints, …)
• SIMBA Filter (request parameters, request headers, X509 certificates)
• Manager: add/remove roles, policies
• Documentation: SIMBA threat model
• Release about every 6 months
Page 38: Interested?
More information:
• OWASP SIMBA Project
• simbasecurity.org
• Mail to [email protected]
Page 39: Questions?
Thanks to: