The OWASP Foundation: guarding your applications. Koen Vanderloock

Koen Vanderloock?
- 9 years of experience as a Java developer
- The last 3 years working at Cegeka
- Leader of the Security Competence at Cegeka
- SIMBA founder

User Access Management (UAM)
- Identification
- Authentication
- Authorization
- Manage users & rights
SIMBA: Security Integration Module for Business Applications

Why another UAM tool?
- Large Java project: 5 years of agile development, 2-week releases, 4 applications, 8 big customers
- Secured by Sun Access Manager

Why another UAM tool?
Problems with Sun Access Manager:
- Configuration nightmare
- No clue what's going on
- Management of users/rights: a disaster

Create it ourselves? Or use another UAM vendor?

Why another UAM tool?
Other UAM vendors:
- CA SiteMinder
- OpenSSO (= Access Manager)
- JOSSO

Why another UAM tool?
Create it ourselves:
- Use it for each Java project
- Make it customizable
- See what's going on
- Easy management

What can SIMBA do?
- Authentication
- Single Sign-On
- Role Based Access Control
- Authorization
- Session Management
- User Management

Authentication (architecture diagram): your applications are SIMBA enabled through the SIMBA filter (web pages) and the SIMBA WS handler (web services). They reach the SIMBA Authentication Service over RMI/HTTP or WS/HTTP; its Webservices Entry Point hands requests to the Authentication Chain or the WS Login Chain.

Single Sign-On (diagram): your SIMBA-enabled applications each sit behind the SIMBA filter and share one SIMBA Manager; the SSO token is stored in a cookie.

Role Based Access Control 12

RBAC in SIMBA (model): a Role has 1..* Policies (Permissions); a Policy has 1..* Rules; a Rule is either a URL Rule or a Resource Rule.

Example RBAC: the Visitor role
- URL Rule: Access Zoo
- Resource Rule: View animals, READ
- Resource Rule: Feeding, READ

Example RBAC: the Groundkeeper role
- URL Rule: Access Zoo
- Resource Rule: View animals, READ
- Resource Rule: Feeding, WRITE

Authorization (diagram): inside your SIMBA-enabled application, a security aspect / delegate in front of your service calls the SIMBA Authorization Service over RMI/HTTP, which performs the URL Rule Check and the Resource Rule Check (READ or WRITE access).
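The RBAC model and the zoo example from the previous slides, worked through as an added example (not SIMBA's own code): a Role holds Policies, a Policy holds URL Rules and Resource Rules, and the two checks from the authorization slide are evaluated against the Visitor and Groundkeeper roles. Class, method and path names are assumptions.

```java
import java.util.*;

// Added example, not SIMBA's own code: a minimal evaluator for the RBAC model on the
// slides (Role -> Policy -> URL Rules / Resource Rules with READ or WRITE), fed with the
// zoo example. Class, method and path names are assumptions.
public class RbacExample {
    enum Access { READ, WRITE }
    // A policy groups URL rules (paths the role may enter) and resource rules (highest access granted).
    static final class Policy {
        final Set<String> urlRules = new HashSet<>();
        final Map<String, Access> resourceRules = new HashMap<>();
        Policy url(String path) { urlRules.add(path); return this; }
        Policy resource(String name, Access a) { resourceRules.put(name, a); return this; }
    }
    static final class Role { final List<Policy> policies = new ArrayList<>(); }

    // URL Rule Check: deny by default, allow only if some policy of some role lists the path.
    static boolean urlAllowed(Collection<Role> roles, String path) {
        for (Role r : roles) for (Policy p : r.policies) if (p.urlRules.contains(path)) return true;
        return false;
    }
    // Resource Rule Check: WRITE implies READ, READ never implies WRITE, an unknown resource is denied.
    static boolean resourceAllowed(Collection<Role> roles, String resource, Access wanted) {
        for (Role r : roles) for (Policy p : r.policies) {
            Access granted = p.resourceRules.get(resource);
            if (granted == Access.WRITE || granted == wanted) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Role visitor = new Role();
        visitor.policies.add(new Policy().url("/zoo")
            .resource("animals", Access.READ).resource("feeding", Access.READ));
        Role groundkeeper = new Role();
        groundkeeper.policies.add(new Policy().url("/zoo")
            .resource("animals", Access.READ).resource("feeding", Access.WRITE));
        List<Role> v = List.of(visitor), g = List.of(groundkeeper);
        System.out.println("visitor enters /zoo: " + urlAllowed(v, "/zoo"));
        System.out.println("visitor writes feeding: " + resourceAllowed(v, "feeding", Access.WRITE));
        System.out.println("groundkeeper writes feeding: " + resourceAllowed(g, "feeding", Access.WRITE));
        System.out.println("visitor enters /admin (no URL rule): " + urlAllowed(v, "/admin"));
    }
}
```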

Session management
- Overview of user sessions
- Auto-expire sessions
- Manually terminate sessions

User management
- Overview of users, roles, policies
- Relations between concepts
- Creation of a user & adding the correct rights
- Set a user inactive
- Unblock a user
- Reset a password to the default

SIMBA advantages
- It's easy: chains
- It's lightweight
- Caching
- Audit logging
- User overview
- Centralized / distributed deployment

SIMBA is easy, but …

Layers (diagram): the Simba framework; on top of it a Simba-specific layer for your project, customized for your application; on top of that, your application.

Choose your armor

Command and Chains
- Webservice entrance
- Webpage entrance

Command and Chains: the authentication chain and the session chain
- Authentication chain: Validate Parameters -> User Active -> JAAS Login -> Account Blocked -> Password Expired -> Create Session
- Session chain (run for each incoming request): Enter Application -> Is Credential? -> Check Session -> Check Client IP -> Logout -> URL Rule Check

Command and Chains The first request

Command and Chains The login request

Command and Chains The logged-in request

Command and Chains: the webservice chain
- Webservice chain: Validate Parameters -> User Active -> JAAS Login -> … -> Your security check
- CommandChain: a collection of commands
- Command: mostly an entry point or a security check
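The "Command and Chains" design from the authentication-chain and webservice-chain slides, as an added example that is not SIMBA's own code: a chain is an ordered list of commands, each command either lets the request continue or finishes the chain, and the authentication chain is assembled from the commands the slide names. The interface and class names and the in-memory user store are assumptions.

```java
import java.util.*;

// Added example, not SIMBA's own code: the "Command and Chains" pattern from the slides, with an
// authentication chain built from commands named there. Names and the in-memory user store are assumptions.
public class ChainExample {
    enum State { CONTINUE, FINISH }   // FINISH ends the chain, on success or on failure
    // Request context shared by every command in a chain.
    static final class Context {
        final Map<String, String> params; boolean authenticated; String failure;
        Context(Map<String, String> params) { this.params = params; }
    }
    interface Command { State execute(Context ctx); }
    // A chain is an ordered list of commands; the first one returning FINISH ends processing.
    static final class CommandChain implements Command {
        private final List<Command> commands;
        CommandChain(Command... commands) { this.commands = List.of(commands); }
        public State execute(Context ctx) {
            for (Command c : commands) if (c.execute(ctx) == State.FINISH) return State.FINISH;
            return State.CONTINUE;
        }
    }
    static State fail(Context ctx, String why) { ctx.failure = why; return State.FINISH; }
    // Constructed user store standing in for the JAAS login and account-status lookups.
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "pw");
    static final Set<String> BLOCKED = Set.of("bob");

    static final Command VALIDATE_PARAMETERS = ctx -> ctx.params.containsKey("username")
        && ctx.params.containsKey("password") ? State.CONTINUE : fail(ctx, "missing credentials");
    static final Command JAAS_LOGIN = ctx -> Objects.equals(PASSWORDS.get(ctx.params.get("username")),
        ctx.params.get("password")) ? State.CONTINUE : fail(ctx, "bad credentials");
    static final Command ACCOUNT_BLOCKED = ctx ->
        BLOCKED.contains(ctx.params.get("username")) ? fail(ctx, "account blocked") : State.CONTINUE;
    static final Command CREATE_SESSION = ctx -> { ctx.authenticated = true; return State.FINISH; };

    // Same order as on the slide; User Active and Password Expired are left out for brevity.
    static final CommandChain AUTHENTICATION_CHAIN =
        new CommandChain(VALIDATE_PARAMETERS, JAAS_LOGIN, ACCOUNT_BLOCKED, CREATE_SESSION);

    static String login(String user, String password) {
        Context ctx = new Context(Map.of("username", user, "password", password));
        AUTHENTICATION_CHAIN.execute(ctx);
        return user + ": authenticated=" + ctx.authenticated + (ctx.failure == null ? "" : ", " + ctx.failure);
    }

    public static void main(String[] args) {
        System.out.println(login("alice", "s3cret"));   // correct password
        System.out.println(login("bob", "pw"));         // correct password, but the account is blocked
    }
}
```

Because a command that returns FINISH stops the chain, a check placed before Create Session cannot be skipped by a later step; adding "your security check" is just one more Command in the list.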

It's lightweight
- Your own chains = only what you need
- Deploy it on your application server
- Extra features such as SAML, E-ID, biometrics, … = extra jars

Caching (diagram): Server 1 and Server 2 each run a Simba service and a Simba manager and are connected through a SIMBA Topic. 1. Refresh cache; 2. Publish event; 3. Clean cache.

Audit logging
- Each command: success / error
- Each authorization request
- Integrity check (HMAC-SHA1)
- Archiving job
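An added example of the integrity check the slide mentions (not SIMBA's own code): audit records for command outcomes carry an HMAC-SHA1 tag, and each tag also covers the previous record's tag, so editing, deleting or reordering records after the fact is detectable. The record format, helper names and the demo key are assumptions; it needs Java 17 or later for java.util.HexFormat.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Added example, not SIMBA's own code: an audit log whose records carry an HMAC-SHA1 tag, as the
// slide mentions, so that a record edited after the fact is detected. Each tag also covers the
// previous record's tag, so deleting or reordering records is detected too. Record format,
// helper names and the key are assumptions; the key must live outside the log's own storage.
public class AuditLogExample {
    private static final String ALGORITHM = "HmacSHA1";
    private final SecretKeySpec key;
    private final List<String> records = new ArrayList<>();   // timestamp|command|outcome|tag
    AuditLogExample(byte[] keyBytes) { key = new SecretKeySpec(keyBytes, ALGORITHM); }

    private String tag(String data) throws Exception {
        Mac mac = Mac.getInstance(ALGORITHM);
        mac.init(key);
        return HexFormat.of().formatHex(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }
    private String lastTag() { return records.isEmpty() ? "" : records.get(records.size() - 1).split("\\|")[3]; }

    // Fields may not contain '|'; a real implementation would escape or length-prefix them.
    void append(long timestamp, String command, String outcome) throws Exception {
        String body = timestamp + "|" + command + "|" + outcome;
        records.add(body + "|" + tag(lastTag() + body));
    }

    // Index of the first record whose tag does not verify, or -1 if the whole log is intact.
    int firstTampered() throws Exception {
        String prev = "";
        for (int i = 0; i < records.size(); i++) {
            String[] f = records.get(i).split("\\|");
            byte[] expected = tag(prev + f[0] + "|" + f[1] + "|" + f[2]).getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(expected, f[3].getBytes(StandardCharsets.UTF_8))) return i;
            prev = f[3];
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        AuditLogExample log = new AuditLogExample("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        log.append(1000L, "JaasLogin", "success");
        log.append(1001L, "AccountBlocked", "error");
        System.out.println("intact log, first tampered index: " + log.firstTampered());
        // Someone rewrites the second record to hide the error; the tag no longer verifies.
        log.records.set(1, log.records.get(1).replace("error", "success"));
        System.out.println("after edit, first tampered index: " + log.firstTampered());
    }
}
```

Switching to a stronger hash (for example "HmacSHA256") only changes the ALGORITHM constant; the archiving job from the slide should carry the tags along so archived records stay verifiable.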

Give me an overview !

One big tiger, … (diagram): a single SIMBA Service + Manager serves the applications on Server 1 and Server 2, with one DB.

… or a pack? (diagram): Server 1 and Server 2 each run their own application and their own SIMBA Service + Manager, sharing one DB.

Distributed deployment: advantages
- Multiple instances of your security
- Security doesn't go down
- You can always access the manager
- You don't lose your security session

Future SIMBAs
- SAML support
- E-ID support
- Advanced RBAC (hierarchy, constraints, …)
- SIMBA Filter (request parameters, request headers, X509 certificates)
- Manager: add/remove roles, policies
- Documentation: SIMBA threat model
- A release about every 6 months

Interested?
More information: OWASP SIMBA Project, simbasecurity.org
Mail to

Questions?
Thanks to: