The OWASP Foundation guarding your applications Koen Vanderloock


1 The OWASP Foundation, http://www.owasp.org. Guarding your applications. Koen Vanderloock, koen.vanderloock@owasp.org

2 Koen Vanderloock?
- 9 years of experience as a Java developer
- The last 3 years working on security at Cegeka
- Leader of the Security Competence Center at Cegeka
- SIMBA founder

3 SIMBA: Security Integration Module for Business Applications
User Access Management (UAM):
- Identification
- Authentication
- Authorization
- Management of users and rights

4 Why another UAM tool?
A large Java project:
- 5 years of agile development
- 2-week releases
- 4 applications
- 8 big customers
- Secured by Sun Access Manager

5 Why another UAM tool?
Problems with Sun Access Manager:
- Configuration nightmare
- No clue what's going on
- Management of users and rights is a disaster

6 Create it ourselves? Or other UAM vendors?

7 Why another UAM tool?
Other UAM vendors:
- CA SiteMinder
- OpenSSO (= Access Manager)
- JOSSO

8 Why another UAM tool?
Create it ourselves:
- Use it for each Java project
- Make it customizable
- See what's going on
- Easy management

9 What can SIMBA do?
- Authentication
- Single Sign-On
- Role Based Access Control
- Authorization
- Session Management
- User Management

10 Authentication (architecture diagram). Components: your applications (SIMBA enabled), with the SIMBA filter for web pages and the SIMBA WS handler for web services; the SIMBA Authentication Service, reached over RMI/HTTP or WS/HTTP, with a Webservices Entry Point, an Authentication Chain and a WS Login Chain.

11 Single Sign-On (diagram). Components: your applications (SIMBA enabled) with the SIMBA filter, the SIMBA Manager, …; the SSO token is stored in a cookie.

12 Role Based Access Control

13 RBAC in SIMBA (model). A Role has 1..* Policies (Permissions); a Policy has 1..* Rules, each either a URL Rule or a Resource Rule.

14 Example RBAC: role Visitor
- URL Rule: Access Zoo
- Resource Rule: View animals, READ
- Resource Rule: Feeding, READ

15 Example RBAC: role Groundkeeper
- URL Rule: Access Zoo
- Resource Rule: View animals, READ
- Resource Rule: Feeding, WRITE

16 Authorization (diagram). Your application (SIMBA enabled) wraps your service in a security aspect or delegate, which calls the SIMBA Authorization Service over RMI/HTTP; the service performs the URL Rule Check and the Resource Rule Check (READ or WRITE access).
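The RBAC model of slides 13 to 15 and the two checks of slide 16, as an added worked example in Python. This is illustrative code written for this page, not SIMBA's own (Java) implementation; the class names, the "/zoo" path prefix for "Access Zoo", the user-to-role mapping and the assumption that WRITE access implies READ are all constructed here.

```python
"""RBAC in the shape of the deck's slides: a Role holds 1..* Policies, each
Policy holds 1..* Rules (URL Rule or Resource Rule), and authorization is a
URL Rule Check followed by a Resource Rule Check. Illustrative Python, not
SIMBA's own code; names, paths and user assignments are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    READ = 1
    WRITE = 2


@dataclass(frozen=True)
class UrlRule:
    name: str
    path_prefix: str          # e.g. "/zoo" for "Access Zoo" (assumption)


@dataclass(frozen=True)
class ResourceRule:
    name: str
    resource: str
    access: Access            # maximum access level granted on the resource


@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)     # UrlRule | ResourceRule, 1..*


@dataclass
class Role:
    name: str
    policies: list = field(default_factory=list)  # 1..*


class AuthorizationService:
    """The SIMBA Authorization Service box of slide 16, reduced to its two checks."""

    def __init__(self, roles_by_user):
        self.roles_by_user = roles_by_user        # user -> [Role]

    def _rules(self, user):
        for role in self.roles_by_user.get(user, []):
            for policy in role.policies:
                yield from policy.rules

    def url_rule_check(self, user, path):
        # Deny by default: the path must be covered by at least one URL rule.
        return any(isinstance(r, UrlRule) and path.startswith(r.path_prefix)
                   for r in self._rules(user))

    def resource_rule_check(self, user, resource, wanted):
        # Assumption: WRITE implies READ; READ never implies WRITE.
        return any(isinstance(r, ResourceRule) and r.resource == resource
                   and r.access.value >= wanted.value
                   for r in self._rules(user))

    def authorize(self, user, path, resource, wanted):
        # Same order as the slide: URL rule first, then resource rule.
        return (self.url_rule_check(user, path)
                and self.resource_rule_check(user, resource, wanted))


# Constructed zoo example from slides 14 and 15.
access_zoo = UrlRule("Access Zoo", "/zoo")
view_animals = ResourceRule("View animals", "animals", Access.READ)
feeding_read = ResourceRule("Feeding", "feeding", Access.READ)
feeding_write = ResourceRule("Feeding", "feeding", Access.WRITE)

visitor = Role("Visitor", [Policy("visitor-policy", [access_zoo, view_animals, feeding_read])])
groundkeeper = Role("Groundkeeper", [Policy("keeper-policy", [access_zoo, view_animals, feeding_write])])

# Constructed users: alice is a Visitor, bob a Groundkeeper.
AUTHZ = AuthorizationService({"alice": [visitor], "bob": [groundkeeper]})

if __name__ == "__main__":
    print(AUTHZ.authorize("alice", "/zoo/feeding", "feeding", Access.WRITE))  # False
    print(AUTHZ.authorize("bob", "/zoo/feeding", "feeding", Access.WRITE))    # True
```

Both checks are deny-by-default: a user with no role, or a path outside every URL rule, gets no access even if a matching resource rule exists. That is the property to keep when a real deployment swaps the in-memory maps for the SIMBA Manager's database.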

17 Session management
- Overview of user sessions
- Auto-expire sessions
- Manually terminate sessions

18 User management
- Overview of users, roles, policies
- Relations between the concepts
- Creation of a user and adding the correct rights
- Set a user inactive
- Unblock a user
- Reset a password to the default

19 SIMBA advantages
- It's easy: chains
- It's lightweight
- Caching
- Audit logging
- User overview
- Centralized / distributed deployment

20 SIMBA is easy, but …

21 (diagram) Layers: the SIMBA framework; a SIMBA-specific layer for your project, customized for your application; your application.

22 Choose your armor

23 Command and Chains: a webservice entrance and a webpage entrance

24 Command and Chains: the authentication chain and the session chain
Authentication chain (login request): Validate Parameters → User Active → JAAS Login → Account Blocked → Password Expired → Create Session
Session chain (incoming request): Enter Application → Is Credential? → Check Session → Check Client IP → Logout → URL Rule Check

25 Command and Chains: the first request (diagram)

26 Command and Chains: the login request (diagram)

27 Command and Chains: the logged-in request (diagram)

28 Command and Chains: the webservice chain
Validate Parameters → User Active → JAAS Login → … → Your security check
A CommandChain is a collection of Commands; a Command is mostly an entry point or a security check.
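The chains of slides 24 to 28 (and the auto-expire and manual termination of slide 17), as an added worked example in Python. This is illustrative code written for this page, not SIMBA's own Java code: the user store, the `jaas_login` command that stands in for the JAAS step, the in-memory session store, the 15-minute session TTL, the 90-day password age and the per-user URL rules are all constructed assumptions. Each command returns CONTINUE, FAIL (abort the chain) or STOP (request fully handled, as for logout).

```python
"""Commands and Chains: a chain is an ordered list of commands and the first
command that fails stops the chain. Illustrative Python, not SIMBA's own code;
user store, session store, TTLs and URL rules are constructed here."""
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field

CONTINUE, STOP, FAIL = "continue", "stop", "fail"


def _h(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed user store (a real deployment delegates to JAAS / a user DB).
USERS = {
    "alice": {"pw": _h("correct horse"), "active": True, "blocked": False, "pw_age_days": 10},
    "bob":   {"pw": _h("hunter2"),       "active": True, "blocked": True,  "pw_age_days": 10},
    "carol": {"pw": _h("pass"),          "active": True, "blocked": False, "pw_age_days": 120},
}
SESSIONS = {}                 # token -> {"user", "ip", "expires"}
SESSION_TTL = 15 * 60         # auto-expire after 15 minutes (assumption)
PASSWORD_MAX_AGE_DAYS = 90    # assumption
URL_RULES = {"alice": ["/zoo"], "carol": ["/zoo"]}   # toy URL rules per user


@dataclass
class Context:
    params: dict
    client_ip: str
    now: float = 0.0
    user: str = None
    token: str = None
    audit: list = field(default_factory=list)   # (command name, success/error)


def _check(condition):
    return CONTINUE if condition else FAIL


def run_chain(chain, ctx):
    """Run the commands in order; FAIL aborts, STOP ends the chain as handled."""
    for cmd in chain:
        result = cmd(ctx)
        ctx.audit.append((cmd.__name__, "error" if result == FAIL else "success"))
        if result != CONTINUE:
            return result != FAIL
    return True


# --- Authentication chain: the login request ---
def validate_parameters(ctx):
    return _check(ctx.params.get("username") and ctx.params.get("password"))
def user_active(ctx):
    u = USERS.get(ctx.params["username"])
    return _check(u is not None and u["active"])
def jaas_login(ctx):
    # Stands in for the JAAS LoginModule; constant-time compare of the hashes.
    u = USERS[ctx.params["username"]]
    if hmac.compare_digest(u["pw"], _h(ctx.params["password"])):
        ctx.user = ctx.params["username"]
        return CONTINUE
    return FAIL
def account_blocked(ctx):
    return _check(not USERS[ctx.user]["blocked"])
def password_expired(ctx):
    return _check(USERS[ctx.user]["pw_age_days"] < PASSWORD_MAX_AGE_DAYS)
def create_session(ctx):
    ctx.token = secrets.token_urlsafe(32)
    SESSIONS[ctx.token] = {"user": ctx.user, "ip": ctx.client_ip, "expires": ctx.now + SESSION_TTL}
    return CONTINUE

AUTH_CHAIN = [validate_parameters, user_active, jaas_login, account_blocked, password_expired, create_session]


# --- Session chain: every logged-in request ---
def terminate_session(token):
    """Manual termination from the manager, or via the logout command."""
    return SESSIONS.pop(token, None) is not None
def is_credential(ctx):
    return _check(ctx.token is not None)
def check_session(ctx):
    s = SESSIONS.get(ctx.token)
    if s is None or s["expires"] <= ctx.now:
        SESSIONS.pop(ctx.token, None)       # auto-expire: drop the stale session
        return FAIL
    ctx.user = s["user"]
    return CONTINUE
def check_client_ip(ctx):
    return _check(SESSIONS[ctx.token]["ip"] == ctx.client_ip)
def logout(ctx):
    if ctx.params.get("url") == "/logout":
        terminate_session(ctx.token)
        return STOP                         # handled; nothing further to check
    return CONTINUE
def url_rule_check(ctx):
    return _check(any(ctx.params["url"].startswith(p) for p in URL_RULES.get(ctx.user, [])))

SESSION_CHAIN = [is_credential, check_session, check_client_ip, logout, url_rule_check]


def login_request(username, password, ip, now=None):
    ctx = Context({"username": username, "password": password}, ip, now=now or time.time())
    ok = run_chain(AUTH_CHAIN, ctx)
    return (ctx.token if ok else None), ctx.audit


def logged_in_request(token, url, ip, now=None):
    ctx = Context({"url": url}, ip, now=now or time.time(), token=token)
    return run_chain(SESSION_CHAIN, ctx), ctx.audit
```

The per-command audit list is returned here only so the result can be inspected; a real entry point should answer the client with one generic "login failed" and write the per-command outcome to the audit log instead, because telling the caller which command failed (User Active, Account Blocked, Password Expired) reveals which usernames exist and in what state they are. If the session token is carried in an SSO cookie as on slide 11, it should be issued with the Secure and HttpOnly attributes.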

29 It's lightweight
- Your own chains = only what you need
- Deploy it on your application server
- Extra features such as SAML, E-ID, biometrics, … = extra jars

30 Caching (diagram). Server 1 and Server 2 each run a SIMBA service and a SIMBA manager, connected through a SIMBA topic: 1. refresh cache; 2. publish event; 3. clean cache.
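The three-step cache invalidation of slide 30, as an added simulation in Python; this is illustrative code written for this page, not SIMBA's own, and the `Topic` class stands in for the SIMBA topic (a JMS topic in a Java deployment). The shared in-memory DB and the rights are constructed. The `invalidate=False` variant shows the failure mode the event exists to prevent: a right revoked on one server is still honoured from the other server's stale cache.

```python
"""Cache invalidation across SIMBA instances: a manager change refreshes the
local cache, publishes an event on a shared topic, and every other instance
cleans its cache. Illustrative Python simulation, not SIMBA's own code."""


class Topic:
    """Stands in for the SIMBA topic (a JMS topic in a Java deployment)."""

    def __init__(self):
        self.subscribers = []

    def subscribe(self, callback):
        self.subscribers.append(callback)

    def publish(self, event):
        for cb in self.subscribers:
            cb(event)


class SimbaInstance:
    """One server: a service (authorization reads) plus a manager (rights edits)."""

    def __init__(self, name, db, topic):
        self.name, self.db, self.topic = name, db, topic
        self.cache = {}            # user -> set of roles, filled lazily
        self.cache_hits = 0        # reads served without touching the DB
        topic.subscribe(self.on_event)

    # --- service side ---
    def roles_of(self, user):
        if user in self.cache:
            self.cache_hits += 1
            return self.cache[user]
        roles = set(self.db.get(user, ()))          # DB read on a miss
        self.cache[user] = roles
        return roles

    def has_role(self, user, role):
        return role in self.roles_of(user)

    # --- manager side ---
    def set_roles(self, user, roles):
        self.db[user] = set(roles)                  # persist the change
        self.cache[user] = set(roles)               # 1. refresh own cache
        self.topic.publish({"type": "rights-changed", "user": user, "origin": self.name})  # 2. publish event

    def on_event(self, event):
        if event["type"] == "rights-changed" and event["origin"] != self.name:
            self.cache.pop(event["user"], None)     # 3. clean cache on every other instance


def demo(invalidate=True):
    """Return (has_role on server 2 before the change, has_role after the change)."""
    db = {"alice": {"Groundkeeper"}}                # constructed shared DB
    topic = Topic()
    if not invalidate:
        topic.publish = lambda event: None          # simulate a lost or missing event
    s1 = SimbaInstance("server-1", db, topic)
    s2 = SimbaInstance("server-2", db, topic)
    before = s2.has_role("alice", "Groundkeeper")   # server 2 now caches alice's roles
    s1.set_roles("alice", {"Visitor"})              # manager on server 1 demotes alice
    after = s2.has_role("alice", "Groundkeeper")    # re-read from DB only if the cache was cleaned
    return before, after


if __name__ == "__main__":
    print(demo())                  # (True, False): revocation takes effect everywhere
    print(demo(invalidate=False))  # (True, True): stale cache keeps granting the old role
```

The cache hit counter makes the trade-off measurable: after an event, the next read on the other instances costs one DB round trip, which is the price of a revocation taking effect immediately instead of after a TTL.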

31 Audit logging
- Each command: success / error
- Each authorization request
- Integrity check (HMAC-SHA1)
- Archiving job
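An audit log with the HMAC integrity check of slide 31, as an added worked example in Python; this is illustrative code written for this page, not SIMBA's own. It defaults to HMAC-SHA1 to match the slide (HMAC-SHA1 is not broken by the SHA-1 collision attacks, but a new deployment would pick SHA-256). Chaining each MAC over the previous entry's MAC is an assumption added here so that deleting or reordering lines is detected as well as editing them; the key and the log entries are constructed.

```python
"""Append-only audit log where every line carries an HMAC over its payload and
the previous line's MAC. Illustrative Python, not SIMBA's own code; the chaining
is an added assumption, the key and entries are constructed."""
import hashlib
import hmac
import json


class AuditLog:
    def __init__(self, key: bytes, digest=hashlib.sha1):
        self.key, self.digest = key, digest
        self.lines = []            # "json<TAB>mac-hex", append-only
        self.prev_mac = b""        # MAC of the previous entry (chain link)

    def _mac(self, payload: bytes, prev: bytes) -> str:
        return hmac.new(self.key, prev + payload, self.digest).hexdigest()

    def record(self, event: dict):
        """Record a command outcome or an authorization decision."""
        payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        mac = self._mac(payload, self.prev_mac)
        self.lines.append(payload.decode() + "\t" + mac)
        self.prev_mac = bytes.fromhex(mac)

    def verify(self, lines=None, anchor=b""):
        """Integrity check: (True, None) or (False, index of the first bad line).
        `anchor` is the last MAC of the preceding archive, if any."""
        prev = anchor
        for i, line in enumerate(self.lines if lines is None else lines):
            payload, _, mac = line.rpartition("\t")
            expected = self._mac(payload.encode(), prev)
            if not hmac.compare_digest(expected, mac):
                return False, i
            prev = bytes.fromhex(mac)
        return True, None

    def archive(self):
        """Archiving job: hand the current lines off; new entries keep chaining to
        the last archived MAC so archive and live log still verify end to end."""
        archived, self.lines = self.lines, []
        return archived


def last_mac(lines):
    """The MAC of the last line, used as the anchor when verifying the next file."""
    return bytes.fromhex(lines[-1].rpartition("\t")[2])


if __name__ == "__main__":
    log = AuditLog(b"constructed-key")   # constructed key; load it from a KMS in practice
    log.record({"command": "jaas_login", "user": "alice", "result": "success"})
    log.record({"authz": "url", "user": "alice", "path": "/zoo", "decision": "allow"})
    print(log.verify())                  # (True, None)
```

The verifier needs the same key as the writer, so the key must not live on the application server that writes the log, or an attacker who controls that server can rewrite history and re-sign it; keep the verification key with the archiving job.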

32 Give me an overview!

34 One big tiger, … (diagram: a single SIMBA Service and Manager with its DB, shared by the applications on Server 1 and Server 2)

35 or a pack? (diagram: a SIMBA Service and Manager on each of Server 1 and Server 2, sharing one DB)

36 Distributed deployment: multiple instances of your security
Advantages:
- Security doesn't go down
- You can always access the manager
- You don't lose your security session

37 Future SIMBAs
- SAML support
- E-ID support
- Advanced RBAC (hierarchy, constraints, …)
- SIMBA Filter (request parameters, request headers, X509 certificates)
- Manager: add/remove roles, policies
- Documentation: SIMBA threat model
- Release about every 6 months

38 Interested? More information: OWASP SIMBA Project, simbasecurity.org. Mail to koen.vanderloock@owasp.org

39 Questions? Thanks to:

