
Guarding your applications

Guarding your applications. Koen Vanderloock, koen.vanderloock@owasp.org. Koen Vanderloock? 9 years of experience as a Java developer; the last 3 years working on security at Cegeka; leader of the Security Competence Center at Cegeka; SIMBA founder.


Presentation Transcript


  1. Guarding your applications • Koen Vanderloock • koen.vanderloock@owasp.org

  2. Koen Vanderloock? • 9 years of experience as a Java developer • The last 3 years working on security at Cegeka • Leader of the Security Competence Center at Cegeka • SIMBA founder

  3. Security Integration Module for Business Applications • User Access Management (UAM): identification, authentication, authorization • Manager for users & rights

  4. Why another UAM tool? • Large Java project • 5 years of agile development • 2-week releases • 4 applications • 8 big customers • Secured by Sun Access Manager

  5. Why another UAM tool? • Problems with Sun Access Manager • Configuration nightmare • No clue what's going on • Management of users/rights a disaster

  6. Other UAM vendors? • Create it ourselves?

  7. Why another UAM tool? • Other UAM vendors • CA SiteMinder • OpenSSO (= Access Manager) • JOSSO

  8. Why another UAM tool? • Create it ourselves • Use it for each Java project • Make it customizable • See what's going on • Easy management

  9. What can SIMBA do? • Authentication • Single Sign-On • Role-Based Access Control • Authorization • Session management • User management

  10. Authentication (diagram) • Web entry: your applications (SIMBA enabled) → SIMBA filter → SIMBA authentication chain → Authentication Service over RMI/HTTP • Web services entry point: SIMBA WS handler → WS login chain → Authentication Service over WS/HTTP

  11. Single Sign-On (diagram) • Your applications (SIMBA enabled) → SIMBA filter → SIMBA Manager • SSO token stored in a cookie

  12. Role-Based Access Control

  13. RBAC in SIMBA (class diagram) • Role 1..* ↔ 1..* Policy (permission) • Policy 1..* ↔ 1..* URL Rule • Policy 1..* ↔ 1..* Resource Rule

  14. Example RBAC: Visitor • URL Rule: Access Zoo • Resource Rule: View animals, READ • Resource Rule: Feeding, READ

  15. Example RBAC: Groundkeeper • URL Rule: Access Zoo • Resource Rule: View animals, READ • Resource Rule: Feeding, WRITE

  16. Authorization (diagram) • Your application (SIMBA enabled): your service → security aspect / delegate → Authorization Service (SIMBA) over RMI/HTTP • Checks performed: URL rule check; resource rule check (READ / WRITE access)
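The Role → Policy → URL Rule / Resource Rule model of slides 13 to 16, worked through with the zoo example, as an added illustration that is not part of the slides or of the SIMBA code base. SIMBA is a Java framework; this sketch is in Python and invents its own names (`AuthorizationService`, `url_allowed`, `resource_allowed`, users `alice`, `bob`, `carol`, the `/zoo/` prefix). The matching semantics are assumptions: a URL rule matches on a path prefix, a resource rule grants exactly the operations listed, WRITE does not imply READ, and anything not granted is denied.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterator, List, Set


@dataclass(frozen=True)
class URLRule:
    name: str
    url_prefix: str  # assumption: a URL rule matches on a path prefix


@dataclass(frozen=True)
class ResourceRule:
    name: str
    resource: str
    operations: FrozenSet[str]  # subset of {"READ", "WRITE"}, granted exactly as listed


@dataclass
class Policy:
    name: str
    url_rules: List[URLRule] = field(default_factory=list)
    resource_rules: List[ResourceRule] = field(default_factory=list)


@dataclass
class Role:
    name: str
    policies: List[Policy] = field(default_factory=list)


class AuthorizationService:
    """Answers the two checks of slide 16: the URL rule check and the resource rule check.

    Deny by default: access is granted only if some policy of some role of the user
    carries a matching rule.  WRITE does not imply READ here; a policy that needs
    both has to list both.
    """

    def __init__(self) -> None:
        self._roles: Dict[str, Role] = {}
        self._user_roles: Dict[str, Set[str]] = {}

    def add_role(self, role: Role) -> None:
        self._roles[role.name] = role

    def assign(self, user: str, role_name: str) -> None:
        # Indexing self._roles first makes assigning an unknown role fail loudly.
        self._user_roles.setdefault(user, set()).add(self._roles[role_name].name)

    def _policies(self, user: str) -> Iterator[Policy]:
        for role_name in self._user_roles.get(user, ()):
            yield from self._roles[role_name].policies

    def url_allowed(self, user: str, url: str) -> bool:
        return any(url.startswith(rule.url_prefix)
                   for policy in self._policies(user) for rule in policy.url_rules)

    def resource_allowed(self, user: str, resource: str, operation: str) -> bool:
        return any(rule.resource == resource and operation in rule.operations
                   for policy in self._policies(user) for rule in policy.resource_rules)


def build_zoo() -> AuthorizationService:
    """The Visitor and Groundkeeper roles of slides 14 and 15, with constructed users alice and bob."""
    access_zoo = URLRule("Access Zoo", "/zoo/")
    view_animals = ResourceRule("View animals", "animals", frozenset({"READ"}))
    feeding_read = ResourceRule("Feeding", "feeding", frozenset({"READ"}))
    feeding_write = ResourceRule("Feeding", "feeding", frozenset({"WRITE"}))

    visitor = Role("Visitor", [Policy("visitor-policy", [access_zoo], [view_animals, feeding_read])])
    groundkeeper = Role("Groundkeeper",
                        [Policy("groundkeeper-policy", [access_zoo], [view_animals, feeding_write])])

    service = AuthorizationService()
    service.add_role(visitor)
    service.add_role(groundkeeper)
    service.assign("alice", "Visitor")
    service.assign("bob", "Groundkeeper")
    return service


if __name__ == "__main__":
    zoo = build_zoo()
    for user in ("alice", "bob", "carol"):
        print(user, "feeding WRITE:", zoo.resource_allowed(user, "feeding", "WRITE"),
              "zoo URL:", zoo.url_allowed(user, "/zoo/animals"))
```

The two checks are separate on purpose, as on slide 16: the filter answers the URL rule check before the request reaches the application, and the service-level aspect or delegate answers the resource rule check for each READ or WRITE. A user such as `carol`, who holds no role, fails both.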

  17. Session management • Overview of user sessions • Auto-expire sessions • Manually terminate sessions

  18. User management • Overview of users, roles, policies • Relations between concepts • Creation of a user and adding the correct rights • Set a user inactive • Unblock a user • Reset a password to the default

  19. SIMBA advantages • It's easy • Chains • It's lightweight • Caching • Audit logging • User overview • Centralized / distributed deployment

  20. SIMBA is easy, but …

  21. SIMBA is easy, but … (layer diagram) • Your application • Simba-specific-your-project: customized for your application • Simba framework

  22. Choose your armor

  23. Command and chains • Web service entrance • Web page entrance

  24. Command and chains (diagram of an incoming request) • Authentication chain, commands shown: Validate Parameters, Check Client IP, JAAS Login, Is Credential?, Account Blocked, Password Expired, Create Session, Enter Application, Logout • Session chain, commands shown: Check Session, User Active, URL Rule Check

  25. Command and chains • The first request

  26. Command and chains • The login request

  27. Command and chains • The logged-in request

  28. Command and chains • Chain: a collection of commands • Command: mostly an entry point or a security check • Web service chain (diagram): Validate Parameters, User Active, JAAS Login, your security check, …
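The command-and-chain idea of slides 23 to 28, together with the session store of slide 17 (auto-expiry and manual termination), as an added example in Python; it is neither the slides' nor SIMBA's code, and SIMBA itself is Java. Each command either lets the request continue or stops the chain with an outcome, which is how the first request, the login request and the logged-in request take different paths through the same two chains. Everything concrete here is an assumption: the command names follow slide 24, but their order, the `_stop` helper, the outcome strings, the user table, the client-IP allow-list, the per-user URL prefixes and the salted SHA-256 compare that stands in for a JAAS login module are all constructed for the example.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed user table; a salted SHA-256 compare stands in for the JAAS login module.
_SALT = b"constructed-demo-salt"
def _pw_hash(password): return hashlib.sha256(_SALT + password.encode()).digest()
USERS = {"alice": {"hash": _pw_hash("correct horse"), "blocked": False, "active": True},
         "mallory": {"hash": _pw_hash("letmein"), "blocked": True, "active": True}}
ALLOWED_CLIENT_PREFIXES = ("10.0.", "192.168.")  # assumption: what Check Client IP enforces
URL_RULES = {"alice": ("/zoo/",)}                 # assumption: allowed URL prefixes per user

@dataclass
class Request:
    path: str
    client_ip: str
    params: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None
    user: Optional[str] = None   # set by Jaas Login or Check Session
    outcome: str = "pending"     # set by the command that ends the chain

class SessionStore:
    """Sessions auto-expire after ttl seconds and can be terminated by hand (slide 17)."""
    def __init__(self, ttl, clock=time.time):
        self._ttl, self._clock, self._sessions = ttl, clock, {}
    def create(self, user):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = (user, self._clock() + self._ttl)
        return sid
    def lookup(self, sid):
        user, expires_at = self._sessions.get(sid, (None, 0.0))
        if user is not None and self._clock() >= expires_at:
            self._sessions.pop(sid)      # auto-expire
            return None
        return user
    def terminate(self, sid):
        self._sessions.pop(sid, None)    # manual termination from the manager

def _stop(req, outcome):  # commands return True to continue; _stop records the outcome and ends the chain
    req.outcome = outcome
    return False

def validate_parameters(req, store):
    return all(v and len(v) <= 256 for v in req.params.values()) or _stop(req, "bad_request")
def check_client_ip(req, store):
    return req.client_ip.startswith(ALLOWED_CLIENT_PREFIXES) or _stop(req, "denied_client_ip")
def is_credential(req, store):  # branch point: no credentials means the first request
    return ("username" in req.params and "password" in req.params) or _stop(req, "show_login")
def account_blocked(req, store):  # same answer for unknown and blocked accounts
    record = USERS.get(req.params["username"])
    return (record is not None and not record["blocked"]) or _stop(req, "login_failed")
def jaas_login(req, store):
    expected = USERS[req.params["username"]]["hash"]
    if not hmac.compare_digest(expected, _pw_hash(req.params["password"])):
        return _stop(req, "login_failed")
    req.user = req.params["username"]
    return True
def create_session(req, store):
    req.session_id = store.create(req.user)
    return True
def enter_application(req, store):
    req.outcome = "ok"
    return True
def check_session(req, store):
    req.user = store.lookup(req.session_id)
    return req.user is not None or _stop(req, "show_login")
def user_active(req, store):
    return USERS[req.user]["active"] or _stop(req, "denied_inactive")
def url_rule_check(req, store):
    return req.path.startswith(URL_RULES.get(req.user, ())) or _stop(req, "denied_url")

AUTHENTICATION_CHAIN = [validate_parameters, check_client_ip, is_credential, account_blocked,
                        jaas_login, create_session, enter_application]
SESSION_CHAIN = [check_session, user_active, url_rule_check, enter_application]

def run_chain(chain, req, store):
    for command in chain:
        if not command(req, store):
            break                        # the chain stops at the first failing command
    return req

def handle(req, store):
    """A request with a session cookie takes the session chain, any other the authentication chain."""
    return run_chain(SESSION_CHAIN if req.session_id else AUTHENTICATION_CHAIN, req, store)

def scenario():
    """The first, login and logged-in requests of slides 25-27, plus two failure modes, on a fake clock."""
    now = [1000.0]
    store, ip = SessionStore(ttl=300, clock=lambda: now[0]), "10.0.0.5"
    first = handle(Request("/zoo/animals", ip), store)
    login = handle(Request("/login", ip, {"username": "alice", "password": "correct horse"}), store)
    logged_in = handle(Request("/zoo/animals", ip, session_id=login.session_id), store)
    blocked = handle(Request("/login", ip, {"username": "mallory", "password": "letmein"}), store)
    now[0] += 301                        # past the ttl: the session auto-expires
    expired = handle(Request("/zoo/animals", ip, session_id=login.session_id), store)
    return {"first": first.outcome, "login": login.outcome, "logged_in": logged_in.outcome,
            "blocked": blocked.outcome, "expired": expired.outcome}
```

Two details are worth copying into a real chain: `account_blocked` gives the same answer for an unknown and a blocked account so the login page cannot be used to enumerate users, and `check_session` treats an expired or manually terminated session exactly like a missing one, so the request falls back to the login page rather than to an error that leaks state.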

  29. It's lightweight • Your own chains = only what you need • Extra features such as SAML, e-ID, biometrics, … = extra jars • Deploy it on your application server

  30. Caching (diagram) • Server 1 and Server 2 each run a Simba manager and a Simba service • 1. Refresh cache (a manager) → 2. Publish event on the SIMBA topic → 3. Each service cleans its cache
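The three steps of slide 30 (refresh, publish, clean) in a small two-node model, as an added example in Python rather than SIMBA's own Java code. The in-process `SimbaTopic` stands in for the SIMBA topic, `RightsDatabase` for the shared DB, and the class and method names are invented for the example. It also shows the failure mode the event is there to prevent: a rights change that reaches the DB without an event leaves a node serving revoked rights from its cache.

```python
from typing import Callable, Dict, List, Set


class SimbaTopic:
    """Stand-in for the SIMBA topic of slide 30: fans an event out to every subscribed service."""

    def __init__(self) -> None:
        self._subscribers: List[Callable[[str], None]] = []

    def subscribe(self, callback: Callable[[str], None]) -> None:
        self._subscribers.append(callback)

    def publish(self, event: str) -> None:
        for callback in self._subscribers:
            callback(event)


class RightsDatabase:
    """The shared DB of slides 34/35; constructed content: alice holds the Visitor role."""

    def __init__(self) -> None:
        self.roles: Dict[str, Set[str]] = {"alice": {"Visitor"}}


class SimbaService:
    """Each node caches user -> roles and drops that cache only on a clean-cache event."""

    def __init__(self, name: str, db: RightsDatabase, topic: SimbaTopic) -> None:
        self.name, self._db = name, db
        self._cache: Dict[str, Set[str]] = {}
        self.db_reads = 0
        topic.subscribe(self._on_event)

    def roles_of(self, user: str) -> Set[str]:
        if user not in self._cache:             # miss: load from the DB
            self.db_reads += 1
            self._cache[user] = set(self._db.roles.get(user, set()))
        return set(self._cache[user])

    def _on_event(self, event: str) -> None:
        if event == "clean-cache":              # step 3 on the slide
            self._cache.clear()


class SimbaManager:
    """Changes rights in the DB (step 1) and publishes so every cache is cleaned (step 2)."""

    def __init__(self, db: RightsDatabase, topic: SimbaTopic) -> None:
        self._db, self._topic = db, topic

    def grant(self, user: str, role: str) -> None:
        self._db.roles.setdefault(user, set()).add(role)
        self._topic.publish("clean-cache")

    def revoke(self, user: str, role: str) -> None:
        self._db.roles.get(user, set()).discard(role)
        self._topic.publish("clean-cache")


def scenario() -> dict:
    db, topic = RightsDatabase(), SimbaTopic()
    server1 = SimbaService("server1", db, topic)
    server2 = SimbaService("server2", db, topic)
    manager = SimbaManager(db, topic)
    server1.roles_of("alice")
    server2.roles_of("alice")                               # both caches warm
    manager.grant("alice", "Groundkeeper")                  # through the manager: event published
    after_grant = server2.roles_of("alice")
    db.roles["alice"].discard("Groundkeeper")               # failure mode: DB edited directly, no event
    stale = server2.roles_of("alice")
    manager.revoke("alice", "Groundkeeper")                 # through the manager: caches cleaned
    fresh = (server1.roles_of("alice"), server2.roles_of("alice"))
    return {"after_grant": after_grant, "stale": stale, "fresh": fresh,
            "db_reads": (server1.db_reads, server2.db_reads)}
```

The `stale` result is the security-relevant one: a revocation that bypasses the manager is invisible to a node until the next event arrives. In a deployment, every write path to the rights tables should go through the manager, and a cache entry should also carry a bounded lifetime as a backstop for a lost event.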

  31. Audit logging • Each command: success / error • Each authorization request • Integrity check (HMAC-SHA1) • Archiving job
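The HMAC-SHA1 integrity check of slide 31, written out as an added Python example that is not the slides' or SIMBA's own code. Each record (one per executed command or authorization request) gets a tag computed with a key the log's readers do not hold; `verify` recomputes the tags and reports the first record that no longer matches. Going beyond the slide, and labelled as an assumption in the code, each tag also covers the previous record's tag, so deleting or reordering a record in the middle of the log is detected as well. The record layout, key and the `tamper_demo` data are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


class AuditLog:
    """Append-only audit records, each protected by an HMAC-SHA1 tag (slide 31).

    Assumption beyond the slide: each tag also covers the previous record's tag,
    so removing or reordering records in the middle breaks the chain.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key                      # keep this key out of the database that holds the log
        self._records: List[Dict[str, str]] = []

    def _tag(self, payload: str, previous_tag: str) -> str:
        return hmac.new(self._key, f"{previous_tag}|{payload}".encode(), hashlib.sha1).hexdigest()

    def record(self, command: str, user: str, success: bool, detail: str = "") -> None:
        """One entry per executed command or authorization request."""
        payload = json.dumps({"seq": len(self._records), "command": command, "user": user,
                              "success": success, "detail": detail}, sort_keys=True)
        previous_tag = self._records[-1]["tag"] if self._records else ""
        self._records.append({"payload": payload, "tag": self._tag(payload, previous_tag)})

    def verify(self) -> Tuple[bool, int]:
        """Returns (True, -1) if the log is intact, else (False, index of the first bad record)."""
        previous_tag = ""
        for index, rec in enumerate(self._records):
            if not hmac.compare_digest(self._tag(rec["payload"], previous_tag), rec["tag"]):
                return False, index
            if json.loads(rec["payload"])["seq"] != index:
                return False, index
            previous_tag = rec["tag"]
        return True, -1

    @property
    def records(self) -> List[Dict[str, str]]:
        return self._records                 # exposed so the demo can tamper with it

    def last_tag(self) -> str:
        return self._records[-1]["tag"] if self._records else ""


def tamper_demo() -> Dict[str, Tuple[bool, int]]:
    """Constructed log of three commands; a failed check is edited, then deleted outright."""
    log = AuditLog(b"constructed-demo-key")
    log.record("JaasLogin", "alice", True)
    log.record("UrlRuleCheck", "alice", False, "/admin/users")
    log.record("Logout", "alice", True)
    results = {"intact": log.verify()}
    original = log.records[1]["payload"]
    log.records[1]["payload"] = original.replace('"success": false', '"success": true')
    results["edited"] = log.verify()
    log.records[1]["payload"] = original        # restore, then drop the record entirely
    del log.records[1]
    results["deleted"] = log.verify()
    return results
```

What the chain does not catch is truncation at the tail: cutting off the newest records leaves a log that still verifies. The archiving job on the slide is the natural place to close that gap, by storing `last_tag()` of each archived batch somewhere the log's writers cannot reach, so the next batch must chain onto it.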

  32. Give me an overview! (manager screenshot)

  33. Give me an overview! (manager screenshot)

  34. One big tiger, … (diagram) • Server 1: applications, DB, SIMBA service • Server 2: manager

  35. or a pack? (diagram) • Server 1 and Server 2 each: applications, SIMBA service, manager • Shared DB

  36. Distributed deployment • Advantages • Multiple instances of your security • Security doesn't go down • You can always access the manager • You don't lose your security session

  37. Future SIMBAs • SAML support • e-ID support • Advanced RBAC (hierarchy, constraints, …) • SIMBA filter (request parameters, request headers, X.509 certificates) • Manager: add/remove roles, policies • Documentation: SIMBA threat model • Release about every 6 months

  38. Interested? • More information: • OWASP SIMBA Project • simbasecurity.org • Mail to koen.vanderloock@owasp.org

  39. Questions? • Thanks to:
