
@abstractj
Forked from sebastienblanc/tuto.md
Last active October 13, 2015 13:58

# tuto

Intro

Web applications

  • In the past

    • Java applets
    • Servlets
    • Limited connectivity
    • Static pages
    • Not too many threats
    • Desktops
  • Today

    • HTML5
    • Single page apps
    • RESTful architecture
    • Desktops, mobile, smartwatches...
    • Lots of standards (W3C)
      • Just talk about W3C and the gazillion of standards
      • Today we have several standards, but no consistency between browsers
    • JavaScript loves the browser
      • At the same time it is hostile to security
      • Showcase a quick example about how to override crypto.getRandomValues

Security Big Picture

  • Heartbleed
  • Shellshock
  • Surveillance
  • Freak
  • Definition of security
      • "the state of being free from danger or threat" (vocabulary.com)

Current State of Web App Security

  • People don't care about security
    • e.g. Plain text passwords
  • Handling passwords is hard
    • e.g. People sending passwords in clear text
    • Systems giving too many hints for passwords
      • e.g. Your password must contain only letters with 6 digits
  • Security vs. Usability
  • Deadlines
    • The majority of developers don't have enough time to think about security
  • Things to keep in mind
    • There's no such thing as perfect security

1. Common vulnerabilities

  • Where to get started?

    • OWASP
    • CWE
    • NIST
  • MiTM

  • XSS

  • CSRF

  • Brute force

  • Session hijacking ...

  • How to prevent?

    • Show how people would prevent these vulnerabilities
      • Escaping inputs to prevent XSS
      • Implementing a token per session ...
    • People will see how overcomplicated it can be and figure out that Keycloak is the easy path.

2. Meet Keycloak

Main concepts

Creating realms and users, and mapping roles

3. Security

  • How to enforce SSL
  • Preventing Brute force
  • Other security controls on KC to protect webapps

4. Secure a WAR containing a Web App

5. OAuth2

Secure a standalone web app (Node.js?)

Secure a Cordova app (turning the above into a native app) (not sure about this one)

6. Secure a WAR providing a REST Service aka Microservice (bearer only)

7. SSO

8. Identity Broker

Social Login

Integration with other security protocols (SAML? LDAP?)

9. 2-factor authentication
