Navigating the Intersection: IAM and OWASP in the Cybersecurity Landscape (Identiverse 2024)

David Brossard | 22 slides | Jun 17, 2024

About This Presentation

Join us on a captivating exploration of the intricate relationship between Identity & Access Management (IAM) and the Open Worldwide Application Security Project (OWASP) in the realm of cybersecurity. Discover the convergence of IAM, a discipline applicable to both IT and the physical world, wit...


Slide Content

Navigating the Intersection: IAM and OWASP in the Cybersecurity Landscape

IAM and OWASP in the Cybersecurity Landscape
David Brossard, CTO, Axiomatics; OpenID AuthZEN Co-Chair

Identity Management: a set of policies, procedures, technology, and other resources for maintaining identity information.
Access Management: the process and techniques used to control access to resources.

What is OWASP?
The Open Worldwide Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. (source: owasp.org)
OWASP focuses on web applications.

OWASP Top 10
- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable & Outdated Components
- A07:2021-Identification & Authentication Failures
- A08:2021-Software & Data Integrity Failures
- A09:2021-Security Logging & Monitoring Failures
- A10:2021-Server-Side Request Forgery
Source: https://owasp.org/www-project-top-ten/

OWASP Top 10 API Security Risks
- API1:2023 - Broken Object Level Authorization
- API2:2023 - Broken Authentication
- API3:2023 - Broken Object Property Level Authorization
- API4:2023 - Unrestricted Resource Consumption
- API5:2023 - Broken Function Level Authorization
- API6:2023 - Unrestricted Access to Sensitive Business Flows
- API7:2023 - Server Side Request Forgery
- API8:2023 - Security Misconfiguration
- API9:2023 - Improper Inventory Management
- API10:2023 - Unsafe Consumption of APIs
Source: https://owasp.org/API-Security/editions/2023/en/0x11-t10/

Top Three IAM Categories that can help
1. Authentication: establish your identity and prove who you are beyond a doubt. Establish levels of assurance.
2. Authorization: determine what the client can do on the targeted resources; protect on a granular level.
3. Access Governance: review all identity & access events; correlate to webapp/API usage; prove all access was warranted.

OWASP General Threats

A01:2021-Broken Access Control
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized info disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
Common vulnerabilities:
- Violation of the principle of least privilege.
- Bypassing checks by modifying the URL, internal application state, HTML page, or by modifying API requests.
- Insecure direct object references.
- Accessing API with missing access controls for POST, PUT and DELETE.
- Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user.
- Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie.
- CORS misconfiguration allows API access from unauthorized/untrusted origins.
- Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.

A01:2021-Broken Access Control - The Fix
- Authenticate every call: OAuth & OIDC
- Authorize every call: XACML, Rego, ALFA
- Use an API Gateway
- Regularly recertify user access: GRC
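"Authorize every call" in practice means the handler never decides access on its own. The following is an added example, not code from the slides or from Axiomatics: a policy enforcement point (PEP) sends a subject/action/resource request to a policy decision point (PDP) on every call, next to the insecure-direct-object-reference handler it replaces. The request shape loosely follows the OpenID AuthZEN evaluation API; the policy rules, records and user names are constructed for the example.

```python
"""Externalized authorization for every API call (added example, not from the
slides). The subject/action/resource request loosely follows the OpenID AuthZEN
evaluation API; policy, data store and user names are constructed here."""
from dataclasses import dataclass

# Constructed data store: record id -> owner and body
RECORDS = {"r-1": {"owner": "alice", "body": "alice's notes"},
           "r-2": {"owner": "bob", "body": "bob's notes"}}
ADMINS = {"carol"}  # constructed admin set

@dataclass
class Decision:
    allowed: bool
    reason: str

def pdp_evaluate(subject, action, resource):
    """PDP: the whole access policy lives here, not in each handler."""
    owner = RECORDS.get(resource["id"], {}).get("owner")
    is_admin = subject["id"] in ADMINS
    if action["name"] in ("read", "update") and subject["id"] == owner:
        return Decision(True, "owner of resource")
    if action["name"] in ("read", "delete") and is_admin:
        return Decision(True, "admin")
    return Decision(False, "no rule matched")  # deny by default

def get_record_vulnerable(user, record_id):
    """A01 / API1 (BOLA): the caller is authenticated, but any user can read any id."""
    rec = RECORDS.get(record_id)
    return rec["body"] if rec else None

def handle_request(user, action, record_id):
    """PEP: ask the PDP first, then act. Every denial is logged with its reason."""
    decision = pdp_evaluate({"type": "user", "id": user},
                            {"name": action},
                            {"type": "record", "id": record_id})
    if not decision.allowed:
        print(f"DENY user={user} action={action} resource={record_id}: {decision.reason}")
        return {"status": 403, "body": None}
    rec = RECORDS.get(record_id)
    if rec is None:
        return {"status": 404, "body": None}
    if action == "delete":
        RECORDS.pop(record_id)
        return {"status": 204, "body": None}
    return {"status": 200, "body": rec["body"]}
```

Because the PDP is consulted before the record is looked up, a denied caller learns nothing about whether the id exists, and adding a new rule (e.g. a support role) changes one function rather than every endpoint.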

A04:2021-Insecure Design
This category focuses on risks related to design and architectural flaws, with a call for more use of threat modeling, secure design patterns, and reference architectures.
- Adopt standards: OAuth, SCIM, OIDC, ALFA, Rego…
- Follow best practices: NIST Digital Identity Guidelines, Secure by Design
- Implement a security-first mindset: join IDPro, follow CISA

A05:2021-Security Misconfiguration
With more shifts into highly configurable software, it's not surprising to see this category move up.
Common vulnerabilities:
- Missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services.
- Unnecessary features are enabled or installed (e.g., unnecessary ports, services, pages, accounts, or privileges).
- Default accounts and their passwords are still enabled and unchanged.
- Error handling reveals stack traces or other overly informative error messages to users.
- For upgraded systems, the latest security features are disabled or not configured securely.
- The security settings in the application servers, application frameworks (e.g., Struts, Spring, ASP.NET), libraries, databases, etc., are not set to secure values.
- The server does not send security headers or directives, or they are not set to secure values.
- The software is out of date or vulnerable (see A06:2021-Vulnerable and Outdated Components).

A05:2021-Security Misconfiguration - The Fix
- Decouple your app: externalize AuthN & AuthZ to dedicated frameworks
- Review vendor documentation: check vendor/framework documentation for config. best practices
- Pen. testing: not IAM-specific but still important to detect misconfiguration

A07:2021-Identification & Authentication Failures
Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. Previously known as Broken Authentication, this category slid down from the second position and now includes Common Weakness Enumerations (CWEs) related to identification failures.
Common vulnerabilities:
- Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
- Permits brute force or other automated attacks.
- Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".
- Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers," which cannot be made safe.
- Uses plain text, encrypted, or weakly hashed password data stores (see A02:2021-Cryptographic Failures).
- Has missing or ineffective multi-factor authentication.
- Exposes the session identifier in the URL.
- Reuses the session identifier after successful login.
- Does not correctly invalidate session IDs. User sessions or authentication tokens (mainly single sign-on (SSO) tokens) aren't properly invalidated during logout or a period of inactivity.

A07:2021-Identification & Authentication Failures - The Fix
- Decouple your app: externalize AuthN & AuthZ to dedicated frameworks
- Adopt standards: OAuth, SCIM, OIDC, ALFA, Rego…
- Follow best practices: NIST Digital Identity Guidelines, Secure by Design
- Implement a security-first mindset: join IDPro, follow CISA

A09:2021-Security Logging & Monitoring Failures
This category is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected.
Insufficient logging, detection, monitoring, and active response occurs any time:
- Auditable events, such as logins, failed logins, and high-value transactions, are not logged.
- Warnings and errors generate no, inadequate, or unclear log messages.
- Logs of applications and APIs are not monitored for suspicious activity.
- Logs are only stored locally.
- Appropriate alerting thresholds and response escalation processes are not in place or effective.
- Penetration testing and scans by dynamic application security testing (DAST) tools (such as OWASP ZAP) do not trigger alerts.
- The application cannot detect, escalate, or alert for active attacks in real-time or near real-time.
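Logging the auditable events above only pays off when an alerting threshold is attached to them. This added example (not part of the slides) runs a small detector over constructed login events: it raises an alert when one source crosses a failed-login threshold inside a sliding window (the credential-stuffing and brute-force pattern from A07), and a second alert when that same source then succeeds. The log format, window and threshold are assumptions made for the example.

```python
"""Alerting on failed-login bursts from auth logs (added example, not from the
slides). The line format, the one-minute window and the threshold of five are
constructed assumptions, not any product's defaults."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, event name, user, source IP
SAMPLE_LOG = """\
2024-06-17T10:00:01Z login_failed user=alice ip=203.0.113.7
2024-06-17T10:00:02Z login_failed user=bob ip=203.0.113.7
2024-06-17T10:00:03Z login_failed user=carol ip=203.0.113.7
2024-06-17T10:00:04Z login_failed user=dave ip=203.0.113.7
2024-06-17T10:00:05Z login_failed user=erin ip=203.0.113.7
2024-06-17T10:00:06Z login_success user=erin ip=203.0.113.7
2024-06-17T10:05:00Z login_failed user=alice ip=198.51.100.9
2024-06-17T10:06:00Z login_success user=alice ip=198.51.100.9
"""

def parse_line(line):
    ts, event, user_kv, ip_kv = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "user": user_kv.split("=", 1)[1],
            "ip": ip_kv.split("=", 1)[1]}

def detect(log_text, window=timedelta(minutes=1), threshold=5):
    """Return alerts: (a) >= threshold failures from one IP within `window`,
    (b) a success from an IP that has already crossed that threshold."""
    alerts = []
    recent = defaultdict(list)  # ip -> timestamps of failures still in window
    flagged = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        fails = recent[ev["ip"]]
        # drop failures that have aged out of the sliding window
        while fails and ev["ts"] - fails[0] > window:
            fails.pop(0)
        if ev["event"] == "login_failed":
            fails.append(ev["ts"])
            if len(fails) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("failed_login_burst", ev["ip"], len(fails)))
        elif ev["event"] == "login_success" and ev["ip"] in flagged:
            alerts.append(("success_after_burst", ev["ip"], ev["user"]))
    return alerts
```

The single failure from 198.51.100.9 followed by a success stays silent, which is the point of a threshold: the alert should fire on the pattern, not on every forgotten password.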

A09:2021-Security Logging & Monitoring - The Fix
- Leverage frameworks: authentication, authorization
- Listen for changes: Shared Signals & CAEP
- Invest in SIEM: not IAM per se

OWASP API Threats

OWASP API Threats are an Opportunity
Establish an API-first strategy:
- All your apps, data, and functions go through the same logical API security layer.
- It doesn't have to be a single gateway; it can be sidecars.
- Use the API "gateways" to enforce authentication, access delegation, authorization, and logging.
Caveat: don't assume this means you don't need to secure the underlying apps and services.

OWASP Top 10 API Security Risks (mapped to IAM disciplines: APISec, AuthN, AuthZ)
- API1:2023 - Broken Object Level Authorization
- API2:2023 - Broken Authentication
- API3:2023 - Broken Object Property Level Authorization
- API4:2023 - Unrestricted Resource Consumption
- API5:2023 - Broken Function Level Authorization
- API6:2023 - Unrestricted Access to Sensitive Business Flows
- API8:2023 - Security Misconfiguration
- API10:2023 - Unsafe Consumption of APIs

Suggested Architecture