abstractj
10/13/2015 - 12:40 PM
tuto.md
#tuto
Intro
Web applications
In the past
- Java applets
- Servlets
- Limited connectivity
- Static pages
- Not too much threats
- Desktops
Today
- HTML5
- Single page apps
- RESTful architecture
- Desktops, mobile, smartwatches...
- Lots of standards (W3C)
- Just talk about W3C and le gazillion of standards
- Today we have several standards, but no pattern between browsers
- JavaScript loves the browser
- At the same time is hostile to security
- Showcase a quick example about how to override
crypto.getRandomValues
Security Big Picture
- Heartbleed
- Shellshock
- Surveillance
- Freak
- * * Definition of security - * the state of being free from danger or threat * — vocabulary.com
Current State of Web App Security
- People don't care about security
- e.g. Plain text passwords
- Handling passwords is hard
- e.g. People sending passwords in clear text
- Systems giving too many hints for passwords
- e.g. Your password must contain only letters with 6 digits
- Security vs. Usability
- Deadlines
- The majority of developers don't have enough time to think about security
- Things to keep in mind
- There's no such thing as perfect security
1.Common vulnerabilities
Where to get started?
- OWASP
- CWE
- NIST
MiTM
XSS
CSRF
Brute force
Session hijacking ...
How to prevent?
- Show how people would prevent these vulnerabilities
- Escaping inputs to prevent XSS
- Implementing a token per session ...
- People will see how overcomplicated it can be and figure out that Keycloak is the easy path.
- Show how people would prevent these vulnerabilities
2. Meet keycloak
Main concepts
Creating Realms, users and map roles
3. Security
- How to enforce SSL
- Preventing Brute force
- Other security controls on KC to protect webapps