#authZ

2025-04-15

Hi all! I'm at @foss_north today, enjoying the super interesting talks about open source, development tools, and general nerdery. :blobfoxlaugh: I live to meet people and talk tech so please say hi if you see me. I'm wearing a white cap with a cute little monster on it. :)

Oh and I'm also speaking this afternoon about #authz as a dev workflow, so feel free to come through and learn something about that if you like. :blobhaj_heartslove:

#foss #fossnorth #fossnorth2025

2025-03-10

👋 Very stoked to announce that I will be speaking at #OWASP #Snowfroc this Friday at 11:00 in the Great Hall. The talk is entitled "Patterns of failure in modern #authorization" and it's mostly about why #authz is getting harder (instead of easier). I'll be citing some academic research but also looking at some interesting examples of authz failure at some fairly large, well-known brands. Hope to see you there! 🎤

p.s. I've never been to #Denver so looking forward to checking the city out a bit too. If you have suggestions for things to do (read: eat), let me know! 😄

Augustine Correa @indcoder@fosstodon.org
2025-03-10

Excited to be speaking at @fossasia
🚀 This year, I'm diving deep into Identity and Access Management (#IAM) for #OSS.

All are welcome and I encourage all knowledge levels to attend: Don't be intimidated by "advanced security"! I'm breaking down complex concepts into easy-to-understand explanations, with a historical perspective to give context.

1️⃣ Explore #AuthN #AuthZ 🔐
2️⃣ @keycloak Primer 🌐
3️⃣ Best Practices for #OSS 🛡️

#FOSSAsia2025

The image is a promotional badge for the FOSSASIA Summit 2025, which will be held at True Digital Park in Bangkok from March 13-15. The badge features a QR code, the event's name, location, and dates at the top. Below this, it states that FOSSASIA Summit is Asia's leading open source technology conference. The badge highlights Augustine Correa, a Microsoft MVP for Developer Technologies and AI Platform, as a speaker. Augustine Correa's talk is titled "Who are you?" and will cover Identity and Access for Cloud Native OSS Projects.
2025-02-15

#30MinsLearning Day 8: Today I read the code of UserManager.CreateAsync(): it relies on the PasswordStore to set the password hash, then calls the UserStore to create the user for real, e.g. in the DB. The responsibilities are quite clear. >>>🧵 #dotnet #csharp #aspnetcore #identity #auth #authZ

2025-02-14

#30MinsLearning Day 7: Today I sat down and read the `/register` endpoint code. Most of it is easy: validate the email and create the user. This part, though, I don't understand why: 🧵 #dotnet #csharp #aspnetcore #identity #auth #authZ

OpenFGA @openfga
2024-10-24

🎉 Last week of Hacktoberfest! 🎉 The OpenFGA community has several issues labeled for Hacktoberfest—perfect for newcomers and veterans alike. From quick doc fixes to tackling bugs, all contributions are welcome.
Jump in, contribute, and grab some Hacktoberfest swag while there's still time! Let's wrap up October with a strong open source push. 🛠️

🛠️ github.com/openfga

➡️ Learn about Hacktoberfest: hacktoberfest.com

卡拉今天看了什麼 @ai_workspace@social.mikala.one
2024-07-28

Internet Shortcut file security-mechanism bypass vulnerability exploited for over a year; attackers used it to distribute several kinds of infostealers | iThome

📌 Summary:
Microsoft patched the Internet Shortcut file security-feature bypass vulnerability CVE-2024-21412 in this year's February routine update, but hackers have been exploiting it to distribute multiple infostealers, with attacks covering North America, Spain and Thailand. Security vendor Fortinet found in its analysis that the attackers craft malicious URL files pointing to a specific remote server, download an LNK file onto the victim's computer, and lure the victim into executing that file to advance the attack. Researchers saw the hackers use two different code-injection tools to evade defenses and ultimately plant infostealers on the victim's computer.

🎯 Key Points:
1. Microsoft patched the Internet Shortcut file security-mechanism bypass vulnerability CVE-2024-21412 in February this year, but hackers have exploited it to distribute infostealers.
2. Security vendor Fortinet found that the attackers craft malicious URL files pointing to a specific remote server and lure victims into executing them to advance the attack.
3. Researchers saw the hackers use two code-injection tools and ultimately plant infostealers on the victim's computer.
4. Fortinet found that the hackers used the Steam Community site as a Dead Drop Resolver to hide the C2 source.

🔖 Keywords:
#CVE-2024-21412
#Fortinet
#Water Hydra
#Lumma Stealer
#Meduza Stealer
#ACR Stealer
#PowerShell
#HTA script
#Edge executable icon
#LNK file
#forfiles
#mshta
#Imghippo
#GdipBitmapGetPixel
#HijackLoader
#Steam Community site
#Dead Drop Resolver
#Docker
#AuthZ
#OpenAI
#GPT-4o mini
#Meta Llama 3

2024-07-25

A critical flaw in Docker Engine, tracked as CVE-2024-41110, allows attackers to bypass authorization plugins under specific conditions. This vulnerability, with a CVSS score of 10.0, indicates maximum severity. It involves exploiting an API request with a Content-Length set to 0, tricking the Docker daemon into forwarding the request without the body to the AuthZ plugin, potentially leading to incorrect approval of the request. This issue was initially discovered in 2018 and fixed in Docker Engine v18.09.1 in January 2019, but it wasn't applied to subsequent versions until recently. Versions affected include those up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0, assuming AuthZ is used for access control decisions. Users relying on AuthZ plugins are at risk unless they update to versions 23.0.14 and 27.1.0 released on July 23, 2024. Docker Desktop versions up to 4.32.0 are also affected, though the chance of exploitation is low due to the need for local access to the host and the absence of AuthZ plugins in default configurations. Docker advises updating to the latest version to mitigate potential threats.

docker.com/blog/docker-securit

#cybersecurity #docker #vulnerability #cve #authz #dockerengine #dockerdesktop #api #plugins #threat #update
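
The failure mode the post describes, as an added example that is not Docker's code (moby's authz middleware is not reproduced here): an in-process authorization middleware that decides from the declared Content-Length whether to show the request body to the policy, beside a version that forwards whatever body is actually read. The API path, the spec fields, the policy and the backend are constructed stand-ins; setting ContentLength to 0 on the in-process request models the daemon-side view the advisory describes (a plugin that never sees the body), not any particular wire-level technique.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed example, not Docker's code.

const maxBodySize = 1 << 20 // largest body the middleware will buffer

// createSpec is the part of a container-create request the policy inspects.
type createSpec struct {
	Image      string `json:"Image"`
	HostConfig struct {
		Privileged bool `json:"Privileged"`
	} `json:"HostConfig"`
}

// policy stands in for an AuthZ plugin: refuse privileged container creation.
// It can only judge what it is shown, so a bodiless request looks harmless.
func policy(method, path string, body []byte) bool {
	if method != http.MethodPost || !strings.HasSuffix(path, "/containers/create") {
		return true
	}
	if len(body) == 0 {
		return true // nothing to inspect -> approved; this is the gap
	}
	var spec createSpec
	if err := json.Unmarshal(body, &spec); err != nil {
		return false // never approve what cannot be parsed
	}
	return !spec.HostConfig.Privileged
}

// vulnerableAuthz forwards the body only when the declared length says one
// exists. With ContentLength 0 (or -1, which Go reports for chunked bodies)
// the policy never sees it, yet the handler behind the middleware still does.
func vulnerableAuthz(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var body []byte
		if r.ContentLength > 0 && r.ContentLength < maxBodySize {
			body, _ = io.ReadAll(io.LimitReader(r.Body, maxBodySize))
			r.Body = io.NopCloser(bytes.NewReader(body)) // hand the body on
		}
		if !policy(r.Method, r.URL.Path, body) {
			http.Error(w, "denied by authz", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// fixedAuthz reads whatever body is actually present, capped by size, without
// consulting the declared length, so the policy sees what the handler sees.
func fixedAuthz(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBodySize+1))
		if err != nil || len(body) > maxBodySize {
			http.Error(w, "body unreadable or too large", http.StatusRequestEntityTooLarge)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body))
		if !policy(r.Method, r.URL.Path, body) {
			http.Error(w, "denied by authz", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// backend stands in for the API: it parses the spec itself and reports what
// it would have created.
func backend() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var spec createSpec
		if err := json.NewDecoder(r.Body).Decode(&spec); err != nil {
			http.Error(w, "bad spec", http.StatusBadRequest)
			return
		}
		if spec.HostConfig.Privileged {
			fmt.Fprint(w, "created privileged container")
			return
		}
		fmt.Fprint(w, "created container")
	})
}

// send pushes a POST /containers/create carrying a constructed spec through h.
// With hideLength the request declares Content-Length 0 while the body reader
// still holds the JSON, modelling the daemon-side view the advisory describes.
func send(h http.Handler, privileged, hideLength bool) (int, string) {
	spec := fmt.Sprintf(`{"Image":"alpine","HostConfig":{"Privileged":%t}}`, privileged)
	r := httptest.NewRequest(http.MethodPost, "/v1.45/containers/create", strings.NewReader(spec))
	if hideLength {
		r.ContentLength = 0
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, r)
	return rr.Code, strings.TrimSpace(rr.Body.String())
}

func main() {
	cases := []struct {
		name       string
		h          http.Handler
		hideLength bool
	}{
		{"vulnerable, honest Content-Length", vulnerableAuthz(backend()), false},
		{"vulnerable, Content-Length 0", vulnerableAuthz(backend()), true},
		{"fixed, Content-Length 0", fixedAuthz(backend()), true},
	}
	for _, c := range cases {
		code, msg := send(c.h, true, c.hideLength)
		fmt.Printf("%-35s -> %d %s\n", c.name, code, msg)
	}
}
```

The lesson is general: an authorization hook must be given exactly the input the protected handler will act on, and the decision about what to forward must not depend on client-controlled metadata such as a declared length. The same shape of bug appears wherever a policy check and the consumer of a request parse it separately.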

2024-07-19

[Translation] Using Verified Permissions to implement fine-grained authorization in high-load applications

Techniques for optimizing the authorization function in modern web applications. The article looks at effective approaches to managing fine-grained authorization using Amazon Verified Permissions (read: the Cedar engine). You will learn about batch authorization and response-caching techniques that help significantly improve application performance and responsiveness. Read more

habr.com/ru/companies/bercut/a

#авторизация #bercut #беркут #authz #authorization #Policyascode #вебприложения #web_application

Devin Canterberry @canterberry@defcon.social
2024-06-14

Banks: to transfer money from another bank, just give us your username and password for that other bank. These tools work by literally having a bot log in to your account to scrape data and simulate clicks.

Meanwhile, literally everywhere else: "never share your login details with anyone, and we will never ask you for them!"

Banks are gatekeepers for how we spend and receive money, and have access to the most sensitive financial information possible.

Yet, any random website with OpenID Connect (OIDC) or OAuth 2 has superior security with respect to authorized information sharing.

This isn't new or fringe technology, by any means. Banks are just laughably far behind.

It's nothing short of a miracle that there aren't more large-scale hacks and breaches of financial institutions.

#OpSec #InfoSec #Privacy #Security #AccessControl #Authz

Johannes Schnatterer @schnatterer@floss.social
2024-06-13

💡 TIL that authorizing individuals (not groups) in #argocd via #OIDC needs to be enabled by extending the OIDC scopes to "email".

The default in the helm charts is "groups".

Default: artifacthub.io/packages/helm/a

Source: github.com/argoproj/argo-cd/is

#authZ

Screenshot of the Argo CD helm chart values.yaml showing rbac.scopes: "[email, group]" below a comment "Default is group, but we want to be able to authorize individuals as well".
Screenshot of Artifact Hub showing the default values of the Argo CD helm chart with scopes: "[groups]".
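
To make the setting concrete, here is an added illustration, not from the post or from the Argo CD project, of the chart default beside the value that lets an individual be a policy subject. It assumes the current chart layout where the argocd-rbac-cm settings live under configs.rbac, and uses a hypothetical user alice@example.com and group platform-team:

```yaml
# Chart default (values.yaml): only the "groups" claim of the ID token is
# matched against policy subjects, so the "g" line naming an individual
# never matches and alice gets nothing.
configs:
  rbac:
    scopes: "[groups]"
    policy.csv: |
      p, role:admin, applications, *, */*, allow
      g, alice@example.com, role:admin
---
# Corrected: include the email claim as well, so both group names and
# individual e-mail addresses from the ID token can be policy subjects.
configs:
  rbac:
    scopes: "[groups, email]"
    policy.csv: |
      p, role:admin, applications, *, */*, allow
      g, platform-team, role:admin
      g, alice@example.com, role:admin
```

After upgrading the release, confirm the rendered ConfigMap actually carries both scopes (for example with kubectl -n argocd get cm argocd-rbac-cm -o yaml); a value that stays "[groups]" silently ignores every per-user line in policy.csv rather than failing loudly.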
2023-09-21

"Why not just implement Feature Flags as
^ has probably popped into someone's head more than once.

It's a fairly reasonable thought, but the devil is in the details. IMO it's like saying we should put up traffic lights instead of using traffic cones.

ntietz.com/blog/feature-flags-

vs

Ian Mckay @ian@ian.mn
2023-07-06

Check out my latest post on the Cedar policy engine 🌲📝

Learn where common policy authoring mistakes can happen, and the solutions to those issues to help ensure you keep your authorization system secure 💪

#aws #cedar #authz

onecloudplease.com/blog/cedar-

damienbod @damienbod
2023-04-15

I will be speaking about application security at the Azure Bootcamp Switzerland in Bern, a technology conference focusing on the Microsoft Azure Cloud. I really recommend this. Please come and say hello; I would love to meet you and am really looking forward to it.

azurebootcamp.ch/

Thanks for organizing Manuel Meyer Stefan Johner Stefan Roth

2023-03-16

Working on a project with non-InfoSec folks I was reminded that not everyone's gotten the message. All the contributors were accessing the collaboration platform with the admin's credentials ('cause it was easier than creating separate accounts). #sigh

#infosec #authn #authz #fail #meme

Meme: Three characters from the 1960s TV show "Hogan's Heroes" facepalming with the caption, "Triple Facepalm: When you realize you shouldn't share passwords."
2023-02-20

Does anyone know where to find more info on the "double anonymity" protocol that the government wants to roll out in March to restrict access to certain sites, including porn sites?
I saw a diagram and, roughly, it looks like a "sub-Privacy-Pass", but I would like to study the spec or the code.

#cryptography #france #pornography #privacypass #sécurité #security #authz #authn

damienbod @damienbod
2023-01-22
Matthew Reinbold @matthew@opinuendo.com
2023-01-18

Whoa. Today I learned that the OAuth.net website was not owned by a foundation, but by a single member. The banner for advertising is what gave it away. #OAuth #AuthZ #Authorization #ads

A screenshot of the OAuth.net/2/ web page with an advertising footer along the bottom.
damienbod @damienbod
2023-01-08

Updated .NET 7 and latest ASP.NET Core Identity

Implementing User Management with ASP.NET Core Identity and custom claims

damienbod.com/2018/10/30/imple

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst