SecAppDev 2017 has ended
architecture
Thursday, March 2
 

09:00 CET

Access Control
This session covers access control. Access control is an essential part of every application that manages data of any value. However, access control is also complex and hard to get right, both from a development and management point of view.

In this session, we first explore the concept and goals of access control in general. We then discuss the different models that exist in practice and in the literature for reasoning about access control. Finally, we investigate different approaches to enforcing access control in an application. Overall, this session aims to provide deeper insight into access control so that you can reason about it better and implement it correctly and efficiently.

Learning objectives 
  • Understand the goal of access control.
  • Understand the process of access control.
  • Learn about existing and emerging models to reason about access control.
  • Learn about different approaches to implement access control, their advantages and limitations.
  • Be aware of upcoming evolutions and how to prepare for them.

Speakers

Maarten Decat

Postdoctoral researcher on access control & Co-founder of Elimity, KU Leuven / Elimity
Maarten Decat is a postdoctoral researcher at the department of Computer Science of the Katholieke Universiteit Leuven (KU Leuven) under the supervision of Wouter Joosen. His main research interest is access control for large-scale cloud applications. From this research he recently...



Thursday March 2, 2017 09:00 - 10:30 CET
Room: Van Hamaele

13:40 CET

Introduction to OAuth 2.0 Security
OAuth is a delegation framework that appears on the radar of security professionals and developers more and more every day. OAuth intersects with authentication and access control, yet you would not likely use OAuth by itself for authentication, session management or access control in your applications. Even more confusing, OAuth is not a standard, and various service providers will likely have different implementations. Let's say it again: OAuth is not a standard, it's a framework for delegation. So this leaves us with questions! What really is delegation? Where does OAuth fit in? How can I use OAuth in a secure fashion? These questions and more will be answered in this talk!

Speakers

Jim Manico

Founder, Manicode Security
Jim Manico is the Founder of Manicode Security, a company dedicated to providing expert training in secure coding and security engineering to software developers. His work at Manicode Security reflects his deep commitment to elevating software security standards in the industry. In...



Thursday March 2, 2017 13:40 - 15:10 CET
Room: Lemaire
 
Friday, March 3
 

13:40 CET

AuthN/Z for REST Services
REST services are very popular. Unfortunately, many are not secure. In this session, we identify access control requirements for a range of application types and discuss how these can be delivered with current standards and tools.
The presentation is interactive; we discuss the trade-offs when implementing typical requirements.
OpenID Providers authenticate end users and issue a security token called an ID Token, containing a set of claims about the attributes of the caller. We will be dissecting the OpenID Connect ID Tokens, encoded as JSON Web Tokens (JWT).
Even though OIDC and OAuth are supplanting older authN/Z standards for web services such as SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language), they will have to co-exist for a long time. Many components offering OIDC or OAuth interfaces also work with SAML or XACML, which define interesting roles such as Identity Provider (IdP), Policy Enforcement Point (PEP) and Policy Decision Point (PDP). So it is natural to ask whether these roles are relevant in a REST architecture as well and, if so, how they map onto OIDC and OAuth roles.
This session builds on Maarten Decat's Access Control lecture and Jim Manico's Introduction to OAuth 2.0 Security.

Speakers

Yo Peeters

Johan Peeters is an independent software architect. He serves both large companies and SMEs and has addressed software development issues ranging from product definition to acceptance testing. He is the founder of secappdev.org...



Friday March 3, 2017 13:40 - 15:10 CET
Room: Lemaire

15:40 CET

Denial-of-service attacks: solutions and pitfalls
In this session, we will discuss the current threat of denial-of-service attacks and several popular mitigation solutions. Based on our research, we will talk about the common pitfalls of setting up cloud-based DDoS protection services.

Speakers

Thomas Vissers (imec-DistriNet, KU Leuven)

Researcher, KU Leuven
Thomas is a passionate security researcher who works on DDoS, DNS and web threats. He created CloudPiercer.org, a widely used cloud security exposure scanner. He loves diving deep into data and applying AI to counter large-scale security problems. Thomas is in the final stages...



Friday March 3, 2017 15:40 - 16:30 CET
Room: Van Hamaele