Secure coding standards

  1. OWASP – Open Web Application Security Project
  2. CWE – Common Weakness Enumeration
  3. SEI CERT –

Tool used – Fortify (HP security vulnerability code analyser)

OAuth

๐—” ๐—ฆ๐˜‚๐—บ๐—บ๐—ฎ๐—ฟ๐˜† ๐—ผ๐—ณ ๐—ข๐—”๐˜‚๐˜๐—ต ๐—ฎ๐—ป๐—ฑ ๐—œ๐˜๐˜€ ๐—จ๐˜€๐—ฒ๐˜€ ๐Ÿ›ก๐Ÿ”ฅ

OAuth is an open protocol that enables secure authorization from web, mobile, or desktop applications. It's used to grant access to services such as APIs and websites without needing to exchange passwords.

What is OAuth?
OAuth stands for Open Authorization. It’s an open protocol that enables secure authorization from web, mobile, or desktop applications. It allows users to share their private resources stored on one site with another site without having to give away their credentials such as username and password.

For example, if you have a Google account and want to access YouTube or Gmail services, you can use OAuth instead of providing your Google account credentials.

How Does OAuth Work?
OAuth works by authenticating the user's identity without them having to provide their login details directly. The process involves the user being redirected to the service provider, where they are asked to approve the application that requests access. Once approved, the service provider sends back an access token, which can then be used by the application to make authorized requests on behalf of the user.

Security Intro

Objective –

  1. Meaning/structure of the security mechanism
  2. Where is it used? Use cases
  3. Implementation

Index

  1. Introduction
  2. Basic username/password
  3. JWT
  4. OAuth (microservices)
  5. Digital Signature (NPCI)


Introduction

Session, Cookie, JWT, Token, SSO, and OAuth 2.0 – here’s what you need to know

These terms are essential for identifying, authenticating, and authorizing users online. Let's dive in.

๐—ช๐—ช๐—ช-๐—”๐˜‚๐˜๐—ต๐—ฒ๐—ป๐˜๐—ถ๐—ฐ๐—ฎ๐˜๐—ฒ
๐Ÿ”น Oldest & most basic method
๐Ÿ”น Browser asks for username & password
๐Ÿ”น Lacks control over login life cycle
๐Ÿ”น Rarely used today

๐—ฆ๐—ฒ๐˜€๐˜€๐—ถ๐—ผ๐—ป-๐—–๐—ผ๐—ผ๐—ธ๐—ถ๐—ฒ
๐Ÿ”น Server maintains session storage
๐Ÿ”น Browser keeps session ID
๐Ÿ”น Works mainly with browsers, not mobile app friendly

๐—ง๐—ผ๐—ธ๐—ฒ๐—ป
๐Ÿ”น Compatible with mobile apps
๐Ÿ”น Client sends token to server for validation

๐—๐—ช๐—ง (๐—๐—ฆ๐—ข๐—ก ๐—ช๐—ฒ๐—ฏ ๐—ง๐—ผ๐—ธ๐—ฒ๐—ป)
๐Ÿ”น Standard representation of tokens
๐Ÿ”น Digitally signed & verifiable
๐Ÿ”น No need to save session info server-side

๐—ฆ๐—ฆ๐—ข (๐—ฆ๐—ถ๐—ป๐—ด๐—น๐—ฒ ๐—ฆ๐—ถ๐—ด๐—ป-๐—ข๐—ป) & ๐—ข๐—”๐˜‚๐˜๐—ต ๐Ÿฎ.๐Ÿฌ
๐Ÿ”น SSO: Log in once, access multiple sites
๐Ÿ”น Uses CAS (central authentication service)
๐Ÿ”น OAuth 2.0: Authorize one site to access info on another

JWT

Index

  1. What is JWT?
  2. When to use and why?
  3. Application

๐—ช๐—ต๐—ฎ๐˜ ๐—ถ๐˜€ ๐—๐—ช๐—ง?

Securing an API is one of the most important things to do to prevent its abuse. It is done via the authentication and authorisation process, and the most widely used approach is the JWT token-based mechanism.

JSON Web Token is a standard that is used to share information between client and server as a JSON object.

Official Introduction- https://jwt.io/introduction

It is represented as a string that consists of 3 parts: (Memory map JWT[3words 3 parts – H.P.S. – Header Payload Signature])

  1. ๐—›๐—ฒ๐—ฎ๐—ฑ๐—ฒ๐—ฟ: It consists of token type(typ) and signing algorithm that is used(alg). The type will always be JWT, and the signing algorithm can be HMAC SHA256 or RSA.
  2. ๐—ฃ๐—ฎ๐˜†๐—น๐—ผ๐—ฎ๐—ฑ: This part contains related data(mostly for users) known as claims. There are three types of claims:
    • ๐—ฅ๐—ฒ๐—ด๐—ถ๐˜€๐˜๐—ฒ๐—ฟ๐—ฒ๐—ฑ – claims that are recommended to use for interoperability like issuer(iss), subject(sub), expiration time(exp), etc.
    • ๐—ฃ๐˜‚๐—ฏ๐—น๐—ถ๐—ฐ – contains generic information like email, name, or role. Itโ€™s recommended to use collision-resistant names to avoid collision with private claims.
    • ๐—ฃ๐—ฟ๐—ถ๐˜ƒ๐—ฎ๐˜๐—ฒ – custom claims
  3. ๐—ฆ๐—ถ๐—ด๐—ป๐—ฎ๐˜๐˜‚๐—ฟ๐—ฒ: It ensures that the token hasnโ€™t been altered. JWT is signed with the algorithm from a header, and the signature consists of an encoded header and payload, and secret.

Each part is Base64url-encoded and the three parts are separated by dots, so the whole token is a single string that passes easily through HTTP environments, for example in HTTP headers.

Note:

  1. The registered claim names are only three characters long because JWT is meant to be compact.
  2. Although signed tokens are protected against tampering, they are readable by anyone (a Base64 decode is enough). Do not put secret information in the payload or header of a JWT unless it is encrypted. (Note – the token is encoded, not encrypted.)
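As an added worked example (not from the original notes), here is a minimal HS256 JWT built with Python's standard library: each of the three parts (H.P.S.) is Base64url-encoded and dot-joined, the signature covers the encoded header and payload, the payload is readable with no key at all (encoded, not encrypted), and verification pins the algorithm and checks exp. The secret and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret (hypothetical); a real service loads it from a secrets store.
SECRET = b"demo-hmac-secret-not-for-production"

def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, the encoding used for each JWT part."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_jwt(claims: dict, secret: bytes) -> str:
    """Header.Payload.Signature signed with HS256 (HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def read_payload_unverified(token: str) -> dict:
    """No key needed: the payload is encoded, not encrypted, so anyone can read it."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the signature is valid and 'exp' has not passed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the accepted algorithm instead of letting the token's own 'alg' choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" in claims and claims["exp"] <= (now if now is not None else int(time.time())):
        return None
    return claims
```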

Relevant articles on encryption vs encoding

Where is JWT used? (Refer to the official link above for descriptions.)

  1. Authorisation
  2. Information exchange

When to use and why?

In S2S cases, there is no need to maintain additional tokens for a third party.


Application