Software Engineering Daily
Simplifying Application Development Security
Security is an integral and often challenging component in application development. Developers focus on the functionality of the frontend and backend, but they may be unaware of potential security design flaws in their implementations and APIs. OAuth and OpenID Connect (OIDC) provide a standardized security framework for protecting applications.
Authlete is a service solution that streamlines development of security components. Software Engineering Daily’s Gregor Vand recently spoke with the Principal Architect at Authlete, Justin Richer, to discuss common authorization, identity, and security challenges, and the solution landscape. You can find their full conversation here.
The Gap Between Developers and Security Professionals
Developers’ interest, and often their time, is focused on adding functionality to applications. The security of these systems can seem opaque, since security is a specialty that many developers are not fully familiar or comfortable with. As a consequence, design problems often emerge as applications are built.
“Sometimes, the security team shows up and says, you can’t connect everything together because that’s not secure,” explained Authlete’s Justin Richer. Security professionals often start with the desire to lock the system down and protect confidential information. Consequently, security gets in the way of the application developer, who wants to provide functionality to connect data, people, and processes. The functionality and security viewpoints can clash because their goals differ.
Security Systems Have to be Collaborative
As a result, a fresh outlook and approach are needed. As Gregor noted, “the juxtaposition of collaboration and security does not initially sound like they can coexist, but they have to.”
Humans use security solutions, and people often interact with these products in ways the vendors did not design for or even consider. Enterprises must therefore create security checks that keep information secure without preventing people from completing their work, which is often a difficult balancing act.
What are OAuth and OpenID Connect?
Two key building blocks of modern application security are OAuth, from the IETF, and OpenID Connect, from the OpenID Foundation. Each of these standards plays a key role in ensuring security, but the specifications can be challenging for developers to work with.
While often thought of as an authorization protocol, OAuth is fundamentally a delegation protocol. “OAuth excels whenever you have multiple systems and need to provide an abstract security layer,” noted Authlete’s Justin Richer. In a delegation protocol, a user possesses a set of system rights to perform certain tasks, such as accessing a record or updating certain metadata. Users delegate specific subsets of those rights to applications, which exercise them on the user’s behalf. How does OAuth accomplish this? OAuth creates an artifact called an access token that encompasses not only the end user’s rights but also the identity of the software to which they were delegated.
Here are the steps in the delegation process:
The OAuth delegation process. Image from OAuth 2 In Action by Justin Richer and Antonio Sanso. Manning Publications 2017. Used with permission.
A user, known as the Resource Owner (RO) in OAuth terminology, has access to an API, known as the Protected Resource, hosted on the Resource Server (RS). The RO wants a piece of software, known as the Client, to act on their behalf at the RS. The RO can authenticate to the system to prove who they are and that they have access, but we don’t want the RO to give those credentials to the Client. OAuth provides an Authorization Server (AS) to facilitate the RO giving the Client delegated access, through the use of an access token. The access token represents the combination of all the parties in the OAuth protocol and the access being given, and it can be used by the Client to call the RS.
The OAuth standard simplifies typical API integration work by allowing the Client and RS to never deal with the user’s credentials, and it allows the user to be very deliberate about what kinds of access they want to give the Client application.
The second component, OpenID Connect, works with OAuth. OAuth enables users to securely delegate certain rights to pieces of software, but OAuth does not tell the software who the user is. OpenID Connect works by allowing the user to delegate their own identity information to the client software from the AS, which becomes an Identity Provider (IdP) in OIDC. The IdP provides information about who the user is alongside the access token from OAuth. “Let’s say an app needs all of the extended profile information, such as address, email, and other personal data. A developer writes an API call to do that. That API call is protected by an OAuth access token and it’s the same OAuth access token that I got when I made the call that said who is the user. That access token could also be used for many other functions: getting their calendar information, looking at their bank account history, checking their health record, or any other type of transaction. All these features are possible, but developers need to create them in order to use them.”
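The delegation flow described above, as an added example that is not part of the article and not Authlete’s code: a toy, in-process Authorization Server (which also acts as the OIDC Identity Provider), a Resource Server that checks bearer tokens through introspection, and a Client that verifies the ID token it receives. Everything in it is assumed for the example: the user `alice`, the client `calendar-app`, the scope `calendar:read`, the issuer URL, the signing key, the opaque-token-plus-introspection style, and the HMAC-signed ID token (a stand-in for the asymmetric signature and JWT handling a real IdP would use).

```python
"""Toy OAuth 2.0 delegation flow with an OIDC ID token (added example, not Authlete code).
Roles follow the article: Resource Owner (RO), Client, Authorization Server (AS, which also
acts as the OIDC Identity Provider) and Resource Server (RS). Every user, client, scope,
key and URL below is constructed for this example."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SCOPE_CALENDAR = "calendar:read"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


class AuthorizationServer:
    """Authenticates the RO, issues opaque access tokens and answers introspection."""
    def __init__(self, signing_key):
        self._key = signing_key
        # Constructed RO accounts: credentials live here, never with the Client
        # (sha256 is a stand-in; a real AS uses a slow password hash).
        self._users = {"alice": {"pw": hashlib.sha256(b"correct horse").digest(),
                                 "email": "alice@example.test"}}
        # Constructed client registry: the scopes each Client may be delegated.
        self._clients = {"calendar-app": {SCOPE_CALENDAR, "openid"}}
        self._tokens = {}  # opaque token -> who delegated what to whom, until when

    def _authenticate(self, username, password):
        user = self._users.get(username)
        digest = hashlib.sha256(password.encode()).digest()
        return user is not None and hmac.compare_digest(user["pw"], digest)

    def authorize(self, username, password, client_id, scopes, ttl=300, now=None):
        """RO proves who they are to the AS and delegates `scopes` to `client_id`."""
        now = time.time() if now is None else now
        if not self._authenticate(username, password):
            raise PermissionError("resource owner authentication failed")
        if not set(scopes) <= self._clients.get(client_id, set()):
            raise PermissionError("client not registered for the requested scopes")
        token = secrets.token_urlsafe(32)
        # The token binds all parties: the RO (sub), the Client, and the access granted.
        self._tokens[token] = {"sub": username, "client_id": client_id,
                               "scope": set(scopes), "exp": now + ttl}
        grant = {"access_token": token, "token_type": "Bearer",
                 "scope": " ".join(sorted(scopes))}
        if "openid" in scopes:  # OIDC: identity travels alongside the access token
            grant["id_token"] = self._id_token(username, client_id, now, ttl)
        return grant

    def introspect(self, token, now=None):
        """What the RS asks the AS: is this token live, for whom, and for what?"""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] <= now:
            return {"active": False}
        return {"active": True, **rec}

    def _id_token(self, sub, aud, now, ttl):
        claims = {"iss": "https://as.example.test", "sub": sub, "aud": aud, "iat": int(now),
                  "exp": int(now + ttl), "email": self._users[sub]["email"]}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return (body + b"." + _b64(hmac.new(self._key, body, hashlib.sha256).digest())).decode()


def verify_id_token(id_token, key, expected_aud, now=None):
    """Client-side ID token check (HMAC stands in for the IdP's asymmetric signature)."""
    now = time.time() if now is None else now
    body, sig = id_token.encode().split(b".")
    if not hmac.compare_digest(sig, _b64(hmac.new(key, body, hashlib.sha256).digest())):
        raise ValueError("bad ID token signature")
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    if claims["aud"] != expected_aud or claims["exp"] <= now:
        raise ValueError("ID token not issued for this client, or expired")
    return claims


class ResourceServer:
    """Hosts the Protected Resource; trusts introspection and never sees RO credentials."""
    def __init__(self, auth_server):
        self._as = auth_server
        self._calendars = {"alice": ["2024-05-01 standup"]}  # constructed resource data

    def get_calendar(self, bearer_token, now=None):
        info = self._as.introspect(bearer_token, now)
        if not info["active"]:
            raise PermissionError("invalid or expired access token")
        if SCOPE_CALENDAR not in info["scope"]:
            raise PermissionError("token lacks the " + SCOPE_CALENDAR + " scope")
        return list(self._calendars.get(info["sub"], []))  # the RO's data, not the Client's


def run_demo(now=1_700_000_000.0):
    """Whole exchange: RO->AS (login + delegation), Client->RS (bearer), Client checks ID token."""
    key = b"constructed-demo-key"
    authz = AuthorizationServer(key)
    rs = ResourceServer(authz)
    grant = authz.authorize("alice", "correct horse", "calendar-app", [SCOPE_CALENDAR, "openid"], now=now)
    events = rs.get_calendar(grant["access_token"], now=now)
    identity = verify_id_token(grant["id_token"], key, "calendar-app", now=now)
    return grant, events, identity
```

`run_demo()` walks the happy path: the password is presented only to the AS, the Client receives an access token and an ID token, and the RS learns who the Client is acting for by asking the AS rather than by seeing any credential. The same objects also show the failure modes a practitioner cares about: a grant that carries only `openid` is refused by the RS for lack of scope, a token is inactive once its `exp` passes, and an ID token minted for one client fails verification when presented as another’s.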
A Hosted Security Solution
When building out a protected system, developers need to have dedicated components like the AS to provide key security functionalities. Building an OAuth AS and an OIDC IdP is a formidable task, but many deployments need a level of flexibility and power that only building can provide. But how could you go about building such an important security component?
Authlete is a unique product because it’s a hosted service that provides OAuth and OpenID Connect support functions. What is different from other services is that Authlete does not host the entire platform that handles user authentication, accounts, or attributes. Instead, it supplies support for the OAuth and OpenID Connect protocol pieces where and when they are needed.
“Authlete really shines in the space where developers want to build out something custom and have it run in their environment and programming language,” explained Authlete’s Richer. A developer needs to build an IdP or AS. A request comes in to the developer’s implementation, say a token endpoint request or an authorization endpoint request. The software then calls the Authlete service, which examines the request: Is this request formed correctly? Is everything formatted properly? Which extensions are valid? What should the response be?
Authlete provides developers with an SDK that features an OAuth library they can call and use as needed, but instead of being a static library, “the solution is backed by a live service,” said Authlete’s Richer. Authlete stores the protocol state, which allows it to manage data over time. It handles tokens, keys, and other information so the application developer doesn’t need to account for these directly. Authlete also provides libraries to ease integration, “our libraries turn around and they call the right endpoint with a properly formatted REST request. The API itself is really straightforward.” Some of Authlete’s largest customers have been able to take advantage of this by integrating directly with the API without needing to use an SDK, which wasn’t available in their preferred development platform.
In essence, the developer builds their own authorization server. They provide the application rights and privileges and the OAuth and OpenID parts. Therefore, they concentrate on shipping the features of their application or service. The Authlete service provides only the security layers that matter to their applications.
As a result, instead of taking an off-the-shelf software project and building their own security system on top of it, developers have a world-class system on which they build out their own customized functionality. Nor do developers need to give over all control to a fully hosted service. With the Authlete product, customers retain the control and flexibility that a custom solution provides but don’t have to become experts in the details of the interoperability layer that OAuth and OpenID provide.
Prioritizing Security and Data Control
The solution has found adoption in multiple industries, with particular use in the banking industry. “In the financial sector, Authlete gives enterprises the ability to hold all of the sensitive information close to themselves,” explained Richer. “We don’t store user accounts. We don’t store names and passwords and addresses and account numbers and all of that other stuff. Instead, they tell us, I need an access token for the following subject identifier with the following rights and we deliver it.” Privacy-driven regulations and consumer demand for privacy protections are changing how companies architect and deploy their systems, especially with regard to hosted services. Handing personal data to a cloud service is not a choice to be taken lightly, especially in highly regulated verticals. Authlete’s semi-hosted architecture allows its customers to retain control over sensitive financial data and provide a service that is hosted and controlled by the customer’s own systems, while at the same time providing a state-of-the-art implementation of the security protocols that protect these systems.
Security is an important but difficult aspect of modern systems, and deploying security protocols like OAuth and OIDC brings its own benefits and challenges. At the end of the day, developers want to provide the best functionality for their users, and Authlete provides a compelling and unique approach to securing that functionality.
Check out https://events.authlete.com/sed to try out Authlete for an extended 90-day free trial.
Full Disclosure: Authlete is a sponsor of Software Engineering Daily
The post Making OAuth and OIDC Accessible to Developers appeared first on Software Engineering Daily.
OAuth is an open standard for access delegation. It lets users grant websites or applications access to their information on other websites, but without giving away passwords.
OpenID Connect is an identity layer on top of OAuth. Even if you haven’t programmed using OAuth and OpenID Connect, you’ve certainly used them for authentication on Google, Facebook, Spotify, and countless other services.
Authlete is a service that provides a set of APIs to implement OAuth authorization servers, and OpenID Connect identity providers.
Justin Richer is the Principal Architect at Authlete and is part of the working group that developed OAuth 2.0. He joins the podcast to talk about the history of OAuth, OAuth as a delegation protocol, the Authlete API, and much more.
Check out https://events.authlete.com/sed to try out Authlete for an extended 90-day free trial.
Full Disclosure: This episode is sponsored by Authlete.
Gregor Vand is a security-focused technologist, and is the founder and CTO of Mailpass. Previously, Gregor was a CTO across cybersecurity, cyber insurance and general software engineering companies. He has been based in Asia Pacific for almost a decade and can be found via his profile at vand.hk.
The post Authlete and Making OAuth Accessible with Justin Richer appeared first on Software Engineering Daily.
Corbado is an authentication platform that provides APIs for developers to replace passwords with passkeys such as Face ID or Touch ID.
Vincent Delitz is a Co-Founder at Corbado and he joins the show to talk about the platform, the changing authentication landscape, the challenge of session management with passkeys, and more.
The post Biometric Authentication with Vincent Delitz appeared first on Software Engineering Daily.
SimpleWebAuthn is an open source TypeScript-centric pair of libraries – frontend and backend – that make it easier for devs to implement WebAuthn on the web.
Matthew Miller started the project in 2019 and it has grown in tandem with the popularization of WebAuthn. He joins the podcast today to talk about the history of the project starting from the first commit, the problems it solves, its design, and more.
The post SimpleWebAuthn with Matthew Miller appeared first on Software Engineering Daily.
Security issues can often be traced back to small misconfigurations in a database or cloud service, or an innocent code commit. OpsHelm is a security platform that’s oriented around identifying and fixing these issues.
Kyle McCullough is the Co-Founder and CTO of OpsHelm and he has deep experience in backend and data engineering. He joins the show to talk about the challenges of security incident monitoring, prioritization, and response.
This episode is hosted by Tyson Kunovsky. Tyson is the co-founder and CEO of AutoCloud, an infrastructure as code platform. He is originally from South Africa, and has a background in software engineering and cloud development. When he’s not busy designing new GitOps workflows, he enjoys skiing, riding motorcycles, and reading sci-fi books. Check the show notes for more information on Tyson’s work, and where to find him.
The post OpsHelm with Kyle McCullough appeared first on Software Engineering Daily.
Software supply chain security is a major challenge in the modern engineering environment. Many teams are working to establish best practices to proactively identify, fix, and prevent risks in their applications. Apiiro is a platform designed to solve this problem and gives risk visibility, prioritization, and remediation.
Yonatan Eldar is the Co-Founder and CTO at Apiiro and he joins the podcast to talk about the platform, application security posture management, and more.
Full Disclosure: 10KMedia is a sponsor of Software Engineering Daily.
The post Apiiro Security Posture Management with Yonatan Eldar appeared first on Software Engineering Daily.
Ransomware attacks involve the deployment of malware that blocks access to a user’s or organization’s computer files by encrypting them. The attackers then demand a ransom payment in exchange for the decryption key that will restore access to the files. These attacks are often directed at governments and corporations, and can be costly.
Veeam is a data storage system that was designed specifically to provide protection against ransomware attacks. Object First is a system that works with Veeam to increase its safety and security.
Anthony Cusimano is the Director of Technical Marketing at Object First and he joins the podcast to talk about the growing sophistication of ransomware attacks and the emerging technologies to block them.
This episode is hosted by Lee Atchison. Lee Atchison is a software architect, author, and thought leader on cloud computing and application modernization. His best-selling book, Architecting for Scale (O’Reilly Media), is an essential resource for technical teams looking to maintain high availability and manage risk in their cloud environments.
Lee is the host of his podcast, Modern Digital Business, an engaging and informative podcast produced for people looking to build and grow their digital business with the help of modern applications and processes developed for today’s fast-moving business environment. Listen at mdb.fm. Follow Lee at softwarearchitectureinsights.com, and see all his content at leeatchison.com.
The post Blocking Ransomware Attacks with Anthony Cusimano appeared first on Software Engineering Daily.
One of the most famous software exploits in recent years was the SolarWinds attack in 2020. In this attack, Russian hackers inserted malicious code into the SolarWinds Orion system, allowing them to infiltrate the systems of numerous corporations and government agencies, including the U.S. executive branch, military, and intelligence services.
This was an example of a software supply chain attack, which exploits interdependencies within software ecosystems. Software supply chain security is a growing issue, and is particularly important for companies that rely on large numbers of open source dependencies.
Michael Lieberman is the Co-Founder and CTO of Kusari and has an extensive background in software security from his time at Citibank, MUFG and Bridgewater. He’s also active in the open source and security communities, including the Open Source Security Foundation and Cloud Native Computing Foundation. Michael joins the show today to talk about challenges and strategies in software supply chain security.
The post Software Supply Chain Security with Michael Lieberman appeared first on Software Engineering Daily.
This episode of Software Engineering Daily is part of our on-site coverage of KubeCon 2023, which took place from November 6th through 9th in Chicago.
In today’s interview, host Jordi Mon Companys speaks with Santiago Torres-Arias who is a contributor to Sigstore, which is a system to register software supply chain actors using federated identity management.
Jordi Mon Companys is a product manager and marketer who specializes in software delivery, developer experience, cloud native and open source. He has developed his career at companies like GitLab, Weaveworks, Harness and other platform and devtool providers. His interests range from software supply chain security to open source innovation. You can reach him on Twitter at @jordimonpmm.
The post KubeCon Special: Sigstore with Santiago Torres-Arias appeared first on Software Engineering Daily.
The Hypertext Transfer Protocol, or HTTP, is used to load webpages using hypertext links, and it’s the foundation of the web. Tim Berners-Lee famously created HTTP version 0.9 in 1989, and defined the essential behavior of a client and a server. Version 1.0 was eventually finalized in 1996, and its secure variant, HTTPS, is now used on more than 80% of websites. HTTP continues to undergo intense development, and version 3 is now being actively adopted across the tech industry.
Nick Shadrin is a Software Architect at NGINX, and Roman Arutyunyan is a Principal Software Engineer at NGINX. Nick and Roman are experts in HTTP and they join the show today to tell the history of its evolution since 1989, and how NGINX is implementing support for HTTP/3.
Full disclosure: NGINX is a sponsor of Software Engineering Daily.
Mike Bifulco is CTO and co-founder of Craftwork. He’s also a developer advocate, writer, podcaster and serial startup founder. In past lives, Mike worked for Google, Stripe, Microsoft, and Gymnasium. Mike is also co-founder of APIs You Won’t Hate, a community for API developers on the web. Mike publishes a weekly newsletter for product builders called Tiny Improvements at mikebifulco.com. Mike is on Mastodon at https://hachyderm.io/@irreverentmike
The post The Future of HTTP with Nick Shadrin and Roman Arutyunyan appeared first on Software Engineering Daily.
The post Minimum Viable Security for Cloud Apps with David Melamed appeared first on Software Engineering Daily.