This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Bucharest AppSec Conference 2018 Agenda Talks"

From OWASP
Jump to: navigation, search
Line 22: Line 22:
 
|-
 
|-
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11:30<br>(45 mins)  
 
| style="width:10%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | 10:45 - 11:30<br>(45 mins)  
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | Access control, REST and sessions
  
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" |  
+
| style="width:25%" valign="middle" height="30" bgcolor="#EEEEEE" align="center" colspan="0" | [https://www.linkedin.com/in/johanpeeters Johan Peeters]
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |
+
| style="width:40%" valign="middle" height="30" bgcolor="#EEEEEE" align="justify" colspan="0" |There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up. <br>
 +
REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective. <br>
 +
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user.<br>
 +
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.
  
 
|-
 
|-

Revision as of 18:29, 12 August 2018

Conference agenda, 26th of October

Time Title Speaker Description
9:00 - 9:30
(30 mins) 		Registration and coffee break
9:30 - 9:45
(15 mins) 		Introduction Oana Cornea Introduction to the OWASP Bucharest Event, Schedule for the Day
9:45 - 10:30
(45 mins) 		Browsers - For better or worse ... Renato Rodrigues It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
10:45 - 11:30
(45 mins) 		Access control, REST and sessions Johan Peeters There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up.

REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective.
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user.
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.

11:45 - 12:30
(45 mins)
12:30 - 13:30
(60 mins) 		Lunch/Coffee Break
13:30 - 14:15
(40 mins) 		Women in AppSec Panel

WiA 400x400.jpg

14:20 - 15:05
(45 mins)
15:05 - 15:20
(15 mins) 		Coffee break
15:20 - 16:05
(45 mins)
16:05 - 16:50
(45 mins)
16:50 - 17:00
(15 mins) 		Closing ceremony OWASP Bucharest team CTF Prizes
Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Bucharest_AppSec_Conference_2018_Agenda_Talks&oldid=242471"