Global AppSec DC 2019

Online verification of identity today extends across microservices, cloud providers, IoT devices, emerging systems and end user. In a brief study we conducted on 100 most visited websites, over 95% supported authenticated sessions with more than 97% of these are username and password based. 81% of discovered breaches are due to broken authentication, indicate there is still a problem to solve and this is the focus of our talk.

Developers are generally aware of different authentication methods used for secure interaction between these entities, but most often miss out on best practices. In this context, we discuss popular authentication schemes like SAML, OAuth, token, magic links, adopted by developers today and emerging ones like WebAuthN. We will present incorrectly coded authentication patterns observed from our study and also highlight recurring mistakes like MFA bypass, token leakages and other authentication misconfigurations. Finally, we provide secure blueprints that developers can leverage to bake security into their software development lifecycle.