Skip to content

Commit

Permalink
Merge pull request #228 from supertokens/update-blog-toc
Browse files Browse the repository at this point in the history
Update blog toc
  • Loading branch information
jscyo authored Mar 27, 2024
2 parents cfa8669 + 17196fe commit 1dbcb05
Show file tree
Hide file tree
Showing 6 changed files with 57 additions and 7 deletions.
10 changes: 10 additions & 0 deletions content/authorization-code-flow-with-pkce/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,16 @@ category: "programming"
author: "Joel Coutinho"
---

## Table of Content
- [Introduction](#introduction)
- [What are the security concerns with OAuth](#what-are-the-security-concerns-with-oauth)
- [How does PKCE solve this issue](#how-does-pkce-solve-this-issue)
- [How does PKCE work](#how-does-pkce-work)
- [What are the problems that PKCE solves](#what-are-the-problems-pkce-solves)
- [Conclusion](#conclusion)

## Introduction

In the authentication space, password based authentication is considered to be the least secure. Most users tend to reuse passwords and not use password managers. This is why [federated identity](https://en.wikipedia.org/wiki/Federated_identity) has gain an increase in popularity in the last decade. OAuth is a a protocol that enables identity federation allowing applications and is key enabling the social login flows we interact with on a daily basis. Although it is very popular, there are a few critical concerns around OAuth and OAuth with Authorization Code flow. This is where Authorization Code flow with Proof Key for Code Exchange comes in.


Expand Down
9 changes: 9 additions & 0 deletions content/otp-vs-totp-vs-hotp/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,15 @@ category: "programming"
author: "Sara Mashfej"
---

## Table of Content
- [Introduction](#introduction)
- [Understanding Multi-factor authentication and OTP](#understanding-multi-factor-authentication-and-otp)
- [One Time Passwords (OTP)](#one-time-passwords-otp)
- [Time based One Time Password (TOTP)](#totp)
- [HMAC-based One-time Password (HOTP)](#hotp)
- [TOTP vs HOTP](#totp-vs-hotp)
- [Conclusion](#conclusion)

## Introduction

Traditional username and password authentication methods have historically served as the default choice for ensuring secure access. However, [nearly half (49%) of incidents](https://www.verizon.com/business/en-gb/resources/reports/dbir/) cited in Verizon's 2023 Data Breach Investigations Report involved compromised passwords.
Expand Down
6 changes: 6 additions & 0 deletions content/phishing-attacks-in-2024/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,12 @@ category: "programming"
author: "Sarah Sanders"
---

## Table of Content
- [Introduction](#introduction)
- [Phishing in a New Era](#phishing-in-a-new-era)
- [Detecting a phish](#detecting-a-phish)
- [Conclusion](#conclusion)


## Introduction

Expand Down
7 changes: 7 additions & 0 deletions content/what-is-credential-stuffing/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,13 @@ category: "programming"
author: "Joel Coutinho"
---

## Table of Content

- [Introduction](#introduction)
- [How does Credential Stuffing work?](#how-does-credential-stuffing-work)
- [How to protect against Credential Stuffing?](#how-to-protect-against-credential-stuffing)
- [Conclusion](#conclusion)

## Introduction

The early 2000's saw a large number of brute force attacks. Attackers would employ bots to generate passwords and try to gain access to user accounts. They would also employ a dictionary of commonly used passwords to supplement the attack. Back then, users would employ simple passwords, that were easy to guess. Over the years websites began to institute password policies, forcing users to generate unique passwords between 8-12 characters, with numerals and special characters. This drastically lowered the success rate of brute force attacks. The problem that remains is that most users tend to reuse passwords across accounts. This makes users susceptible to an attack known as Credential Stuffing.
Expand Down
10 changes: 9 additions & 1 deletion content/what-is-scim-provisioning/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,14 @@ category: "programming"
author: "Sara Mashfej"
---

## Table of Contents
- [Introduction](#introduction)
- [What is SCIM Provisioning](#what-is-scim-provisioning)
- [Why is SCIM Provisioning important](#why-is-scim-provisioning-important)
- [SCIM vs SAML](#scim-vs-saml)
- [SCIM vs SSO](#scim-vs-sso)
- [Conclusion](#conclusion)

## Introduction

In 2024, a staggering 94% of enterprises use cloud applications. The key to improving employee productivity and job performance lies in making the communication between these tools as seamless as possible while providing the necessary security. Administrators play a pivotal role in guaranteeing quick access to essential resources while also maintaining the efficiency of promptly revoking access when it is no longer required.
Expand All @@ -22,7 +30,7 @@ SCIM works by exchanging user identity attributes like a user’s profile, their

![scim provisioning flow](./scim-provisioning-flow.png)

## Why is SCIM provisioning important
## Why is SCIM Provisioning important

Many organizations choose to adopt SCIM today for different reasons, here are some common advantages to SCIM:

Expand Down
22 changes: 16 additions & 6 deletions content/what-is-zero-trust/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,16 @@ category: "programming"
author: "Mostafa Ibrahim"
---

## Table of Content
- [Introduction](#introduction)
- [The Main Concept Behind Zero Trust](#the-main-concept-behind-zero-trust)
- [Key Principles of Zero Trust](#key-principles-of-zero-trust)
- [Benefits of Zero Trust](#benefits-of-zero-trust)
- [How to implement Zero Trust into your application](#how-to-implement-zero-trust-into-your-application)
- [BeyondCorp: Googles implementation of Zero Trust](#beyondcorp-googles-implementation-of-zero-trust)
- [Zero Trust in Action](#zero-trust-in-action)
- [Conclusion](#zero-trust-in-action)

## Introduction


Expand Down Expand Up @@ -53,25 +63,25 @@ Here are five key components or steps that companies must implement to successfu

![Implement zero trust in your application](./implement-zero-trust.png)

## 1. Identifying and Securing the Attack Surface
### 1. Identifying and Securing the Attack Surface
- **Initial Assessment**: Identify potential vulnerabilities in the network and web platforms.
- **Infrastructure Segmentation**: Implement VLANs and network firewalls for segregation and control of network traffic.

## 2. Data Protection and Encryption
### 2. Data Protection and Encryption
- **Data Classification**: Prioritize safeguarding sensitive data across the network and within applications.
- **Encryption Implementation**: Classify and categorize data to apply appropriate encryption and access measures, using [TLS 1.3](https://www.cloudflare.com/learning/ssl/why-use-tls-1.3/) and [AES encryption](https://www.simplilearn.com/tutorials/cryptography-tutorial/aes-encryption) standards.
- **Data Leakage Prevention**: Implement [Data Leakage Prevention](https://www.microsoft.com/en-us/security/business/security-101/what-is-data-loss-prevention-dlp) tools for monitoring data transfer and preventing leaks.

## 3. Comprehensive Application/API Security
### 3. Comprehensive Application/API Security
- **Application Layer Security**: Secure critical applications with Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP).
- **API Management**: Apply OAuth 2.0 and OpenID Connect for secure and delegated authorization.
- **API Gateway Protection**: Protect API gateways using OAuth 2.0 scopes, JSON Web Tokens (JWT) for secure data transmission between services, and mutual TLS (mTLS) for service-to-service authentication.

## 4. Robust Identity and Access Management
### 4. Robust Identity and Access Management
- **IAM Framework Implementation**: Use a [secure identity and access management](https://supertokens.com/) solution for managing access to services and web applications.
- **MFA Integration**: Implement Multi-factor Authentication (MFA) at both the network and application levels.

## 5. Protecting Physical and Digital Assets
### 5. Protecting Physical and Digital Assets
- **Physical Security Extension**: Extend Zero Trust principles to physical devices and endpoints with [Endpoint Detection and Response (EDR)](https://www.trellix.com/security-awareness/endpoint/what-is-endpoint-detection-and-response/) that is installed on endpoint devices such as laptops, desktops, and servers Moreover, utilization of hardware security modules (HSMs).
- **Verification and Authorization**: Ensure strict verification and authorization for physical and digital access, enhancing security for both corporate resources and application services.

Expand Down Expand Up @@ -102,7 +112,7 @@ The primary objective in this research paper, is to enhance security in accessin
- **Gateways**: Include SSH servers, Web proxies, or 802.1x-enabled networks that control access to resources.
- **Resources**: All applications, services, and infrastructure subject to access control, each associated with a minimum trust tier.

## [BeyondCorp and the long tail of Zero Trust](https://www.usenix.org/publications/loginonline/beyondcorp-and-long-tail-zero-trust)
### [BeyondCorp and the long tail of Zero Trust](https://www.usenix.org/publications/loginonline/beyondcorp-and-long-tail-zero-trust)
The main focus of this paper is addressing the latter stages of Google's BeyondCorp migration, focusing on specific or challenging situations that required innovative solutions beyond their core HTTPS-based workflow.

Initially, Google transitioned from a privileged, legacy network to a more secure MNP(Managed Non-Privileged) network. This involved reconfiguring workflows to function within the Zero Trust framework, particularly those relying solely on HTTPS traffic.
Expand Down

0 comments on commit 1dbcb05

Please sign in to comment.