diff --git a/content/authorization-code-flow-with-pkce/index.md b/content/authorization-code-flow-with-pkce/index.md index 913577e9..b5ac01da 100644 --- a/content/authorization-code-flow-with-pkce/index.md +++ b/content/authorization-code-flow-with-pkce/index.md @@ -7,6 +7,16 @@ category: "programming" author: "Joel Coutinho" --- +## Table of Content +- [Introduction](#introduction) +- [What are the security concerns with OAuth](#what-are-the-security-concerns-with-oauth) +- [How does PKCE solve this issue](#how-does-pkce-solve-this-issue) +- [How does PKCE work](#how-does-pkce-work) +- [What are the problems that PKCE solves](#what-are-the-problems-pkce-solves) +- [Conclusion](#conclusion) + +## Introduction + In the authentication space, password based authentication is considered to be the least secure. Most users tend to reuse passwords and not use password managers. This is why [federated identity](https://en.wikipedia.org/wiki/Federated_identity) has gain an increase in popularity in the last decade. OAuth is a a protocol that enables identity federation allowing applications and is key enabling the social login flows we interact with on a daily basis. Although it is very popular, there are a few critical concerns around OAuth and OAuth with Authorization Code flow. This is where Authorization Code flow with Proof Key for Code Exchange comes in. diff --git a/content/otp-vs-totp-vs-hotp/index.md b/content/otp-vs-totp-vs-hotp/index.md index 1ebe55e1..5649f0dc 100644 --- a/content/otp-vs-totp-vs-hotp/index.md +++ b/content/otp-vs-totp-vs-hotp/index.md 
@@ -7,6 +7,15 @@ category: "programming" author: "Sara Mashfej" --- +## Table of Content +- [Introduction](#introduction) +- [Understanding Multi-factor authentication and OTP](#understanding-multi-factor-authentication-and-otp) +- [One Time Passwords (OTP)](#one-time-passwords-otp) +- [Time based One Time Password (TOTP)](#totp) +- [HMAC-based One-time Password (HOTP)](#hotp) +- [TOTP vs HOTP](#totp-vs-hotp) +- [Conclusion](#conclusion) + ## Introduction Traditional username and password authentication methods have historically served as the default choice for ensuring secure access. However, [nearly half (49%) of incidents](https://www.verizon.com/business/en-gb/resources/reports/dbir/) cited in Verizon's 2023 Data Breach Investigations Report involved compromised passwords. diff --git a/content/phishing-attacks-in-2024/index.md b/content/phishing-attacks-in-2024/index.md index 4d1ae5d6..20856151 100644 --- a/content/phishing-attacks-in-2024/index.md +++ b/content/phishing-attacks-in-2024/index.md @@ -7,6 +7,12 @@ category: "programming" author: "Sarah Sanders" --- +## Table of Content +- [Introduction](#introduction) +- [Phishing in a New Era](#phishing-in-a-new-era) +- [Detecting a phish](#detecting-a-phish) +- [Conclusion](#conclusion) + ## Introduction diff --git a/content/what-is-credential-stuffing/index.md b/content/what-is-credential-stuffing/index.md index 03a2d4a7..b0c8222b 100644 --- a/content/what-is-credential-stuffing/index.md +++ b/content/what-is-credential-stuffing/index.md 
@@ -7,6 +7,13 @@ category: "programming" author: "Joel Coutinho" --- +## Table of Content + +- [Introduction](#introduction) +- [How does Credential Stuffing work?](#how-does-credential-stuffing-work) +- [How to protect against Credential Stuffing?](#how-to-protect-against-credential-stuffing) +- [Conclusion](#conclusion) + ## Introduction The early 2000's saw a large number of brute force attacks. Attackers would employ bots to generate passwords and try to gain access to user accounts. They would also employ a dictionary of commonly used passwords to supplement the attack. Back then, users would employ simple passwords, that were easy to guess. Over the years websites began to institute password policies, forcing users to generate unique passwords between 8-12 characters, with numerals and special characters. This drastically lowered the success rate of brute force attacks. The problem that remains is that most users tend to reuse passwords across accounts. This makes users susceptible to an attack known as Credential Stuffing. diff --git a/content/what-is-scim-provisioning/index.md b/content/what-is-scim-provisioning/index.md index ee8d5657..16d920a8 100644 --- a/content/what-is-scim-provisioning/index.md +++ b/content/what-is-scim-provisioning/index.md 
@@ -7,6 +7,14 @@ category: "programming" author: "Sara Mashfej" --- +## Table of Contents +- [Introduction](#introduction) +- [What is SCIM Provisioning](#what-is-scim-provisioning) +- [Why is SCIM Provisioning important](#why-is-scim-provisioning-important) +- [SCIM vs SAML](#scim-vs-saml) +- [SCIM vs SSO](#scim-vs-sso) +- [Conclusion](#conclusion) + ## Introduction In 2024, a staggering 94% of enterprises use cloud applications. The key to improving employee productivity and job performance lies in making the communication between these tools as seamless as possible while providing the necessary security. Administrators play a pivotal role in guaranteeing quick access to essential resources while also maintaining the efficiency of promptly revoking access when it is no longer required. @@ -22,7 +30,7 @@ SCIM works by exchanging user identity attributes like a user’s profile, their ![scim provisioning flow](./scim-provisioning-flow.png) -## Why is SCIM provisioning important +## Why is SCIM Provisioning important Many organizations choose to adopt SCIM today for different reasons, here are some common advantages to SCIM: diff --git a/content/what-is-zero-trust/index.md b/content/what-is-zero-trust/index.md index eeb78e86..f0037232 100644 --- a/content/what-is-zero-trust/index.md +++ b/content/what-is-zero-trust/index.md @@ -7,6 +7,16 @@ category: "programming" author: "Mostafa Ibrahim" --- +## Table of Content +- [Introduction](#introduction) +- [The Main Concept Behind Zero Trust](#the-main-concept-behind-zero-trust) +- [Key Principles of Zero Trust](#key-principles-of-zero-trust) +- [Benefits of Zero Trust](#benefits-of-zero-trust) +- [How to implement Zero Trust into your application](#how-to-implement-zero-trust-into-your-application) +- [BeyondCorp: Googles implementation of Zero Trust](#beyondcorp-googles-implementation-of-zero-trust) +- [Zero Trust in Action](#zero-trust-in-action) +- [Conclusion](#zero-trust-in-action) + ## Introduction 
@@ -53,25 +63,25 @@ Here are five key components or steps that companies must implement to successfu ![Implement zero trust in your application](./implement-zero-trust.png) -## 1. Identifying and Securing the Attack Surface +### 1. Identifying and Securing the Attack Surface - **Initial Assessment**: Identify potential vulnerabilities in the network and web platforms. - **Infrastructure Segmentation**: Implement VLANs and network firewalls for segregation and control of network traffic. -## 2. Data Protection and Encryption +### 2. Data Protection and Encryption - **Data Classification**: Prioritize safeguarding sensitive data across the network and within applications. - **Encryption Implementation**: Classify and categorize data to apply appropriate encryption and access measures, using [TLS 1.3](https://www.cloudflare.com/learning/ssl/why-use-tls-1.3/) and [AES encryption](https://www.simplilearn.com/tutorials/cryptography-tutorial/aes-encryption) standards. - **Data Leakage Prevention**: Implement [Data Leakage Prevention](https://www.microsoft.com/en-us/security/business/security-101/what-is-data-loss-prevention-dlp) tools for monitoring data transfer and preventing leaks. -## 3. Comprehensive Application/API Security +### 3. Comprehensive Application/API Security - **Application Layer Security**: Secure critical applications with Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP). - **API Management**: Apply OAuth 2.0 and OpenID Connect for secure and delegated authorization. - **API Gateway Protection**: Protect API gateways using OAuth 2.0 scopes, JSON Web Tokens (JWT) for secure data transmission between services, and mutual TLS (mTLS) for service-to-service authentication. -## 4. Robust Identity and Access Management +### 4. 
Robust Identity and Access Management - **IAM Framework Implementation**: Use a [secure identity and access management](https://supertokens.com/) solution for managing access to services and web applications. - **MFA Integration**: Implement Multi-factor Authentication (MFA) at both the network and application levels. -## 5. Protecting Physical and Digital Assets +### 5. Protecting Physical and Digital Assets - **Physical Security Extension**: Extend Zero Trust principles to physical devices and endpoints with [Endpoint Detection and Response (EDR)](https://www.trellix.com/security-awareness/endpoint/what-is-endpoint-detection-and-response/) that is installed on endpoint devices such as laptops, desktops, and servers Moreover, utilization of hardware security modules (HSMs). - **Verification and Authorization**: Ensure strict verification and authorization for physical and digital access, enhancing security for both corporate resources and application services. 
@@ -102,7 +112,7 @@ The primary objective in this research paper, is to enhance security in accessin - **Gateways**: Include SSH servers, Web proxies, or 802.1x-enabled networks that control access to resources. - **Resources**: All applications, services, and infrastructure subject to access control, each associated with a minimum trust tier. -## [BeyondCorp and the long tail of Zero Trust](https://www.usenix.org/publications/loginonline/beyondcorp-and-long-tail-zero-trust) +### [BeyondCorp and the long tail of Zero Trust](https://www.usenix.org/publications/loginonline/beyondcorp-and-long-tail-zero-trust) The main focus of this paper is addressing the latter stages of Google's BeyondCorp migration, focusing on specific or challenging situations that required innovative solutions beyond their core HTTPS-based workflow. Initially, Google transitioned from a privileged, legacy network to a more secure MNP(Managed Non-Privileged) network. This involved reconfiguring workflows to function within the Zero Trust framework, particularly those relying solely on HTTPS traffic.
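Review bot: in `content/authorization-code-flow-with-pkce/index.md`, the entry `[What are the problems that PKCE solves](#what-are-the-problems-pkce-solves)` has link text that does not match its slug (the text contains "that", the slug does not), so one of the two disagrees with the actual heading; check the heading and make text and anchor agree. The heading here reads "Table of Content" while the SCIM file in the same patch uses "Table of Contents"; use the latter spelling in all six files. Since this file is being touched anyway, the context line right below the new heading has three typos worth fixing in the same PR: "has gain an increase" (gained), "OAuth is a a protocol" (duplicated "a"), and "allowing applications and is key enabling" (a word is missing).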
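Review bot: in `content/otp-vs-totp-vs-hotp/index.md`, the anchors `#totp` and `#hotp` do not follow the auto-generated slug pattern the other entries use (compare `#totp-vs-hotp` for "TOTP vs HOTP"); a heading "Time based One Time Password (TOTP)" slugs to `#time-based-one-time-password-totp`, so these two links only resolve if the headings are literally "TOTP" and "HOTP" or carry explicit anchors. Verify against the headings in the file and correct the slugs if needed.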
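Review bot: in `content/what-is-credential-stuffing/index.md`, the Table of Content block has a blank line between the heading and the list, unlike the other five files in this patch; harmless in Markdown, but either add the blank line everywhere or drop it here so the blocks are identical across posts.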
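Review bot: in `content/what-is-scim-provisioning/index.md`, the second hunk's change from "## Why is SCIM provisioning important" to "## Why is SCIM Provisioning important" is cosmetic only: slugs are lowercased, so `#why-is-scim-provisioning-important` resolved before and after; fine as a title-case fix, but the commit should say so. This file also spells "Table of Contents" correctly where the other five say "Table of Content"; align the others to this one.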
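Review bot: in `content/what-is-zero-trust/index.md`, the last TOC entry `[Conclusion](#zero-trust-in-action)` points at the wrong section (copy-paste of the previous line); it should be `[Conclusion](#conclusion)`. The link text "BeyondCorp: Googles implementation of Zero Trust" is missing the apostrophe ("Google's"); the slug `#beyondcorp-googles-implementation-of-zero-trust` stays valid either way since apostrophes are stripped from slugs.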
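Review bot: in the `@@ -53,25 +63,25 @@` hunk of `content/what-is-zero-trust/index.md`, demoting the five numbered "## N." headings to "###" correctly nests them under "How to implement Zero Trust into your application", which is why the TOC lists only the parent; no objection. While in this block, the context line under "5. Protecting Physical and Digital Assets" runs "...laptops, desktops, and servers Moreover, utilization of hardware security modules (HSMs)." with no sentence break; it needs a full stop after "servers" and the fragment rewritten as a sentence.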
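Review bot: in the `@@ -102,7 +112,7 @@` hunk of `content/what-is-zero-trust/index.md`, the demotion of "BeyondCorp and the long tail of Zero Trust" to "###" is consistent with the new TOC, but the surrounding context ("The primary objective in this research paper...") shows this is the second of two paper summaries; confirm the first paper's heading was demoted to "###" as well so both sit at the same level under the BeyondCorp section. The context line "MNP(Managed Non-Privileged)" is also missing a space before the parenthesis.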