Application Security Workshop

A two-day application security workshop for .NET developers and architects. The first day focuses on application security; the second day takes an in-depth look at the architecture of security-related aspects.

Agenda

What you can expect at the Workshop

1. Day: Application Security

08.30 am - 12.00 am

  • Introduction, goals of the workshop
  • App architecture security overview
  • OpenID Connect, OAuth2 flows

12.00 am lunch

01.15 pm - 06.00 pm

  • DevOps security
  • Protecting the session (client)
  • API authorization
  • Securing SPA applications

06.00 pm End

2. Day: Application Security Architecture

08.30 am - 12.00 am

  • Introduction, goals of the workshop
  • App architecture security overview
  • OpenID Connect, OAuth2 flows (recap)
  • App security architectures

12.00 am lunch

01.15 pm - 06.00 pm

  • Choosing the right identity provider
  • DevOps security advanced
  • API authorization advanced
  • Authorization architecture

06.00 pm End

1. Day: Application Security

Authentication and Security in ASP.NET Core with Azure DevOps

This workshop shows how authentication, authorization and security requirements can be implemented using ASP.NET Core and Azure DevOps with different identity providers. Some of the different approaches when implementing these in SPAs, or ASP.NET Core Razor/ MVC will be explained as well as the different OpenID Connect/ OAuth flows which should be used or can be used for these types of solutions.

The following areas will be covered in depth on the first day

Introduction, Goals of the Workshop

At the beginning we give an overview and introduction to the two workshop days. Afterwards, we define the goals of the day and address the wishes and expectations of the participants.

App Architecture Security Overview

The module provides an overview of application security architecture and explains some of the topics from a top-level perspective. The different areas of application security will be explained, as well as best practices for multi-factor authentication.

OpenID Connect, OAuth2 Flows

Best practices for implementing OAuth and OpenID Connect in software. The recommended flows and how they work are highlighted, and attendees gain a clear understanding of when to use which flow for which application type.

DevOps Security

In the DevOps security part, the focus is on possible attack vectors in the development process and how these can generally be mitigated and detected in relation to the source code by means of static security tests.

Protecting the Session (Client)

Learn how your session can be attacked even if your authentication flow is perfect. Team up with your browser and learn about important security headers. In the exercises, you will demonstrate multiple attacks on an application and learn how to mitigate them.

API Authorization

This module looks at implementing authorization for APIs, exploring the different ways to secure them, for example cookies, self-contained access tokens, or reference tokens with introspection.

Securing SPA Applications

Securing single page applications is hard. There is no single commonly recommended best practice for securing SPA applications. This module shows the current recommendations for implementing security in SPAs, and the backend for frontend (BFF) architecture will be explained.

2. Day: Application Security Architecture

Security Architecture with ASP.NET Core and Azure DevOps

This day shows how security architecture requirements can be planned and designed using ASP.NET Core and Azure DevOps with different identity providers. Some of the different approaches when designing these in cloud solutions and high-security architectures will be explained, as well as the different OpenID Connect/OAuth flows which should be used or can be used for these types of solutions.

We will deepen the following areas on the second day

Introduction, Goals of the Workshop

At the beginning we give an overview and introduction to the two workshop days. Afterwards, we define the goals of the day and address the wishes and expectations of the participants.

App Architecture Security Overview

The module gives an overview of application security architecture and explains some of the topics from a top-level perspective. Topics such as development security, infrastructure security and governance will be explained, as well as how to plan and define security requirements.

OpenID Connect, OAuth2 Flows (Recap)

This is a recap of the application security module and explains the best practices for OAuth and OpenID Connect. The recommended flows and how they work will be highlighted, and attendees should gain a clear understanding of when to use which flow for which application type.

App Security Architectures

Here we explore the architectural requirements for application security. We also draw on application architecture best practices, such as quality attributes, and explain what makes a good security context diagram and what kind of requirements should be visible in a good diagram.

Choosing the Right Identity Provider

Choosing the right identity provider for your software solution is not easy. We explain some of the advantages and disadvantages of the different identity provider products and give you the knowledge to choose the right identity provider for your solution's authentication and authorization.

DevOps Security Advanced

We give an overview of GitHub's features with a focus on its security features, and go into detail in the context of DevOps security, in particular GitHub Actions.

API Authorization Advanced

This module looks at implementing authorization for APIs, exploring topics such as delegated user access tokens and application access tokens. Other topics, such as implementing and using the on-behalf-of flow and using Azure continuous access in your applications, are explained, as well as general and advanced API security topics.

Authorization Architecture

First, we explain the technical implementation of current best practices in implementing authorization in ASP.NET Core applications. Then, we look at the design and planning of the application authorization architecture in software solutions.

Interested? Register now for the next Application Security Workshop.

Contact

Do not hesitate to ask me questions.

Damien Bowden

Software Developer Expert
Dipl. Ing. Electrical Engineering FH, Microsoft Developer Technologies MVP

damien.bowden@isolutions.ch