Global AppSec Amsterdam

Modern applications include Mobile Applications, JS Single Page Applications, APIs, Microservices, etc and we need modern & secure Identity and Access Management solutions to protect them. Unfortunately, Authentication and Authorization related CWEs (Common Weakness and Enumerations) still result in many vulnerabilities in both traditional and modern applications. This eventually results in data breaches. Different studies related to data breaches (Verizon data breach report) clearly show attackers' interest in these vulnerabilities and how they are abusing this. This presentation is focused on a proactive solution to these problems. It's evident that attackers misuse the vulnerabilities in the IAM implementations. This can be secured by reducing the multiple weak IAM implementations and by utilizing centrally managed and more secure IAM solutions using the federation with the security principle of minimization attack surface area. This presentation will cover basic terminologies in IAM, different ways to implement IAM solutions, benefits of the Federation. Comparison between OIDC and SAML. Explanation of different OIDC flows (Authcode flow, Auth Code Flow with PKCE) for modern applications.