SlideShare a Scribd company logo

Touchless security with FLOW3

A
Andreas Förthner

The document discusses security features in the FLOW3 framework, including authorization using access control lists, authentication using multiple providers, validation and filtering of user input, and an application firewall. It notes that FLOW3 provides a basis for secure applications while allowing flexibility through extensible voters, providers, patterns, and validators. Future plans include improving authentication mechanisms and adding channel security, session handling, logging, and administration interfaces.

Technology
1 of 27
Download to read offline
Touchless Security with FLOW3 Andreas Förthner <andreas.foerthner@netlogix.de> T3CON08 Inspiring people to Touchless Security with FLOW3 share
Overview About me What is a Security-Framework good for? Authorization with FLOW3 Configuring security with ACLs Authentication Validation, Filtering and Application Firewall Current status and plans for the future T3CON08 Inspiring people to Touchless Security with FLOW3 share
Introduction About me Andreas Förthner, born 04.12.1985 Working with TYPO3 in customer projects for netlogix in Nuremberg, Germany since 2003 Studying computer science in Erlangen, Germany Member of the TYPO3v5/FLOW3 Core Team since summer 2007 T3CON08 Inspiring people to Touchless Security with FLOW3 share
Introduction What is a Security-Framework good for? Support the developer in creating secure applications Security is handled at a central place Code is as secure as possible by default (?!) Provide a configurable and extensible architecture to secure any part of an application/scenario T3CON08 Inspiring people to Touchless Security with FLOW3 share
Authorization T3CON08 Inspiring people to Touchless Security with FLOW3 share
Authorization What should be protected? As we don't know what should be protected by the framework, we have to be able to protect anything The most general thing to protect are (PHP) functions Someone has to decide, if a functions is allowed to be executed in the current context If it's not allowed, the function call has to be aborted (e.g. by throwing a permission denied exception) T3CON08 Inspiring people to Touchless Security with FLOW3 share
Authorization How to protect? We want to protect PHP functions So the developer has to call the security framework in every single PHP function ?! T3CON08 Inspiring people to Touchless Security with FLOW3 share
Authorization Of course not... We have AOP! With Aspect Oriented Programming (AOP) we can intercept every method, if we need to, without touching the original function code That's why our security is “touchless” ;-) With AOP we can centralize security, although it is used almost everywhere in your application T3CON08 Inspiring people to Touchless Security with FLOW3 share
Authorization The security election – voting for access The access decision is based on the votes of so called access decision voters Access is only granted, if there is at least one “grant vote” and no “deny vote” You can implement your own voters, that may for example take function parameters into account Voters can abstain, if they are not responsible for the current method T3CON08 Inspiring people to Touchless Security with FLOW3 share
Security Policy T3CON08 Inspiring people to Touchless Security with FLOW3 share
Access Control Lists The security policy To tell the system who has access to which methods (the security policy), the standard way is to define Access Control Lists (ACLs) An ACL entry defines which roles (not users!) have which privileges on which resources Privileges: ACCESS_GRANT, ACCESS_DENY, MYPRIVILEGE_GRANT Roles: ADMINISTRATOR, CUSTOMER Resources: MyPackage::MyClass->delete.*() T3CON08 Inspiring people to Touchless Security with FLOW3 share
Access Control Lists Demo T3CON08 Inspiring people to Touchless Security with FLOW3 share
Authentication T3CON08 Inspiring people to Touchless Security with FLOW3 share
Authentication Identifying request partners Tell me your username and password and I'll tell you who you are! Really? Wouldn't it be better to identify him by certificate? or secure token? or ask a LDAP directory? or all together? Cool, but username and password are OK for the online shop... T3CON08 Inspiring people to Touchless Security with FLOW3 share
Authentication Managing authentication You can have more than one authentication provider in place (username/password, ldap, certificate, HTTP Basic, ...) A provider can be active for the whole application or just for a certain part (e.g. certificate authentication only in the extranet area) Configure, if it's enough to authentication one provider successfully or all Develop your own provider by implementing a simple interface and use it right away to authenticate your users T3CON08 Inspiring people to Touchless Security with FLOW3 share
Validation and Filtering T3CON08 Inspiring people to Touchless Security with FLOW3 share
Validation and Filtering Never trust anyone In other words: Never trust any data! Especially GET/POST parameters, cli arguments, session Ids But that's no problem, you all check those things in your applications, right? T3CON08 Inspiring people to Touchless Security with FLOW3 share
Validation and Filtering Accessing parameters in FLOW3 You have to register them, otherwise they won't be available (No access to superglobals!) And you have to register a type! If the type is not correct you'll get an error instead of the parameter You can register filters, to filter the parameter's value (remove HTML/JS code ...) T3CON08 Inspiring people to Touchless Security with FLOW3 share
Validation and Filtering Which types are available? Any you like ;-) A type is represented by a validator, that tells you if a given subject is of a certain type Implement your own validators and use them as a parameter type Of course there are many available in FLOW3 (Integer, Text, Email ...) T3CON08 Inspiring people to Touchless Security with FLOW3 share
Validation and Filtering Demo T3CON08 Inspiring people to Touchless Security with FLOW3 share
Application Firewall T3CON08 Inspiring people to Touchless Security with FLOW3 share
Application Firewall The first line of defense Block bad requests as soon as possible In the firewall you can identify request by so called request patterns (e.g. URL, IP address/range, ...) If a request matches a pattern you can define a security interceptor to be called (deny access, grant access, authentication required, ...) If no pattern matches, access is denied by default T3CON08 Inspiring people to Touchless Security with FLOW3 share
Application Firewall Guess what: You can implement and configure your own patterns and interceptors, if you need something special T3CON08 Inspiring people to Touchless Security with FLOW3 share
FLOW3 Security Summary The security framework does not solve all security related issues, but a lot of them It supports the developer to create secure applications, even if he's no security specialist It gives a strong basis to secure code right away, while leaving the flexibility to extend it to your special needs (access voters, authentication providers, request patterns, validators...) T3CON08 Inspiring people to Touchless Security with FLOW3 share
FLOW3 Security What's next? Implement the missing parts of the current architecture, especially add features like different authentication mechanisms... Add channel security (e.g. a password has to be transmitted over a SSL connection/channel) Implement a secure session handling Add logging to the whole thing Implement nice GUIs to configure policies Test in real world scenarios T3CON08 Inspiring people to Touchless Security with FLOW3 share
So long and thanks for the fish Questions? T3CON08 Inspiring people to Touchless Security with FLOW3 share
Touchless security with FLOW3

Recommended

Network security by sandhya
Network security by sandhyaNetwork security by sandhya
Network security by sandhyasandeepsandy75
 
Security R U Totally Secure !
Security R U Totally Secure ! Security R U Totally Secure !
Security R U Totally Secure ! trendy updates
 
Touchless Technology
Touchless TechnologyTouchless Technology
Touchless TechnologyNani Vasireddy
 
Main ppt
Main pptMain ppt
Main pptManish Mani
 
Touchless Touchscreen Technology
Touchless Touchscreen TechnologyTouchless Touchscreen Technology
Touchless Touchscreen TechnologyAkshay Vasava
 
Touchless technology Seminar Presentation
Touchless technology Seminar PresentationTouchless technology Seminar Presentation
Touchless technology Seminar PresentationAparna Nk
 
Touchless Interactive Screen
Touchless Interactive ScreenTouchless Interactive Screen
Touchless Interactive ScreenGautam.M
 
HCLT Whitepaper: Gesture Recognition using a Touch-less Sensor
HCLT Whitepaper: Gesture Recognition using a Touch-less SensorHCLT Whitepaper: Gesture Recognition using a Touch-less Sensor
HCLT Whitepaper: Gesture Recognition using a Touch-less SensorHCL Technologies
 

Recommended

Network security by sandhya
Network security by sandhyaNetwork security by sandhya
Network security by sandhyasandeepsandy75
 
Security R U Totally Secure !
Security R U Totally Secure ! Security R U Totally Secure !
Security R U Totally Secure ! trendy updates
 
Touchless Technology
Touchless TechnologyTouchless Technology
Touchless TechnologyNani Vasireddy
 
Main ppt
Main pptMain ppt
Main pptManish Mani
 
Touchless Touchscreen Technology
Touchless Touchscreen TechnologyTouchless Touchscreen Technology
Touchless Touchscreen TechnologyAkshay Vasava
 
Touchless technology Seminar Presentation
Touchless technology Seminar PresentationTouchless technology Seminar Presentation
Touchless technology Seminar PresentationAparna Nk
 
Touchless Interactive Screen
Touchless Interactive ScreenTouchless Interactive Screen
Touchless Interactive ScreenGautam.M
 
HCLT Whitepaper: Gesture Recognition using a Touch-less Sensor
HCLT Whitepaper: Gesture Recognition using a Touch-less SensorHCLT Whitepaper: Gesture Recognition using a Touch-less Sensor
HCLT Whitepaper: Gesture Recognition using a Touch-less SensorHCL Technologies
 
Touchless Circular Menus
Touchless Circular MenusTouchless Circular Menus
Touchless Circular MenusDebaleena Chattopadhyay
 
Multi touch interactive screen, MIE Competition
Multi touch interactive screen, MIE CompetitionMulti touch interactive screen, MIE Competition
Multi touch interactive screen, MIE CompetitionHadeel M. Yusef
 
touchless technology
touchless technologytouchless technology
touchless technologyChaitanya Ram
 
Sniffer for-detecting-lost-mobiles
Sniffer for-detecting-lost-mobilesSniffer for-detecting-lost-mobiles
Sniffer for-detecting-lost-mobilesRuqeya Afshan
 
Operational Risk Management in China
Operational Risk Management in ChinaOperational Risk Management in China
Operational Risk Management in ChinaKapronasia
 
Touchless interactivity is the new frontier
Touchless interactivity is the new frontierTouchless interactivity is the new frontier
Touchless interactivity is the new frontierLM3LABS
 
Ambulance drones
Ambulance dronesAmbulance drones
Ambulance dronesmanuel22888
 
AmbulanceDrone
AmbulanceDroneAmbulanceDrone
AmbulanceDroneVasanti Mahajan
 
Drones in Healthcare
Drones in HealthcareDrones in Healthcare
Drones in HealthcareDrone Research
 
CLOCKLESS CHIP BY Saurabh singh
CLOCKLESS CHIP BY Saurabh singhCLOCKLESS CHIP BY Saurabh singh
CLOCKLESS CHIP BY Saurabh singhSaurabh Singh
 
Pico projectors
Pico projectorsPico projectors
Pico projectorsanjithashaji
 
Clockless Chips
Clockless ChipsClockless Chips
Clockless ChipsAngel Dholakia
 
Pico projector
Pico projectorPico projector
Pico projectorJeffrey Funk
 
DakNet PPT
DakNet PPTDakNet PPT
DakNet PPTSeminar Links
 
Touchless Touchscreen
Touchless TouchscreenTouchless Touchscreen
Touchless TouchscreenSaptarshi Dey
 
Touch Screen Technology PRESENTATION
Touch Screen Technology PRESENTATIONTouch Screen Technology PRESENTATION
Touch Screen Technology PRESENTATIONMrQaz996
 
Drones: Present & Future
Drones: Present & FutureDrones: Present & Future
Drones: Present & FutureFresh Digital Group
 
Drones
DronesDrones
DronesAtharva Chavan
 
Touchscreen PPT
Touchscreen PPTTouchscreen PPT
Touchscreen PPT76 Degree Creative
 
Network Security 2016
Network Security 2016 Network Security 2016
Network Security 2016 Mukesh Pathak
 
Chapter 01
Chapter 01Chapter 01
Chapter 01nathanurag
 
Building Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesBuilding Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesJavier González
 

More Related Content

Viewers also liked

Multi touch interactive screen, MIE Competition
Multi touch interactive screen, MIE CompetitionMulti touch interactive screen, MIE Competition
Multi touch interactive screen, MIE CompetitionHadeel M. Yusef
 
touchless technology
touchless technologytouchless technology
touchless technologyChaitanya Ram
 
Sniffer for-detecting-lost-mobiles
Sniffer for-detecting-lost-mobilesSniffer for-detecting-lost-mobiles
Sniffer for-detecting-lost-mobilesRuqeya Afshan
 
Operational Risk Management in China
Operational Risk Management in ChinaOperational Risk Management in China
Operational Risk Management in ChinaKapronasia
 
Touchless interactivity is the new frontier
Touchless interactivity is the new frontierTouchless interactivity is the new frontier
Touchless interactivity is the new frontierLM3LABS
 
Ambulance drones
Ambulance dronesAmbulance drones
Ambulance dronesmanuel22888
 
CLOCKLESS CHIP BY Saurabh singh
CLOCKLESS CHIP BY Saurabh singhCLOCKLESS CHIP BY Saurabh singh
CLOCKLESS CHIP BY Saurabh singhSaurabh Singh
 
Touchless Touchscreen
Touchless TouchscreenTouchless Touchscreen
Touchless TouchscreenSaptarshi Dey
 
Touch Screen Technology PRESENTATION
Touch Screen Technology PRESENTATIONTouch Screen Technology PRESENTATION
Touch Screen Technology PRESENTATIONMrQaz996
 

Viewers also liked (19)

Touchless Circular Menus
Touchless Circular MenusTouchless Circular Menus
Touchless Circular Menus
 
Multi touch interactive screen, MIE Competition
Multi touch interactive screen, MIE CompetitionMulti touch interactive screen, MIE Competition
Multi touch interactive screen, MIE Competition
 
touchless technology
touchless technologytouchless technology
touchless technology
 
Sniffer for-detecting-lost-mobiles
Sniffer for-detecting-lost-mobilesSniffer for-detecting-lost-mobiles
Sniffer for-detecting-lost-mobiles
 
Operational Risk Management in China
Operational Risk Management in ChinaOperational Risk Management in China
Operational Risk Management in China
 
Touchless interactivity is the new frontier
Touchless interactivity is the new frontierTouchless interactivity is the new frontier
Touchless interactivity is the new frontier
 
Ambulance drones
Ambulance dronesAmbulance drones
Ambulance drones
 
AmbulanceDrone
AmbulanceDroneAmbulanceDrone
AmbulanceDrone
 
Drones in Healthcare
Drones in HealthcareDrones in Healthcare
Drones in Healthcare
 
CLOCKLESS CHIP BY Saurabh singh
CLOCKLESS CHIP BY Saurabh singhCLOCKLESS CHIP BY Saurabh singh
CLOCKLESS CHIP BY Saurabh singh
 
Pico projectors
Pico projectorsPico projectors
Pico projectors
 
Clockless Chips
Clockless ChipsClockless Chips
Clockless Chips
 
Pico projector
Pico projectorPico projector
Pico projector
 
DakNet PPT
DakNet PPTDakNet PPT
DakNet PPT
 
Touchless Touchscreen
Touchless TouchscreenTouchless Touchscreen
Touchless Touchscreen
 
Touch Screen Technology PRESENTATION
Touch Screen Technology PRESENTATIONTouch Screen Technology PRESENTATION
Touch Screen Technology PRESENTATION
 
Drones: Present & Future
Drones: Present & FutureDrones: Present & Future
Drones: Present & Future
 
Drones
DronesDrones
Drones
 
Touchscreen PPT
Touchscreen PPTTouchscreen PPT
Touchscreen PPT
 

Similar to Touchless security with FLOW3

Network Security 2016
Network Security 2016 Network Security 2016
Network Security 2016 Mukesh Pathak
 
Building Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesBuilding Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesJavier González
 
The new era of mega trends securtity
The new era of mega trends securtityThe new era of mega trends securtity
The new era of mega trends securtityAhmed Sallam
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 
R U aBLE? BLE Application Hacking
R U aBLE? BLE Application HackingR U aBLE? BLE Application Hacking
R U aBLE? BLE Application HackingTal Melamed
 
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1bora.gungoren
 
network security, group policy and firewalls
network security, group policy and firewallsnetwork security, group policy and firewalls
network security, group policy and firewallsSapna Kumari
 
The Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan WarThe Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan WarMandy Cross
 
Web Server Technologies Part III: Security & Future Musings
Web Server Technologies Part III: Security & Future MusingsWeb Server Technologies Part III: Security & Future Musings
Web Server Technologies Part III: Security & Future MusingsPort80 Software
 
Cyber security & network attack6
Cyber security & network attack6Cyber security & network attack6
Cyber security & network attack6HCL Technologies
 
Watch guard solution
Watch guard solutionWatch guard solution
Watch guard solutionlaonap166
 
FLOW3 Security Framework applied to TYPO3 Phoenix
FLOW3 Security Framework applied to TYPO3 PhoenixFLOW3 Security Framework applied to TYPO3 Phoenix
FLOW3 Security Framework applied to TYPO3 PhoenixAndreas Förthner
 
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Cengage Learning
 

Similar to Touchless security with FLOW3 (20)

Network Security 2016
Network Security 2016 Network Security 2016
Network Security 2016
 
Chapter 01
Chapter 01Chapter 01
Chapter 01
 
Building Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal DevicesBuilding Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal Devices
 
The new era of mega trends securtity
The new era of mega trends securtityThe new era of mega trends securtity
The new era of mega trends securtity
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
R U aBLE? BLE Application Hacking
R U aBLE? BLE Application HackingR U aBLE? BLE Application Hacking
R U aBLE? BLE Application Hacking
 
Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1
 
3D Password PPT
3D Password PPT3D Password PPT
3D Password PPT
 
Is4560
Is4560Is4560
Is4560
 
network security, group policy and firewalls
network security, group policy and firewallsnetwork security, group policy and firewalls
network security, group policy and firewalls
 
Sapna ppt
Sapna pptSapna ppt
Sapna ppt
 
The Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan WarThe Comprehensive Security Policy In The Trojan War
The Comprehensive Security Policy In The Trojan War
 
Web Server Technologies Part III: Security & Future Musings
Web Server Technologies Part III: Security & Future MusingsWeb Server Technologies Part III: Security & Future Musings
Web Server Technologies Part III: Security & Future Musings
 
Bluetooth Hacking
Bluetooth HackingBluetooth Hacking
Bluetooth Hacking
 
Cyber security & network attack6
Cyber security & network attack6Cyber security & network attack6
Cyber security & network attack6
 
Watch guard solution
Watch guard solutionWatch guard solution
Watch guard solution
 
Trusted systems
Trusted systemsTrusted systems
Trusted systems
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
FLOW3 Security Framework applied to TYPO3 Phoenix
FLOW3 Security Framework applied to TYPO3 PhoenixFLOW3 Security Framework applied to TYPO3 Phoenix
FLOW3 Security Framework applied to TYPO3 Phoenix
 
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
Compusecuraphobia – The Fear of HOPING Your Computer is Secure - Course Techn...
 

Recently uploaded

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Recently uploaded (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

Touchless security with FLOW3

  • 1. Touchless Security with FLOW3 Andreas Förthner <andreas.foerthner@netlogix.de> T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 2. Overview About me What is a Security-Framework good for? Authorization with FLOW3 Configuring security with ACLs Authentication Validation, Filtering and Application Firewall Current status and plans for the future T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 3. Introduction About me Andreas Förthner, born 04.12.1985 Working with TYPO3 in customer projects for netlogix in Nuremberg, Germany since 2003 Studying computer science in Erlangen, Germany Member of the TYPO3v5/FLOW3 Core Team since summer 2007 T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 4. Introduction What is a Security-Framework good for? Support the developer in creating secure applications Security is handled at a central place Code is as secure as possible by default (?!) Provide a configurable and extensible architecture to secure any part of an application/scenario T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 5. Authorization T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 6. Authorization What should be protected? As we don't know what should be protected by the framework, we have to be able to protect anything The most general thing to protect are (PHP) functions Someone has to decide, if a functions is allowed to be executed in the current context If it's not allowed, the function call has to be aborted (e.g. by throwing a permission denied exception) T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 7. Authorization How to protect? We want to protect PHP functions So the developer has to call the security framework in every single PHP function ?! T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 8. Authorization Of course not... We have AOP! With Aspect Oriented Programming (AOP) we can intercept every method, if we need to, without touching the original function code That's why our security is “touchless” ;-) With AOP we can centralize security, although it is used almost everywhere in your application T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 9. Authorization The security election – voting for access The access decision is based on the votes of so called access decision voters Access is only granted, if there is at least one “grant vote” and no “deny vote” You can implement your own voters, that may for example take function parameters into account Voters can abstain, if they are not responsible for the current method T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 10. Security Policy T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 11. Access Control Lists The security policy To tell the system who has access to which methods (the security policy), the standard way is to define Access Control Lists (ACLs) An ACL entry defines which roles (not users!) have which privileges on which resources Privileges: ACCESS_GRANT, ACCESS_DENY, MYPRIVILEGE_GRANT Roles: ADMINISTRATOR, CUSTOMER Resources: MyPackage::MyClass->delete.*() T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 12. Access Control Lists Demo T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 13. Authentication T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 14. Authentication Identifying request partners Tell me your username and password and I'll tell you who you are! Really? Wouldn't it be better to identify him by certificate? or secure token? or ask a LDAP directory? or all together? Cool, but username and password are OK for the online shop... T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 15. Authentication Managing authentication You can have more than one authentication provider in place (username/password, ldap, certificate, HTTP Basic, ...) A provider can be active for the whole application or just for a certain part (e.g. certificate authentication only in the extranet area) Configure, if it's enough to authentication one provider successfully or all Develop your own provider by implementing a simple interface and use it right away to authenticate your users T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 16. Validation and Filtering T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 17. Validation and Filtering Never trust anyone In other words: Never trust any data! Especially GET/POST parameters, cli arguments, session Ids But that's no problem, you all check those things in your applications, right? T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 18. Validation and Filtering Accessing parameters in FLOW3 You have to register them, otherwise they won't be available (No access to superglobals!) And you have to register a type! If the type is not correct you'll get an error instead of the parameter You can register filters, to filter the parameter's value (remove HTML/JS code ...) T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 19. Validation and Filtering Which types are available? Any you like ;-) A type is represented by a validator, that tells you if a given subject is of a certain type Implement your own validators and use them as a parameter type Of course there are many available in FLOW3 (Integer, Text, Email ...) T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 20. Validation and Filtering Demo T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 21. Application Firewall T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 22. Application Firewall The first line of defense Block bad requests as soon as possible In the firewall you can identify request by so called request patterns (e.g. URL, IP address/range, ...) If a request matches a pattern you can define a security interceptor to be called (deny access, grant access, authentication required, ...) If no pattern matches, access is denied by default T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 23. Application Firewall Guess what: You can implement and configure your own patterns and interceptors, if you need something special T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 24. FLOW3 Security Summary The security framework does not solve all security related issues, but a lot of them It supports the developer to create secure applications, even if he's no security specialist It gives a strong basis to secure code right away, while leaving the flexibility to extend it to your special needs (access voters, authentication providers, request patterns, validators...) T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 25. FLOW3 Security What's next? Implement the missing parts of the current architecture, especially add features like different authentication mechanisms... Add channel security (e.g. a password has to be transmitted over a SSL connection/channel) Implement a secure session handling Add logging to the whole thing Implement nice GUIs to configure policies Test in real world scenarios T3CON08 Inspiring people to Touchless Security with FLOW3 share
  • 26. So long and thanks for the fish Questions? T3CON08 Inspiring people to Touchless Security with FLOW3 share