Articles

Defence in Depth: Identity modelling (part 1/7)

Virtually all of the systems we are building today share data via public networks. We rarely want that data to be available to everyone, so we restrict access to it.

Defence in Depth: Claims-based access control (part 2/7)

In the previous article, we talked about what information we require to achieve strong access control. This article looks at how we convey the scopes and audiences the user has approved, the user's identity and login details, and the permissions we use for access control.

Defence in Depth: Clients and sessions (part 3/7)

In the first two articles, we discussed how to design your system in order to build strong access control. We looked at how you can strike the right balance in terms of what information is associated with your access token, and we looked at balancing identity and local permissions. This article will take a look at how to configure a client in order to get a token, and how we handle sessions.

Defence in Depth: Secure APIs (part 4/7)

Our first three articles were about designing and getting an access token. We also established a model for how we move from identity and scopes to the permissions that we base all further access control on. In this article, we discuss what you need to do when implementing your API in order to protect your functions and your data.

Defence in Depth: Infrastructure and data storage (part 5/7)

The first three articles covered modelling identity and the steps necessary to retrieve an access token. The fourth article showed how to validate an incoming request and build fine-grained access control for our API. In this article we discuss the infrastructure necessary to deploy and operate the system described in the previous articles. We also cover some important notes on data management.

Defence in Depth: Web browsers (part 6/7)

In the previous article we covered some important security aspects regarding server-side infrastructure. This article covers some of the challenges we face on the client-side, in particular when working with browsers. The browser is a very attractive target environment for distributing applications and systems to the user. It’s easy to access and requires no additional installation since most of today’s users have access to a modern browser. For the user it is, compared to installing...

Defence in Depth: Summary (part 7/7)

This article summarizes the learnings from the article series and highlights key security principles and recommended further reading.

How to choose an Identity Provider (IdP)

As independent security consultants we have had the opportunity and privilege to help our customers select and implement a wide range of different solutions. In this article we share some of the key factors to consider when selecting the right IdP for you, a central part of your architecture and IAM solution.

Offensive Application Security

This article gives an introduction to ethical hacking and web application penetration testing, and how it differs from other types of penetration tests. We cover the basic principles of penetration testing and a simplified model for pentesting methodology. It highlights key aspects of a high-quality security review, in which the penetration test plays a big part, and the importance for developers to embrace a hacker's mindset (and vice versa).

Defence in Depth as Code: Secure APIs by design

This article shows how to implement our six-step model for building APIs, highlighting key aspects of creating APIs that are secure by design. Example code is available on GitHub.

Defence in Depth: Secure Architecture

Secure architecture is a broad topic. This article highlights six important architectural decisions and patterns that fundamentally impact the overall security of a system. The article also provides an overview of and introduction to the seven-part article series Defence in Depth.

Defence in Depth as Code: Test Driven Application Security

This article presents a test-driven approach to application security and shows how we can write automated tests to prove that our defenses work as expected.

Omegapoint security review questionnaire

This document defines a set of questions Omegapoint uses for security reviews. The purpose is to be able to cover many aspects of security for a cloud-native DevOps team, during a two-hour interview with the team.

Omegapoint CIS Control Verifications for Cloud Native Applications

This document interprets CIS Controls v8 IG 3 for a cloud-native system built, operated, and defended by a DevOps team. It references additional standards for guidance on implementation details, for example CIS Benchmarks and OWASP material.

Writeup: AWS API Gateway header smuggling and cache confusion

In this blog, we'll dive deeply into two potential security issues that Omegapoint identified in AWS API Gateway authorizers. We reported these issues to AWS in November 2022 and January 2023. AWS rolled out mitigations to all AWS customer accounts in May 2023.

Writeup: Keycloak open redirect (CVE-2023-6927)

CVE-2023-6927 is a Keycloak vulnerability that allows bypassing redirect URI validation. It can be used as a vector for stealing authorization codes and access tokens, and to redirect victims to arbitrary hosts.

Writeup: Exploiting TruffleHog v3 - Bending a Security Tool to Steal Secrets

This blog covers several potential security issues that were identified in TruffleHog v3, an open-source secret scanner. The issues were reported to Truffle Security, the team behind TruffleHog, in December 2023.