Malware Devil

Thursday, November 5, 2020

Balancing Autonomy and Control in API Security with Token Swapping

The question of how much control to retain versus how much to give up is something that occupies the minds of parents, management consultants, and often coaches. A high level of control helps achieve specific objectives, but, at the same time, it may lead to a complex bureaucracy that slows down self-initiative, entrepreneurship, and general productivity. A high level of empowerment, on the other hand, fosters creativity and ownership, but it may lead to unmanageable or risky outcomes. 

In the world of identity and security, organizations across all sectors also face this conundrum. Managing identity involves both controlled (stateful) and autonomous (stateless) security tokens. 

  • Stateful tokens are opaque and can be de-referenced only by a central authority, on request (token introspection). The authority manages the state of the token, including revocation. The token depends on the availability and performance of the authority.
  • Stateless tokens are self-contained and can be “unpacked” by any party with the appropriate key material. Stateless tokens can be processed with or without the availability of an authoritative service. 

Knowing which to use is often straightforward, but sometimes what you really want to deploy is something in between.

A Closer Look at Token Swapping Use Cases

Exposing open services and APIs to external clients is a perfect use case for stateful tokens. Because external clients can be located anywhere and security tokens can travel over many networks, more control is needed. With stateful tokens, you can have opaque tokens that don’t carry sensitive content, always introspect tokens against a central authority, and revoke tokens as needed to provide a high level of control. 

However, for Zero Trust architectures that require security checks at every stage, including each microservice-to-microservice call, using stateless tokens makes more sense. That’s because they don’t depend on a central authority, which could impact the ability to scale and to continue operations if the authority is unreachable. 

Token swapping describes the ability to exchange one security token for another in a different, enriched, or restricted form. A gateway can function as the “token swapper.” It intercepts requests, validates tokens, and generates new tokens either by itself or in conjunction with other services. 

Let’s look at the example of a financial company exposing APIs to partner organizations. Such a scenario requires a higher level of control and the ability to revoke granted access, so, for these external clients, the financial institution issues stateful tokens. Token swapping allows the company to use those stateful tokens on the front end but then switch to stateless tokens for scalability and other benefits within their microservices environment. 

If you swap a stateful token for a stateless token in the right way and at the right time, you can achieve that delicate balance between control and autonomy to better suit your purposes.

[Figure: Token Swapping Blog]

In the aforementioned scenario, ForgeRock Identity Gateway, deployed as a north-south gateway, validates stateful OAuth2 tokens by introspection with ForgeRock Access Management, ForgeRock Identity Cloud, or any other OAuth2 authorization server. After validating the stateful token, Identity Gateway then generates a stateless JSON Web Token (JWT) containing the identity information the downstream services need to proceed autonomously.

Self-contained JWTs are a compelling token type for scenarios that require a high level of scaling, do not have a strong dependency on external services (such as the authority), and can tolerate the absence of token revocation capability. For many microservices scenarios, this is a very effective use case for token swapping. 

Local JWT validation can also be conducted by service meshes, such as Istio, or by ForgeRock Identity Gateway, deployed as an east-west gateway, or Microgateway with the JwtValidationFilter. Note, however, that service meshes support self-contained JWTs but do not integrate well with stateful OAuth2 and remote token introspection. Furthermore, JWTs consumed by service meshes like Istio need to have the appropriate content, which can be built using token swapping. The “token swapper” can aggregate the appropriate JWTs.
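The north-south swap described above (introspect the opaque stateful token, then mint a short-lived JWT) together with the local east-west validation, as an added Python example that is not ForgeRock or Istio code. The introspection table, the issuer and audience values and the shared HS256 key are constructed for the illustration; a real gateway calls the authorization server's introspection endpoint over HTTPS and signs with whatever key material it is configured with.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the authorization server's introspection endpoint
# (RFC 7662 response shape); a real gateway calls it over HTTPS. Made-up data.
_INTROSPECTION_DB = {
    "opaque-abc123": {
        "active": True,
        "sub": "alice",
        "scope": "accounts:read payments:write",
        "client_id": "partner-bank",
        "exp": 1_700_000_600,
    },
    "opaque-revoked": {"active": False},
}
ISSUER = "https://gateway.example/ig"   # hypothetical gateway issuer
AUDIENCE = "internal-services"          # hypothetical downstream audience


def introspect(opaque_token):
    """Stateful check: only the authority knows whether the token is still live."""
    return _INTROSPECTION_DB.get(opaque_token, {"active": False})


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key):
    """Build a compact HS256 JWT: header.payload.signature (all base64url)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(obj, separators=(",", ":")).encode())
        for obj in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def swap_token(opaque_token, key, now=None, ttl=300):
    """North-south gateway step: introspect the stateful token, then issue a
    stateless JWT. Returns None when the authority reports the token inactive
    (revoked, expired or unknown), so nothing is minted without its backing."""
    info = introspect(opaque_token)
    if not info.get("active"):
        return None
    now = int(time.time()) if now is None else now
    claims = {
        "iss": ISSUER,
        "sub": info["sub"],
        "aud": AUDIENCE,
        "azp": info["client_id"],
        "scope": info["scope"],
        "iat": now,
        # The JWT cannot be revoked downstream, so keep it short-lived and never
        # let it outlive the stateful token it was derived from.
        "exp": min(now + ttl, info["exp"]),
    }
    return mint_jwt(claims, key)


def validate_jwt(token, key, now=None):
    """East-west step: alg, signature, audience and expiry checked locally with
    the shared key; no call back to the authority. Returns claims or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except ValueError:
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None   # refuse alg confusion ("none", key-type swaps)
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return None
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims
```

The short `ttl` is the trade-off the article describes: a revocation at the authority is not visible to services doing local validation until the swapped JWT expires.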

Token swapping is not limited to stateful OAuth2 to JWT token swapping. You can create transformations using other token types such as OpenID Connect, SAML or SSO tokens and services like the security token service (STS). You can also enrich tokens with user roles, entitlements, or attributes obtained from the authority. 

To learn more about balancing control and autonomy with token swapping, read about the following useful components: JwtBuilderFilter, JwtValidationFilter, IdTokenValidationFilter, OAuth2ResourceServerFilter, TokenTransformationFilter.

With token swapping, you can expand your options for obtaining the right balance in the control versus autonomy dilemma—at least in the identity and security realm. Parents, philosophers, and management will have to look elsewhere.

 

The post Balancing Autonomy and Control in API Security with Token Swapping appeared first on Security Boulevard.


The post Balancing Autonomy and Control in API Security with Token Swapping appeared first on Malware Devil.



https://malwaredevil.com/2020/11/05/balancing-autonomy-and-control-in-api-security-with-token-swapping/?utm_source=rss&utm_medium=rss&utm_campaign=balancing-autonomy-and-control-in-api-security-with-token-swapping

What’s in today’s cybercriminal’s toolbox? Let’s open it.

Cyber fraud is a catch-all term for endless schemes to fool users into giving assets access to their data […]

The post What’s in today’s cybercriminal’s toolbox? Let’s open it. appeared first on NuData Security.

The post What’s in today’s cybercriminal’s toolbox? Let’s open it. appeared first on Security Boulevard.


US Seizes 27 More IRGC-Controlled Domain Names

The action follows last month’s seizure of 92 domain names used by Iran’s Islamic Revolutionary Guard Corps to spread disinformation.


NSS Labs’ Abrupt Shutdown Leaves Many Unanswered Questions

Former execs and employees share some insights into the testing firm’s shutdown. What does it mean for the future of security product testing?


Bug Bounty Hunters’ Pro Tips on Chasing Vulns & Money

From meditation to the right mindset, seasoned vulnerability researchers give their advice on how to maximize bug bounty profits and avoid burnout.


Gaming Giant Capcom Hit By Ragnar Locker Ransomware: Report

The Resident Evil creator has reportedly been hit in a ransomware attack that stole 1TB of sensitive data.

Zoom Snooping: How Body Language Can Spill Your Password

Researchers figure out how to read what people are typing during a Zoom call using shoulder movements.

🔴 LIVE: Paul’s Security Weekly #673

This week, we welcome Sven Morgenroth from Netsparker, then we are joined by Dan DeCloss from PlexTrac, and we wrap with the Security News!

→Full Show Notes: https://wiki.securityweekly.com/psw673
→Join the Security Weekly Discord Server: https://discord.gg/pqSwWm4
→Visit our website: https://www.securityweekly.com
→Follow us on Twitter: https://www.twitter.com/securityweekly


Agent Tesla: A Day in a Life of IR

Introduction

The Agent Tesla infostealer has been around since 2014. During the last two to three years, it’s also had a significant distribution growth factor partially due to the fact that cracked versions of it have been leaked.

The post Agent Tesla: A Day in a Life of IR appeared first on Security Boulevard.


North Korean Hackers Used ‘Torisma’ Spyware in Job Offers-based Attacks

A cyberespionage campaign aimed at aerospace and defense sectors in order to install data gathering implants on victims’ machines for purposes of surveillance and data exfiltration may have been more sophisticated than previously thought.
The attacks, which targeted IP-addresses belonging to internet service providers (ISPs) in Australia, Israel, Russia, and defense contractors based in Russia

Digital Transformation Means Security Must Also Transform

Being successful in this moment requires the ability to evolve in terms of team management, visibility, and crisis management.


DEF CON 28 Safe Mode ICS Village – Marina Krotofi’s ‘Confessions Of An Offensive ICS Researcher’

Many thanks to DEF CON and the conference speakers for publishing their outstanding presentations, which originally appeared at the organization’s DEF CON 28 SAFE MODE conference and on the DEF CON YouTube channel. Enjoy!


The post DEF CON 28 Safe Mode ICS Village – Marina Krotofi’s ‘Confessions Of An Offensive ICS Researcher’ appeared first on Security Boulevard.


Achieving Application Security in Today’s Complex Digital World

Application security is an essential part of the software development lifecycle, and getting it right should be a top priority in today’s ever-evolving and expanding digital ecosystem. Application security is the practice of protecting your applications from malicious attacks by detecting and fixing security weaknesses in your applications’ code. 

Organizations today invest a lot of time and money in tools and processes that help them secure their applications throughout the software development lifecycle. Achieving application security has become a major challenge for software engineers, security, and DevOps professionals as systems become more complex and hackers are continuously increasing their efforts to target the application layer. 

How can software development organizations make sure that they have all the tools and processes in place to effectively address the many threats to application security?

 

When It Comes to Security, Applications Remain the Weakest Link

Findings from top industry research reports show that attacking application weaknesses and software vulnerabilities remains the most common external attack method. For example, Verizon’s 2020 Data Breach Investigations Report recently found that web applications are a top hacking vector in breaches. The Verizon report asserts that “this trend of having web applications as the vector of these attacks is not going away.”

[Figure: web applications are a top hacking vector in breaches. From: Verizon 2020 Data Breach Investigations Report]

Forrester’s 2020 State of Application Security Report also predicted that application vulnerabilities will continue to be the most common external attack method, and found that most external attacks target either software vulnerabilities or web applications. 

[Figure: applications are still the weakest link. Based on Forrester’s The State Of Application Security 2020]

Unfortunately, it appears that most organizations continue to invest in the protection of other attack vectors. Currently, the amount of investment in protecting certain areas like the network is often inconsistent with the level of risk associated with them in today’s threat landscape. 

According to the Ponemon Institute’s Research Report The Increasing Risk to Enterprise Applications, “Investment in application security is not commensurate with the risk.” The research report shows that “There is a significant gap between the level of application risk and what companies are spending to protect their applications,” while “the level of risk to networks is much lower than the investment in network security.”

[Figure: investment in application security is not commensurate with the risk. From: The Increasing Risk to Enterprise Applications, Ponemon Institute]

In order to ensure effective application security, organizations need to make sure that their application security practices evolve beyond the old methods of blocking traffic, and understand that investing heavily in network security is not enough.

 

The Main Application Security Technologies

When it comes to investing in application security tools, the market is full of a variety of new and old technologies and solutions to help organizations improve their application security and ensure it keeps up with the security challenges of the evolving threat landscape. 

Forrester’s market taxonomy for application security tools makes a distinction between two market segments: security scanning tools and runtime protection tools, and predicts that spending will continue to rise for both categories. 

[Figure: Application Security Market Will Exceed $7B by 2023. From: Forrester]

Each category of application security testing tools focuses on a different stage in the software development lifecycle. Security scanning tools are used to remediate vulnerabilities when applications are in development. Runtime protection is performed when applications are in production. It’s important to remember that runtime protection tools provide an extra layer of protection and are not an alternative to scanning. 

[Figure: application security testing tools: security scanning tools and runtime protection tools]

Security scanning tools are used primarily in development — applications are tested in the design and build stages. The goal of security scanning tools is prevention. They detect and remediate vulnerabilities in applications before they run in a production environment. Tools in this market include SAST (static application security testing), DAST (dynamic application security testing), IAST (interactive application security testing), and SCA (software composition analysis).

Runtime protection tools come in later, in production. They are designed to protect against malicious players while an application is running in a production environment. These tools react in real time to defend against attacks. This market is segmented into web application firewalls (WAF), bot management, and RASP (runtime application self-protection).

Each one of these application security testing technologies has its own set of features and functions, and its strong and weak points. No single tool can be used as a magic potion against malicious players. Organizations need to analyze their specific needs and choose the tools that best support their application security policy and strategy. 

[Figure: application security testing tools’ features]

 

Getting It Right: The Application Security Maturity Model

While getting the right tools for application security is important, it is just one step. Though most tools today focus on detection, a mature application security policy goes a few steps further to bridge the gap from detection to remediation. 

Considering the continuous increase in known software vulnerabilities, focusing on detection will leave organizations with an incomplete application security model. Application security tools often provide security and development teams with exhausting laundry lists of security alerts. However, teams also need to have the means to quickly fix the issues that present the biggest security risks. 

In order to address the most urgent application security threats, organizations need to adopt a mature application security model that includes prioritization and remediation on top of detection. 

While detecting as many security issues in the application layer is extremely important, considering the current threat landscape and competitive release timelines, it has become unrealistic to attempt to fix them all. It’s important to remember Gartner analysts’ Neil MacDonald and Ian Head’s statement from Gartner’s 10 Things to Get Right for Successful DevSecOps: “Perfect security is impossible, Zero risk is impossible. We must bring continuous risk and trust-based assessment and prioritization of application vulnerabilities to DevSecOps.” 

A mature application security model includes strategies and technologies that help teams prioritize — providing them the tools to zero-in on the security vulnerabilities that present the biggest risk to their systems so that they can address them as quickly as possible. Otherwise, teams end up spending a lot of valuable time sorting through alerts, debating what to fix first, and running the risk of leaving the most urgent issues unattended. 

Next in the application security maturity model comes remediation — technologies that integrate seamlessly into the development cycle to help remediate issues when they are relatively easier and cheaper to fix, and update vulnerable versions automatically. 

Application Security at the Speed of DevSecOps 

As development cycles get shorter, security professionals and developers struggle to address security issues while keeping up with the increasingly rapid pace of release cycles. This constant push and pull between application security needs and the speed of development often results in friction between developers who don’t want security to slow them down and security professionals who feel developers are neglecting security. The DevSecOps approach attempts to address this conflict and break down the silos between developers and security.

DevSecOps addresses the challenge of continuously increasing the pace of development and delivery without compromising on security. First came DevOps, which helped organizations create shorter release cycles so that they could meet the market demand of delivering innovative software products at a rapid pace. DevSecOps adds security to the mix, integrating security throughout the software development lifecycle (SDLC), to make sure that security doesn’t slow down development and application development is both agile and secure. 

DevSecOps aims to seamlessly integrate application security in the earliest stages of the SDLC, by updating organizations’ application security practices, tools, and teamwork. It calls for shifting security testing left to help teams work together to address security issues early in development when remediation can be relatively simple. 

 

Hackers Are Keeping up with the Evolving Software Development Landscape. Are You? 

As applications evolve and take on new forms, malicious players adapt to the new technologies and environments. The days of applications being heavy monolithic client/server behemoths are long gone, and your application security strategies need to keep up in order to protect against current threats to your applications. 

Attackers compromise modern applications through unsecured API endpoints, unvalidated API payloads, and client-side attacks injecting malware into unprotected scripts. The rise of new architectures like cloud-native and frameworks offers new attack surfaces. Security professionals need to adjust their focus and address issues like image integrity, vulnerabilities in common container images, and changes to containers and functions in production.

Application security is a constantly evolving ecosystem of tools and processes. If you want to stay ahead of the hackers, you need to make sure that your application security practices are as advanced as today’s software development technologies. 

The post Achieving Application Security in Today’s Complex Digital World appeared first on Security Boulevard.


Cado Security Gets $1.5 Million Seed

The seed funding round was led by Ten Eleven Ventures.


Westcon Signs Distribution Agreement with Breach & Attack Simulation Leader AttackIQ

Westcon has signed an agreement with AttackIQ, the leader in Breach and Attack Simulation (BAS), to distribute its solutions with immediate effect in the EMEA and APAC regions. Carl Wright, Chief Commercial Officer at Attack IQ, comments: “Breach damage is worse than ever. In 2021, cyber damage on the global economy is expected to reach $6..

The post Westcon Signs Distribution Agreement with Breach & Attack Simulation Leader AttackIQ appeared first on Security Boulevard.


23% of Windows in Use is Old, Insecure Win7 or XP


Windows 7 and XP are obsolete, but that hasn’t stopped almost a quarter of Windows users using them. It’s a security nightmare waiting to happen.

The post 23% of Windows in Use is Old, Insecure Win7 or XP appeared first on Security Boulevard.


XKCD ‘The True Name Of The Bear’

via the comic delivery system monikered Randall Munroe, resident at XKCD!



The post XKCD ‘The True Name Of The Bear’ appeared first on Security Boulevard.


Wednesday, November 4, 2020

Memory buffers for… initiated

Early Visual Basic program crackers knew that if you put a breakpoint in the right place, you can intercept strings entered into a text/input box. Once you do that, finding the key verification routine is easy, as it will refer to the memory buffer we can track after data is copied to it.

Around 13 years ago I was asked by an analyst on my team to help him with a WinBatch-compiled malicious sample. At that time there were not many options for analyzing these types of programs and, of course, reading the producer’s web site, one would be discouraged from reverse engineering such executables as they are ‘close to impossible to crack’. After poking around I realized that the code of the ‘compiled’ batch file was actually available in plain text during run-time! It was decrypted and then stored in a memory block on a heap.

I was experimenting a lot with API hooking at that time, and this particular experience led me to write a tool that intercepted calls to the RtlFreeHeap function (HeapFree was forwarded to it), then dumped the content of the memory block the API referenced to a file before releasing the memory. You see, if you are a coder who is taught to free memory buffers after use, it’s only natural that you will call these APIs. Even if you don’t really need to, because after the process is killed these memory buffers will be killed anyway…

That tool I wrote back in 2008 was essential in handling many ‘script hidden by obfuscation more than anything else’ samples – it dealt with executables created by perl2exe, WinBatch, many bat2exe converters, and the like. It would literally take seconds to run a suspicious sample through that tool, review the data file it created, and cherry-pick the content that was of interest.

Because of that tool I was probably one of the first analysts able to systematically dump the code of many perl2exe samples targeting POS, as well as forensic tools shared by prominent forensic experts, e.g. compare rfc.exe vs. its source code, where the dump from my tool shows this (raw data + formatted):

Over the next few years I started building a more robust sandbox and added handling for buffers freed by many memory functions, including VirtualFree, RtlFreeHeap, GlobalFree/LocalFree, free, NtFreeVirtualMemory and a few others that I knew contained buffers worth looking at.

Software analysis has progressed a great deal since then, and we now have a gamut of decompilers, sandboxes, emulators, debuggers, plug-ins and both dynamic- and static-oriented analysis tools. It’s a treat.

Yet.

One thing remains constant – tricks are here to stay.

If you can cut reversing corners – you definitely should.


Disinformation Now the Top Concern Following Hack-Free Election Day

After an Election Day without foreign interference and cyberattacks, security experts turn their focus to disinformation.


Core Frameworks to Streamline Financial Services Cybersecurity Compliance

The post Core Frameworks to Streamline Financial Services Cybersecurity Compliance appeared first on Security Boulevard.


Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...