Security OAuth 2.0 by Jonathon Brookfield and Fraser Winterborn
Abstract:
Enterprise authentication and single sign-on are frequently overlooked by developers and security testers, and are often relegated to something that "just works" or that stands in the way of accessing the application being assessed. As such, the finer details are frequently ignored or left to third-party libraries to implement.
This talk aims to help penetration testers and developers understand the OAuth 2.0 protocol, detailing its components, configurations and modes of operation. Common implementation pitfalls will be explored from first-hand experience of securing OAuth in the enterprise, and an example will be demonstrated of how a mistake in the implementation can lead to a compromise of applications relying on OAuth for authorisation.
Speaker Bio:
Jonathon Brookfield leads the Security Research Group at BlackBerry. He has been working in product security for over 12 years, with the last 6 years at BlackBerry. At BlackBerry he has been involved in improving the security of a range of products including BlackBerry OS, BlackBerry 10 and most recently the PRIV on the device side and BlackBerry ID and Enterprise Identity by BlackBerry on the services side.
Fraser Winterborn is a security researcher in the Security Research Group at BlackBerry. He previously worked at Encription for 8 years as a penetration tester and infrastructure CHECK Team Leader, during which time he was involved in the security assessment of a wide range of infrastructures and applications for organisations of all sizes. His current work involves research to improve the security of BlackBerry's Enterprise and QNX products.