So for a while now, I’ve been getting sick and tired of hearing about data breaches. It seems like every other week I get a new letter in the mail saying I can get in on this class action lawsuit. While the 8 dollars is nice every few months, I’d rather not have to worry about my identity. But I’m a software engineer, right? Well, what can I do about it?
My security rabbit hole started a few years ago, when I had a client that wanted help with a legacy application. I thought it would end up as a good playground to learn React, so I had to learn how to handle security with a front end and back end that were not completely integrated. So I learned about OAuth and JWTs. I specifically remember creating a new project from a template that included IdentityServer. But around that time, they stopped maintaining it, and then it was forked and made into a commercial product. Well, I’m trying to pay off my student loans and don’t have money to pay for a commercial license, and I don’t think my client wanted to pay for that either, so hell, why not just make my own?
There’s definitely value in building something like that from the ground up. Knowing how OAuth 2.0 works with JWTs and rotating refresh tokens has served me well in my career. I’ve been able to diagnose security issues in my regular job and help figure out correct configurations. But it also took the magic out of it.
To put it in realistic terms: you are issued a badge (the access token) that gets you into the building, but it only works for a short while (hopefully you set it to 5 minutes). When it runs out, you go back to the security desk and tear off the stub at the bottom of the badge, the ticket (the refresh token), and trade it in for a new badge. The security desk checks that nobody has already used that ticket, then hands you a new badge with a new ticket attached. If the ticket has already been used, the desk has no way of knowing whether you are the person who is supposed to have the badge, or whether someone photocopied your badge and traded the ticket in for a brand new, completely legitimate badge.
So now you get kicked out, and when the other guy comes back to trade in his ticket, security catches him and kicks him out too: every badge and ticket that descends from that one login is void. Security could go further, figure out which badge was handed to the other guy and blacklist it, so he does not even get the remaining 5 minutes. That means the desk has to check a list on every single entry instead of just glancing at the badge, which costs you the stateless verification that JWTs give you, so it is usually only worth it for a bank or another highly sensitive office building.
That was a simplified rundown of how OAuth 2.0 token rotation works; implementing it in code is a whole other story. There is nothing but the implementation itself: the server running that code is completely in control and, assuming it was implemented correctly, keeps things as secure as they can be. But how would you know?
Well, now let’s add some logging. Not just any logging, but SIEM-compatible logging: structured, machine-readable events that say who did what, from where and when, so that we can see what the security desk is up to and alert on it. This can be tedious (and let me know if there’s a really good way I don’t know about), but it is extremely beneficial for any production environment.
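The badge analogy above (rotate on every refresh, detect a ticket that is traded in twice, void the whole login on reuse, optionally blacklist the outstanding badge) together with the SIEM-style event logging just described, as an added Python example. This is not code from the post or from the linked template (which is .NET): the in-memory token store, the event names, the 5-minute and 14-day lifetimes and the demo users are all assumptions made for the example.

```python
"""Refresh-token rotation with reuse detection, emitting structured security
events of the kind a SIEM ingests. Constructed example: the token store is an
in-memory dict standing in for a database table."""
import hashlib
import json
import secrets
import time
from dataclasses import dataclass

ACCESS_TTL = 300            # 5-minute access tokens, as the post suggests
REFRESH_TTL = 14 * 86400    # assumed refresh-token lifetime


@dataclass
class RefreshRecord:
    family: str         # one family per login; every rotation keeps the id
    subject: str
    expires_at: float
    used: bool = False  # set on first redemption; a second use is a replay


class SecurityLog:
    """One JSON object per event, kept in a list and printed; a real service
    would write them to stdout or syslog for the SIEM collector."""
    def __init__(self):
        self.events = []

    def emit(self, event, **fields):
        record = {"ts": round(time.time(), 3), "event": event, **fields}
        self.events.append(record)
        print(json.dumps(record, sort_keys=True))


class TokenService:
    def __init__(self, log):
        self.log = log
        self._refresh = {}              # sha256(refresh token) -> RefreshRecord
        self._revoked_families = set()  # families hit by a replay
        self._latest_access = {}        # family -> jti of its newest access token
        self._denied_jti = set()        # access tokens killed before they expire

    @staticmethod
    def _h(token):
        # Store only a hash, so a leaked table does not leak usable tokens
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, subject, family, src_ip):
        jti = secrets.token_urlsafe(16)      # stand-in for the jti of a signed JWT
        refresh = secrets.token_urlsafe(32)  # opaque and single-use
        self._refresh[self._h(refresh)] = RefreshRecord(
            family, subject, time.time() + REFRESH_TTL)
        self._latest_access[family] = jti
        self.log.emit("token.issued", sub=subject, family=family, jti=jti,
                      access_ttl=ACCESS_TTL, src_ip=src_ip)
        return jti, refresh

    def login(self, subject, src_ip):
        # Credential check omitted; a login starts a fresh token family
        return self._issue(subject, secrets.token_hex(8), src_ip)

    def refresh(self, refresh_token, src_ip):
        """Trade a refresh token for a new pair. Returns (jti, refresh) or None."""
        rec = self._refresh.get(self._h(refresh_token))
        if rec is None:
            self.log.emit("token.refresh_rejected", reason="unknown_token", src_ip=src_ip)
            return None
        if rec.family in self._revoked_families:
            self.log.emit("token.refresh_rejected", reason="family_revoked",
                          sub=rec.subject, family=rec.family, src_ip=src_ip)
            return None
        if rec.used:
            # Already traded in, so someone copied it. We cannot tell which caller
            # is honest: kill the family and denylist its newest access token.
            self._revoked_families.add(rec.family)
            self._denied_jti.add(self._latest_access[rec.family])
            self.log.emit("token.reuse_detected", sub=rec.subject,
                          family=rec.family, src_ip=src_ip)
            return None
        if rec.expires_at <= time.time():
            self.log.emit("token.refresh_rejected", reason="expired",
                          sub=rec.subject, family=rec.family, src_ip=src_ip)
            return None
        rec.used = True
        return self._issue(rec.subject, rec.family, src_ip)

    def access_token_allowed(self, jti):
        # Per-request denylist lookup; only worth its cost for sensitive apps
        return jti not in self._denied_jti


def demo():
    """Login, one honest rotation, then an attacker replays the old token."""
    svc = TokenService(SecurityLog())
    _jti1, r1 = svc.login("alice", "203.0.113.5")
    jti2, r2 = svc.refresh(r1, "203.0.113.5")       # honest rotation
    replay = svc.refresh(r1, "198.51.100.9")        # attacker replays r1
    alice_again = svc.refresh(r2, "203.0.113.5")    # honest user is now out too
    return {"replay": replay, "alice_again": alice_again,
            "jti2_allowed": svc.access_token_allowed(jti2),
            "events": [e["event"] for e in svc.log.events]}
```

Calling `demo()` prints four events (two `token.issued`, one `token.reuse_detected`, one `token.refresh_rejected` with `reason="family_revoked"`) and returns `None` for both the replay and Alice's next refresh, which is exactly the "everyone gets kicked out" outcome of the analogy. The `family` field in every event is what lets a SIEM rule stitch the replay, the source IP and the affected user together; `access_token_allowed` is the optional blacklist check that costs a lookup per request.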
None of this mentions roles and privileges. Role-Based Access Control (RBAC) is the standard way to handle that, so now you need to carry roles in your JWT and enforce them at your endpoints. You don’t want the mail room to be able to get into the money vault, after all. This leads to a whole rabbit hole about least privilege, but that’s for another post.
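What "roles in the JWT, enforced at the endpoint" looks like, as an added Python example that is not code from the post or the template: a minimal HS256 JWT, a per-endpoint policy table, and the mail room kept out of the vault. The `POLICY` table, the `roles` claim name, the shared secret and the demo users are assumptions; a real service would use a vetted JWT library, but it must make the same three checks (algorithm, signature, expiry) before it is allowed to look at the roles claim at all.

```python
"""Roles carried in a JWT 'roles' claim and enforced per endpoint. Constructed
example with a minimal HS256 implementation so it runs offline; a real service
should use a vetted JWT library but make the same checks before reading roles."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-only-key-0123456789abcdef0123456789abcdef"  # assumed shared key

# Endpoint -> roles allowed in. A path not listed here is denied by default.
POLICY = {
    "/mail": {"mailroom", "treasurer"},
    "/vault": {"treasurer"},
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key=SECRET):
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token, key=SECRET, now=time.time):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        sig = _unb64url(sig_b64)
    except ValueError:
        return None
    # The verifier, not the token, decides which algorithm is acceptable
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    claims = json.loads(_unb64url(body_b64))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now():
        return None
    return claims


def authorize(token, path, now=time.time):
    """HTTP status the endpoint would answer: 401 bad token, 403 wrong role."""
    claims = verify_jwt(token, now=now)
    if claims is None:
        return 401
    roles = set(claims.get("roles", []))
    if not roles & POLICY.get(path, set()):
        return 403
    return 200


def demo(now=time.time):
    """Honest tokens for two roles, plus the cases an attacker would try."""
    exp = now() + 300
    mail = sign_jwt({"sub": "bob", "roles": ["mailroom"], "exp": exp})
    boss = sign_jwt({"sub": "carol", "roles": ["treasurer"], "exp": exp})
    # Case 1: keep bob's signature, swap the treasurer role into the body
    head, _, sig = mail.split(".")
    escalated = json.dumps({"sub": "bob", "roles": ["treasurer"], "exp": exp})
    forged = f"{head}.{_b64url(escalated.encode())}.{sig}"
    # Case 2: the classic alg=none header with an empty signature
    none_head = _b64url(json.dumps({"alg": "none"}).encode())
    alg_none = f"{none_head}.{_b64url(escalated.encode())}."
    # Case 3: a genuine token that has simply expired
    expired = sign_jwt({"sub": "dave", "roles": ["treasurer"], "exp": now() - 1})
    return {
        "mailroom_to_mail": authorize(mail, "/mail", now),
        "mailroom_to_vault": authorize(mail, "/vault", now),
        "treasurer_to_vault": authorize(boss, "/vault", now),
        "forged_claims": authorize(forged, "/vault", now),
        "alg_none": authorize(alg_none, "/vault", now),
        "expired": authorize(expired, "/vault", now),
        "unlisted_path": authorize(boss, "/admin", now),
    }
```

Run `demo()` and the mail room gets 200 on `/mail` and 403 on `/vault`; the edited-claims token, the `alg=none` token and the expired token all get 401 before the roles are ever consulted, and a path missing from `POLICY` is 403 even for the treasurer, which is the deny-by-default behaviour you want when someone adds an endpoint and forgets the policy.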
But we’re not finished yet: you really should validate everything that comes into your office building, which for an API means every request body, query parameter, header and token claim. Maybe that package contains anthrax, but you think it’s the AG1 you ordered. If you don’t validate, the whole office could be infected!
This is just a simplified story and the beginning of the security journey of building a software product. Ideally, when building something new, this should be the first thing you implement. If the companies behind all these breaches had built security in from the ground up and kept it up for the life of the software, we’d have far fewer breaches.
This kind of thing has inspired me to make a free and open source template that shows how to implement the things I’ve talked about. It isn’t perfect, but I took what I’ve learned over the past several years and am currently using in a few of my production apps. I wanted to get as close to enterprise level as I could. I also hope it could become a teaching tool to aid in building the next generation of software that takes a security-first approach.
The repo is here:
https://github.com/Red-Cardinal-Software/OAuthDotNetAPI
Try it out, fork it, or suggest improvements; I’m open to any and all feedback. Yes, it is in .NET; I apologize to anyone looking for a different language. I hope to expand on the template and keep it up to date.