JWTs The Good, the Bad, and the Ugly Security Edition

  • Published: 3 Apr 2024
  • JSON Web Tokens (JWTs) are a popular way of securely transmitting information between parties. They have numerous benefits, such as being stateless, easily verifiable, and compatible with many different platforms. However, despite their advantages, JWTs can also present a number of security risks if not properly implemented or used. In this talk, we will explore the good, the bad, and the ugly of JWTs from a security standpoint. We will examine common vulnerabilities and discuss best practices for mitigating these risks. By the end of this talk, attendees will have a better understanding of the potential dangers of JWTs and how to avoid them, as well as a deeper appreciation for the importance of secure token-based authentication.
    Learning Objectives:
    - Understand the basics of JSON Web Tokens
      - Define what JSON Web Tokens (JWTs) are
      - Define the standard structure of a JWT
    - Explore the advantages of JWTs:
      - Understand the benefits of using JWTs for secure information transfer
      - Understand how JWTs can be used for authentication and authorization
    - Identify security risks associated with JWTs:
      - Recognize the potential vulnerabilities in JWTs
      - Understand the different types of attacks against JWTs
    - Understand the types of attacks that are performed on JWTs
      - Learn about token tampering attacks
      - Learn about injection attacks using JWTs
    - Mitigations for JWT security risks
      - Best practices for securing JWTs
      - Understand the importance of verifying signatures and metadata, and using strong encryption
    ABOUT THE SPEAKER
    Joshua Barone has over 10 years of experience as a software developer, specializing in security design and development. Joshua Barone has a core background in Java, .Net, Python, and security design principles. Joshua specializes in .Net and Java Enterprise technologies, Web Services, Agile Methodologies, Open Source, and Test-Driven Development. He is familiar with a variety of platforms (Windows, Mac OS X, Linux, Unix), databases (PostgreSQL, MySQL, MSSQL, Oracle), J2EE Application Servers, Software Development Methodologies and Tools. Joshua is also experienced in security vulnerability assessment for platforms and applications. Joshua is a Certified Information System Security Professional (CISSP) and holds GIAC GPYC, GPEN, GCIA, GWAPT, GCIH, and GSEC certifications, as well as a Master's in Computer Science from the University of New Orleans. He is currently a Senior Developer for Cellebrite. Learn more about Josh at www.sans.org/profiles/joshua-....
    This webcast supports content from SANS SEC522: Application Security: Securing Web Apps, APIs, and Microservices. Learn more about the course at www.sans.org/cyber-security-c...
    SANS Cloud Security focuses the deep resources of SANS on the growing threats to The Cloud by providing training, GIAC certification, research, and community initiatives to help security professionals build, deploy and manage secure cloud infrastructure, platforms, and applications.
    SANS Cloud Security Curriculum: www.sans.org/cloud-security
    GIAC Cloud Security Certifications: www.giac.org/focus-areas/clou...
    LinkedIn: / sanscloudsec
    Discord: www.sansurl.com/cloud-discord
    Twitter: @SANSCloudSec