
9/8/2023

Software Security

Secure Coding Practices for Authentication and Authorization

Hiruna De Alwis

Authentication
● Authentication is the process of verifying a
user or device before allowing access to a
system or resources.
● It confirms that a user is who they say they are.
● This ensures only those with authorized
credentials gain access to secure systems.
● Authentication allows you to grant access to
the right user at the right time with confidence


History of Authentication
● 1960s: Passwords and encryption
● 1970s: Asymmetric cryptography
○ Public-key cryptography, uses a mathematically related pair of keys
○ One public and one private to encrypt and decrypt information
● 1980s: Dynamic passwords
○ Old passwords were easily guessable
○ TOTP: Time-based One-Time Password (OTP)
○ HOTP: HMAC (Hash-based Message Authentication Code) based OTP, an event-based OTP
where the password is generated from a hash computed over an incrementing counter
○ Dynamic passwords are often used in combination with regular passwords as one form
of two-factor authentication

History of Authentication

● 1990s: Public key infrastructure
○ PKI defined how to create, store, and send digital certificates
○ Adding more robust protection for online users and communication
● 2000s: Multi-factor authentication and single sign-on
○ Multi-factor authentication required users to provide two forms of verification before
gaining access
○ Single sign-on (SSO) streamlined the verification process so that users only have to
provide credentials at one access point - verified by a trusted third party
● 2010s: Biometrics
○ Ex: Including fingerprint Touch ID and Face ID on smart devices

How does Authentication Work?

● Authentication methods
○ username and password
○ biometric information such as facial recognition or fingerprint scans
○ phone or text confirmations - 2FA
● Basic flow
○ Input your login credentials on a login page or username and password bar
○ The server checks those credentials against the ones saved in its database
○ If they match, the user is granted access

How does Authentication Work?

● Maintain a session
○ Each period during which a user can log in without having to re-authenticate is called a
session
○ To keep a session open:
■ Create a token (a string of unique characters) that is tied to the account
■ Assign a cookie to the browser with the token attached
○ When the user goes to load a secure page, the app will check the token in the browser
cookie and compare it to the one in its database
○ If they match, the user maintains access without having to re-enter their credentials
○ Many applications use cookies to authenticate users after the initial login, since the user
doesn’t want to sign in to their account again every time
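An added example, not code from the slides, of the create-token / set-cookie / check-token loop above as an in-memory store; the function names, SESSION_TTL, the token-hashing choice and the cookie attributes are my own:

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_TTL = 3600                 # seconds before the user must re-authenticate
_sessions: Dict[str, dict] = {}    # keyed by SHA-256 of the token, not the token

def _now(at: Optional[float]) -> float:
    return time.time() if at is None else at

def _fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()   # leaked table is not replayable

def _token_from(cookie_header: str) -> Optional[str]:
    c = SimpleCookie(cookie_header)
    return c["session"].value if "session" in c else None

def create_session(account_id: str, now: Optional[float] = None) -> str:
    """Mint a 256-bit random token tied to the account and remember its hash."""
    token = secrets.token_urlsafe(32)
    _sessions[_fingerprint(token)] = {"account": account_id,
                                      "expires": _now(now) + SESSION_TTL}
    return token

def session_cookie(token: str) -> str:
    """Set-Cookie value with HttpOnly, Secure and SameSite=Lax attributes."""
    c = SimpleCookie()
    c["session"] = token
    c["session"].update({"httponly": True, "secure": True,
                         "samesite": "Lax", "path": "/"})
    return c.output(header="").strip()

def account_for_cookie(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Compare the browser's token with the store; None means log in again."""
    token = _token_from(cookie_header)
    entry = _sessions.get(_fingerprint(token)) if token else None
    if entry is None:
        return None
    if _now(now) > entry["expires"]:
        _sessions.pop(_fingerprint(token), None)         # expired: forget it
        return None
    return entry["account"]

def logout(cookie_header: str) -> None:
    token = _token_from(cookie_header)   # server-side logout: cookie becomes useless
    if token:
        _sessions.pop(_fingerprint(token), None)
```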


Types of Authentication

● Single-Factor Authentication
● Multi-Factor Authentication - MFA
○ Two-Factor Authentication - 2FA
○ Three-Factor Authentication - 3FA
● Single Sign-On Authentication - SSO
● One-Time Password - OTP
● Passwordless Authentication
○ Conjunction with SSO and MFA
● Certificate-Based Authentication
● Biometrics
○ Fingerprints, retinal scans, and facial scans

HTTP & HTTPS

● HTTP (Hypertext Transfer Protocol) is the set of rules for transferring files such as text, images,
sound, video and other multimedia files over the web
● RFC 2616 (HTTP) & RFC 7540 (HTTP/2) ...
● HTTP status codes …
● HTTPS is the use of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) as a
sublayer under regular HTTP application layering. HTTPS encrypts and decrypts user HTTP
page requests as well as the pages that are returned by the web server
● Features of HTTPS …


HTTP Basic Auth

● Basic Authentication is a method for an
HTTP user agent (e.g., a web browser) to
provide a username and password when
making a request
● RFC 7617
● The Authorization header follows this format:
○ Authorization: Basic <credentials>
● When the server receives this request, it can read
the Authorization header, decode the
credentials, and look up the user to
determine whether they should be allowed access
to the requested resource
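An added example (my code, not the slides') of building and parsing the RFC 7617 header and deciding between 200 and 401; the user table, salt and iteration count are constructed for the demo and the credential is the RFC's own "Aladdin" / "open sesame":

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple

CHALLENGE = 'Basic realm="demo", charset="UTF-8"'   # WWW-Authenticate value on a 401

def basic_header(user: str, password: str) -> str:
    """Client side: 'Basic ' + base64(user:password), as RFC 7617 section 2 specifies."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode()

def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: (user, password), or None when the header is missing, uses
    another scheme, or the token is not valid base64 / UTF-8 / user:password."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():   # scheme is case-insensitive
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")   # only the first ':' splits, so the
    return (user, password) if sep else None   # password may itself contain ':'

# Constructed user table: per-user salt + PBKDF2-SHA256 digest, never the password.
_SALT = b"demo-salt-not-for-production"
_ITER = 100_000

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITER)

USERS = {"Aladdin": (_SALT, _digest("open sesame", _SALT))}

def check_credentials(user: str, password: str) -> bool:
    # An unknown user still costs one hash, so response time does not reveal it.
    salt, stored = USERS.get(user, (_SALT, bytes(32)))
    return hmac.compare_digest(_digest(password, salt), stored) and user in USERS

def handle_request(headers: dict) -> int:
    """200 when the Basic credential checks out, otherwise 401 (send CHALLENGE)."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None or not check_credentials(*creds):
        return 401
    return 200
```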

HTTP Basic Auth: Drawbacks

● The username and password are sent in every request. Although they are encoded with
Base64, this does not add any security since they can be decoded easily
● Most configurations of Basic Authentication do not implement protection against password
brute forcing. For external-facing systems, this may pose a heightened risk as anyone on the
internet can attempt to brute force passwords for weeks, months, or years
● Logout functionality is not supported. Although there are workarounds for this, they are not
supported by all browsers
● Passwords cannot be easily reset. If a user loses their credentials, they should be able to
reset their password immediately. This is not possible in most basic authentication
implementations

Identity Federation


Single Sign On (SSO)

● Single sign-on (SSO) is a session and user authentication service that permits a user to use
one set of login credentials
○ A username and password to access multiple applications
○ SSO can be used by enterprises, small and midsize organizations, and individuals to
ease the management of multiple credentials
● Use HTTPS to guarantee confidentiality and integrity
● Advantages
○ Simplicity, Increased Productivity, Improved Security, Decreased IT Costs
● Drawbacks
○ Single point of failure, ID federation

How SSO works?


OpenID

● OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0
framework of specifications (IETF RFC 6749 and 6750)
● It simplifies the way to verify the identity of users based on the authentication performed by
an Authorization Server and to obtain user profile information in an interoperable and
REST-like manner
● OpenID Connect enables application and website developers to launch sign-in flows and
receive verifiable assertions about users across Web-based, mobile, and JavaScript clients.
And the specification suite is extensible to support a range of optional features such as
encryption of identity data, discovery of OpenID Providers, and session logout
● Drawbacks …

How OpenID works?

1. End user navigates to a website or
web application via a browser
2. End user clicks sign-in and types
their username and password
3. The RP (Client) sends a request to
the OpenID Provider (OP)
4. The OP authenticates the User and
obtains authorization
5. The OP responds with an Identity
Token and usually an Access Token.
6. The RP can send a request with the
Access Token to the User device
7. The UserInfo Endpoint returns
Claims about the End-User

Kerberos
● Protocol for authenticating service requests between trusted hosts across an untrusted
network, such as the internet
● Kerberos provides a centralized authentication server whose function is to authenticate users
to servers and servers to users
● In Kerberos, an authentication server and a database are used for client authentication. Kerberos
runs as a trusted third-party server known as the Key Distribution Center (KDC). Each user
and service on the network is a principal
● Workflow .. (https://www.geeksforgeeks.org/kerberos/)
● Applications:
○ User Authentication, Single Sign-On (SSO), Mutual Authentication, Authorization,
Network Security

Authorization
● Authorization is the process in which a person’s or
user’s authorities are checked for accessing
the resources
● Determines what permissions the user
has (users or persons are validated)
● Done after the authentication process
● Needs the user’s privilege or security levels


Authentication vs Authorization

● Authentication confirms that users are who they say they are. Authorization gives those users
permission to access a resource
● In the authentication process, users or persons are verified. In the authorization process,
users or persons are validated.
● The user authentication is visible at user end. The user authorization is not visible at the user
end
● In authentication, the user or computer has to prove its identity to the server or client
● Authorization is usually coupled with authentication so that the server has some concept of
who the client is that is requesting access


Authentication vs Authorization

● Authentication does not determine what tasks the individual can do or what files the individual
can see. Authentication merely identifies and verifies who the person or system is
● Authentication Ex:
○ Employees in a company are required to authenticate through the network before
accessing their company email
● Authorization Ex:
○ After an employee successfully authenticates, the system determines what information
the employees are allowed to access
● In some cases, there is no authorization; any user may use a resource or access a file
simply by asking for it. Most of the web pages on the Internet require no authentication or
authorization.

Usernames and Passwords

● The basic concept behind implementing password-based authentication is:
○ If the username and password combination entered by the user matches what the
application has stored, the user is granted access
○ If the username isn’t one the application recognizes, or the password supplied by the
user doesn’t match the one associated with that username, access is denied
● This method works only if the user knows and remembers the password and keeps it secret
● Primary goal of user authentication is keeping unknown or unauthorized users out of our
applications
● We also need to keep out automated scripts that hackers use to create legitimate accounts
○ Use of CAPTCHA code - (Completely Automated Public Turing Test to tell Computers
and Humans Apart)

Privileges
● The concept of user privileges is based upon
restricting access to functionality within the
application to various classes of users
○ Visitors, or anonymous users
○ Registered and authenticated users
○ Administrative users
● Ex: user role-based access control
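An added example, not from the slides, of the role-based access control the slide names: the three privilege classes above, a deny-by-default permission table, the role derived from the authentication outcome, and a decorator that enforces it; the action names and function names are my own:

```python
from typing import Callable, Dict, FrozenSet, Optional

# Privilege classes from the slide, least to most powerful.
ANONYMOUS, USER, ADMIN = "anonymous", "user", "admin"

# Which roles may perform which action. Any action not listed is denied.
PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "view_public_page": frozenset({ANONYMOUS, USER, ADMIN}),
    "post_comment":     frozenset({USER, ADMIN}),
    "edit_own_profile": frozenset({USER, ADMIN}),
    "delete_any_user":  frozenset({ADMIN}),
}


class Forbidden(Exception):
    """Raised when the caller's role is not permitted the requested action."""


def role_of(session_account: Optional[str], admins: FrozenSet[str]) -> str:
    """Authorization starts from the outcome of authentication: no session
    means the visitor is anonymous, otherwise the account decides the role."""
    if session_account is None:
        return ANONYMOUS
    return ADMIN if session_account in admins else USER


def is_allowed(role: str, action: str) -> bool:
    return role in PERMISSIONS.get(action, frozenset())   # deny by default


def requires(action: str) -> Callable:
    """Decorator: the wrapped handler receives the caller's role first and
    runs only if that role is permitted the action."""
    def wrap(handler: Callable) -> Callable:
        def guarded(role: str, *args, **kwargs):
            if not is_allowed(role, action):
                raise Forbidden(f"{role} may not {action}")
            return handler(role, *args, **kwargs)
        return guarded
    return wrap


@requires("delete_any_user")
def delete_user(role: str, username: str) -> str:
    return f"deleted {username}"


@requires("post_comment")
def post_comment(role: str, text: str) -> str:
    return f"posted: {text}"
```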


Password Attack Methods

● Credential stuffing attacks
○ An automated attack where the attacker repeatedly tries to sign in to an application
using a list of compromised credentials, usually taken from a breach on a different
application
● Rainbow table attacks
○ An attack that attempts to crack a hashed password by comparing it to a database of
precomputed password hashes, known as a rainbow table
● Brute force attacks
○ An attack that uses trial and error to try out every combination of possible passwords
until the correct one is found (https://www.security.org/how-secure-is-my-password/)

Secure Coding

● The practice of developing computer software
in such a way that guards against the
accidental introduction of security
vulnerabilities
● Defects, bugs and logic flaws are consistently
the primary cause of commonly exploited
software vulnerabilities
● By following secure coding principles,
developers can help to write secure code that
is resistant to attack.


Key Principles of Secure Coding

● Use secure coding standards and guidelines
○ Many secure coding standards and guidelines are available (Ex: OWASP Secure Coding
Practices and the SANS Top 25 Most Critical Web Application Security Vulnerabilities)
● Avoid common coding mistakes
○ There are many common coding mistakes that can lead to security vulnerabilities
■ Using insecure functions and libraries
■ Failing to validate input
■ Not properly handling errors
■ Using weak passwords and encryption


Key Principles of Secure Coding

● Use secure coding tools
○ Many secure coding tools are available that can help developers to identify and fix security
vulnerabilities in their code
● Get security reviews
○ Security expert to identify any security vulnerabilities
● Educate your developers
○ Make sure the developers are aware of the importance of secure coding and the best
practices to follow


Tips for Secure Coding

● Use a secure development environment
○ The development environment should be configured to minimize security risks. This includes
using a secure operating system, installing security patches, and using a firewall.
● Follow a secure development lifecycle
○ A secure SDLC is a process for developing software that is secure by design. It includes steps
such as risk assessment, threat modeling, and security testing.
● Test the code for security vulnerabilities
○ Security testing should be performed throughout the SDLC to identify and fix security
vulnerabilities.
● Deploy the code securely
○ The deployment process should be secure to prevent attackers from exploiting vulnerabilities.
● Monitor the applications for security threats
○ Monitoring for unauthorized access, data breaches, and other security incidents


Tips for Secure Coding: Usernames and Passwords

● Registering with username and password
○ In an ideal world, the user would always pick a strong and unique password so that it's harder
for an attacker to guess. Unfortunately, we don't live in an ideal world. For this reason, it's up
to you as the developer to enforce this
● Enforcing password rules
○ Minimum of 8 characters, at least one uppercase letter, at least one number, at least one
special character
● Storing the user's credentials
○ Hashing algorithms (md5, sha1, sha2) …
○ How to store passwords in applications …
○ Ways of breaking hashes …
○ Other usages of hash algorithms …
○ Recovering a forgotten password …
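An added example (not the slides' code) that serves both the password rules above and the storage bullets, and also the rainbow-table attack named earlier: the four rules as checks, a salted and iterated hash (PBKDF2-HMAC-SHA256) where the per-password salt is what defeats precomputed tables, and a rehash check for raising the cost later; the record format and all names are my own:

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Tuple

ITERATIONS = 310_000   # raise over time; the count is stored with each hash
_RULES: List[Tuple[Callable[[str], bool], str]] = [
    (lambda p: len(p) >= 8,                      "at least 8 characters"),
    (lambda p: any(c.isupper() for c in p),      "at least one uppercase letter"),
    (lambda p: any(c.isdigit() for c in p),      "at least one number"),
    (lambda p: any(not c.isalnum() for c in p),  "at least one special character"),
]


def password_violations(password: str) -> List[str]:
    """Every unmet rule from the slide, so the user sees all problems at once."""
    return [why for ok, why in _RULES if not ok(password)]


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt per password. The
    salt defeats rainbow tables; the iteration count slows brute force."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"   # my record format


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(parts[2]), int(parts[1]))
    return hmac.compare_digest(digest, bytes.fromhex(parts[3]))


def needs_rehash(stored: str) -> bool:
    """True for records made with fewer iterations than ITERATIONS; upgrade them
    at the user's next successful login, when the password is available."""
    return int(stored.split("$")[1]) < ITERATIONS


def register(username: str, password: str, store: Dict[str, str]) -> List[str]:
    """Reject weak passwords before hashing; returns the violations (empty = ok)."""
    problems = password_violations(password)
    if not problems:
        store[username] = hash_password(password)
    return problems
```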

Thanks!

Contact:

Hiruna De Alwis
hiruna@effectivesolutions.lk
