MULTI-FACTOR AUTHENTICATION
AND STRONG AUTHENTICATION
ABOUT ME
PHILIPPE GAMACHE
HI I’M PHILIPPE
I’m a Developer Evangelist for kuzzle.io.
Long-time internet developer, author,
screencaster, podcaster and speaker. I
specialize in PHP, Symfony, Kuzzle,
security, code quality, performance,
real time and geolocation.
• Sécurité PHP 5 et MySQL 5
• OWASP Montreal
• PHP Quebec
• Table Top Game Developer
• Pen & Paper RPG Writer
I'M MISLEADING YOU
THIS IS NOT THE EIFFEL TOWER
WHERE IN LAS VEGAS
EIFFEL TOWER RESTAURANT
AGENDA
• Authentication vs Authorization
• Authentication's Problems
• The solutions
• Strong Authentication
• Solutions for all budgets
AUTHENTICATION VS AUTHORIZATION
• Authentication
  • Procedure that verifies the identity of an entity (person, computer ...) to allow access to resources (systems, networks, applications ...)
• Authorization
  • Procedure that allows access to resources only to those authorized to use them.
AUTHORIZATION
AUTHENTICATION'S PROBLEMS
• Accurately identify the entity
• Accurately identify the entity type
• Accessibility
• Broken Password
A SIMPLE LIST
• People use easy to find passwords
• They easily give their passwords to strangers
  • Without reason
    • 45% of women [1]
    • 10% of men [1]
  • For a chocolate bar
    • 64% of people [1]
• 21% have a password that is 10+ years old [2]
• 47% have a password that is 5+ years old [2]
• 73% use duplicated passwords [2]
• 54% have 5 or fewer passwords across their entire life [2]
• On average, only 6 unique passwords are used to guard 24 online accounts [2]
BROKEN PASSWORD
THE HUMAN FACTOR
[1] Infosec Europe Conference 2008
[2] TeleSign Customer Account Security Report 2015
“In the middle of talking to him, he gives me his online banking
username and password.”
– Chris Nickerson - Exotic Liability #37
THE SOLUTION
USE SECURITY QUESTIONS?
THE SOLUTIONS
SIGN THE FORM
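<?php
// Sign the form: an HMAC over a nonce, the user ID and an expiration time,
// so the server can detect tampering when the form comes back.
// $verifierNonce, $userID, $expiration (a DateTime) and $tokenSigningKey
// are assumed to be set by the application.
$code = hash_hmac(
    'sha256',
    json_encode([
        $verifierNonce,
        $userID,
        $expiration->format('Y-m-d\TH:i:s') // \T: literal separator, not the timezone
    ]),
    $tokenSigningKey
);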
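The signed form above only helps if the server recomputes and checks the code when the form is submitted. The following is an added example, not code from the original slides: it issues the hidden fields and verifies them with a constant-time comparison and an expiry check. The function names, field names, UTC timestamps and 15-minute lifetime are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Function names, field names and the TTL are hypothetical.
const FORM_TS_FORMAT = 'Y-m-d\TH:i:s';

// Same MAC input as the slide: JSON of [nonce, user ID, expiration].
function signFormFields(string $nonce, string $userID, DateTimeImmutable $expiration, string $key): string
{
    $payload = json_encode(
        [$nonce, $userID, $expiration->format(FORM_TS_FORMAT)],
        JSON_THROW_ON_ERROR
    );
    return hash_hmac('sha256', $payload, $key);
}

// Values to embed as hidden fields when the form is rendered.
function issueFormToken(string $userID, string $key, DateTimeImmutable $now, int $ttlSeconds = 900): array
{
    $nonce = bin2hex(random_bytes(16));
    $expiration = $now->setTimezone(new DateTimeZone('UTC'))
        ->add(new DateInterval('PT' . $ttlSeconds . 'S'));
    return [
        'nonce'   => $nonce,
        'expires' => $expiration->format(FORM_TS_FORMAT),
        'code'    => signFormFields($nonce, $userID, $expiration, $key),
    ];
}

// Check the fields that came back with the submitted form.
function verifyFormToken(array $fields, string $userID, string $key, DateTimeImmutable $now): bool
{
    foreach (['nonce', 'expires', 'code'] as $name) {
        if (!isset($fields[$name]) || !is_string($fields[$name])) {
            return false;
        }
    }
    if (strlen($fields['nonce']) !== 32 || !ctype_xdigit($fields['nonce'])) {
        return false;
    }
    $expiration = DateTimeImmutable::createFromFormat(
        '!' . FORM_TS_FORMAT,
        $fields['expires'],
        new DateTimeZone('UTC')
    );
    // Reject unparsable or non-canonical timestamps (e.g. rolled-over dates).
    if ($expiration === false || $expiration->format(FORM_TS_FORMAT) !== $fields['expires']) {
        return false;
    }
    // Recompute the MAC with the session's user ID; compare in constant time.
    $expected = signFormFields($fields['nonce'], $userID, $expiration, $key);
    if (!hash_equals($expected, $fields['code'])) {
        return false;
    }
    // Authentic; now enforce the lifetime. Single use would also need the
    // server to remember nonces it has already accepted (not shown).
    return $now <= $expiration;
}

// Constructed demo values.
$key   = random_bytes(32);
$now   = new DateTimeImmutable('2017-10-25 14:00:00', new DateTimeZone('UTC'));
$token = issueFormToken('user-42', $key, $now);

var_dump(verifyFormToken($token, 'user-42', $key, $now));                    // untouched token, same user
var_dump(verifyFormToken($token, 'user-99', $key, $now));                    // token replayed for another user
var_dump(verifyFormToken($token, 'user-42', $key, $now->modify('+1 hour'))); // submitted after the lifetime
$forged = ['expires' => '2099-01-01T00:00:00'] + $token;                     // client edits the expiry field
var_dump(verifyFormToken($forged, 'user-42', $key, $now));
```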
THE SOLUTIONS
HTTP://WWW.CAPTCHA.NET/
CAPTCHA
IMAGES
CAPTCHA
HOT OR NOT
GOOGLE RECAPTCHA
HTTPS://WWW.GOOGLE.COM/RECAPTCHA/
FAITHFULLY IDENTIFY THE ENTITY
AND SHOVE THE SECURITY PROBLEM AWAY
STRONG AUTHENTICATION
• Method of computer access control in which a user is granted access after successfully presenting several separate pieces of evidence
MULTI-FACTOR AUTHENTICATION
MULTI-FACTOR AUTHENTICATION
MEMORIAL FACTOR
Memorial factor
MULTI-FACTOR AUTHENTICATION
PHYSICAL FACTOR
Memorial factor
Physical Factor
MULTI-FACTOR AUTHENTICATION
REACTIONAL FACTOR
Memorial factor
Reactional factor
Physical Factor
MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical Factor
Material factor
MULTI-FACTOR AUTHENTICATION
TWO-FACTOR AUTHENTICATION
Memorial factor
Reactional factor
Physical Factor
Material factor
TWO-FACTOR AUTHENTICATION
EXAMPLES?
Memorial factor
Reactional factor
Physical Factor
Material factor
SOLUTIONS FOR ALL BUDGETS
PERFECT PAPER PASSWORDS
PERFECT PAPER PASSWORDS
HTTPS://WWW.GRC.COM/PPP.HTM
SOLUTIONS FOR ALL BUDGETS
YUBIKEY
YUBIKEY
HTTP://WWW.YUBICO.COM/PRODUCTS/YUBIKEY/
tgbvgflvvndijcfhftgnnldhgviktivhdvnekehejceh
tgbvgflvvndiknblilkrtbdvflbdhvdvutlblkfuueel
cccccccclildcuhrrhneenjbrrbbnikcvhvbgbcbnvhn
cccccccclildibndgdgihuvdcggthnjrbcujdkujnblv
SOLUTIONS FOR ALL BUDGETS
OATH OPEN AUTHENTICATION
https://openauthentication.org
STRONG AUTHENTICATION
DOESN'T PROTECT YOU...
• Man-in-the-middle attacks
• Session or cookie theft
• Data theft if the site is not protected
• Advanced phishing
ANY QUESTIONS?
THANK YOU!
If you want to talk more,
feel free to contact me.
http://kuzzle.io
This presentation was created using Keynote. The text
is set in Oswald and Ubuntu. The source code is set in
Ubuntu Mono. The iconography is provided by Keynote,
kuzzle.io and Font Awesome.
Unless otherwise noted, all photographs are used by
permission under a Creative Commons license. Please
refer to the Photo Credits slide for more information.
Copyright ©
This work is licensed under Creative Commons
Attribution-ShareAlike 4.0 International. For uses not
covered under this license, please contact the author.
Please visit us at:
http://kuzzle.io
hello@kuzzle.io
@kuzzleio
Kuzzle
kuzzleio
philippegamache
joind.in/talk/b21f7
PHOTO CREDITS
• Page 3 to 5: By Simeon87 (Own work) [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
• Page 11: http://failblog.cheezburger.com/

Multi Factor Authetification - ZendCon 2017