DOSUG / feedback

Give the DOSUG Board feedback, ask questions, or propose sessions.

Abstract - RESTful Security at Work #10

Closed tmarrs closed 8 years ago

tmarrs commented 11 years ago

You’ve been working with RESTful Web Services for a few years now, and you’d like to know if your services are secure. Maybe you're new to REST on your project. In any case, you have questions:

• How do I design a secure service?
• Are there any guidelines and best practices?
• What is OWASP and how does it help?
• What is OAuth and how do I use it?
• How does RESTful Security tie to existing infrastructure?

In this presentation, we’ll cover:

RESTful Web Service Security Best Practices
• OWASP
  o Controlling Access – Authentication / Authorization
  o Securing the Payload – Confidentiality & Integrity
  o Protecting sensitive data
  o Securing the URI
  o Whitelisting Methods and Response Types
  o Content Validation
• OAuth
  o Overview
  o Flow and Concepts

Security and Common RESTful APIs
• Twitter
• LinkedIn
• Twilio
• Groupon

Security Tokens
• SAML
• JWT
• Custom

Security and Common Infrastructure
• LDAP
• SSO (Single Sign-On)
• Open AM
• CAS

We will look at a single business problem to secure a RESTful Web Service. Along the way, we'll walk through several well-known RESTful Web Service APIs. Attendees will gain a solid foundation in RESTful Web Service security.

matthewmccullough commented 11 years ago

I think by the percentage of folks using a given technology, we should lead with thinking about https://github.com/DOSUG/feedback/issues/8 as JSON is the "it is everywhere!" thing right now. What say you @DOSUG/boardmembers ?

virtualandy commented 11 years ago

I'm bummed I missed this talk at DJUG and would love to see it come to DOSUG. Security is usually an afterthought and beyond OAuth I'm not sure many of us even deal with it much.

Maybe you could bring in someone from OWASP (or Tom could go there, too) to coincide with this talk.

tmarrs commented 11 years ago

I could do the JSON talk(s) for one meeting this summer, and something on REST in December (or early 2014).

Tom

Tom Marrs, PSM I thomasamarrs@comcast.net http://www.linkedin.com/in/tommarrs http://www.facebook.com/thomasamarrs http://twitter.com/TomMarrs 303-547-5415

tlberglund commented 10 years ago

@tmarrs Is this talk ready to go? Might it be doable in October?

tmarrs commented 10 years ago

Tim, Sure, I could do this talk in October. I'm doing some updates this week, so I'll send you a new abstract this weekend.

I'm still up for some JSON talks during the winter.

Thanks.

Tom

tlberglund commented 10 years ago

@tmarrs Suhweet. I am going to consider you booked for October. :smile:

danhillenbrand commented 10 years ago

@tmarrs Tom, I have a colleague who will miss your presentation tonight, and wondering if you would allow me to videotape it for him. Is that something you're ok with? Thanks--Dan Hillenbrand

tmarrs commented 10 years ago

Dan, I’d rather not do the recording. I’ll make the slides available after the meeting.

Thanks.

Tom

danhillenbrand commented 10 years ago

Alright, thanks Tom!