Application Security

Defence in depth — a series of articles about building secure systems.

It is easy to forget important things when you move fast, and the pace of software digitalization is fast. Business requirements change continuously as technologies and services evolve. This presents a challenge for those of us who work with development and architecture: we constantly need to adapt existing systems or create new ones. In the stress of moving fast, security sometimes takes a back seat.

This article series aims to help you make sure you get application security right from the start.

  • Articles 1 to 3 describe the preconditions you need to create strong access control, a central part of any system built on the defence in depth principle.

  • Article 4 shows how we deal with an API request and what layers of protection we need for a secure application.

  • The additional article Secure APIs in ASP.NET shows how we implement an API that has defence in depth and is secure by design.

  • We apply a few architectural security principles to a reference architecture and discuss the implications in the article Secure Architecture.

Defence in Depth - how to build secure systems.

Part 1: Identity Modeling

In the first article of the series we focus on how to model identities and how to create and manage user rights. We also show how OpenID Connect and OAuth2 can be used to build a secure system.

Part 2: Claims-based access control

The second article focuses on how you transfer information about the user identity using tokens and claims, and how we transform them into user rights. This article gives you the foundation for robust access control.

Part 3: Clients and sessions

In this article we sort out how to obtain a token on the client side. We also look at the flows that OAuth2 and OpenID Connect give us and which flow is best suited for your client.

Part 4: Secure APIs

Our first three articles were about designing and getting an access token. We also established a model for how we move from identity and scopes to the rights that we base all further access control on.

Are you a developer and curious about what Omegapoint has to offer?

Feel free to contact us!


Application Security

How do we build secure applications?


Omegapoint has broad experience in building secure applications in multiple business lines. It provides us with a unique opportunity to perform in-depth and complete security reviews of systems. Our team of experienced security experts offers the following services:

  1. Offensive penetration test

  2. Defensive review of architecture and implementation

  3. Structured way of working for secure systems over time

Our penetration test consists of manual work by our engineers, code reviews, and vulnerability scanning. We combine this with a review of architecture, infrastructure, data, implementation, and processes for development and operations.

Based on the results from review and penetration tests, we provide recommendations in the form of actionable advice aligned with your development team. Often, vulnerabilities that the penetration test reveals originate from architecture decisions and processes. This means that our recommendations also improve your way of working.

A security review also identifies a proportional level of security, i.e., a "Security Baseline" that you can align with security frameworks like ISO 27000 and CIS Controls.

Together, we find a structured way of working for your team that results in a more secure system over time.