Categories
Conferences Security

Okta/Auth0’s developer day: “Auth for All” – Tuesday, Aug. 24!

Tired of writing the login part of your application? Would you rather work what your API actually does rather than work on securing it? Want to know what identity, authorization, and authentication are, and how you can use them to create applications that give your users great, secure experiences?

Then you’ll want to attend Okta’s and Auth0’s virtual developer day, Auth for All, which happens on Tuesday, August 24! The theme will be “Build the future of identity with us,” and it’ll be a day of celebrating developers around the world while learning how identity empowers builders of all kinds to innovate.

And in case you were wondering…

The agenda

WhenSession
1:00 p.m. EDT /
10:00 a.m. PDT
Platform + Chat Room Opens
1:30 p.m. EDT to
2:15 p.m. EDT / 10:30 a.m. PDT to
11:15 a.m. PDT
Opening Keynote: Build the Future of Identity with Us

In today’s keynote, we’ll kick off Developer Day by celebrating developers like you building for the web, mobile, cloud infrastructure, and everywhere else code runs around the world. Then, lifelong hacker and security expert Alyssa Miller will share updates from the world of cyber security that will help you build your apps and infrastructure with
2:30 a.m. EDT to
3:00 p.m. EDT / 11:30 p.m. PDT to
12:00 p.m. PDT
Traveling Through a Secure API in Python

In this talk, we will see how you can use Python and Auth0 together to build your very own “Where Have I Been” map! I will walk you through all the steps we will need starting from scratch. From building the first API endpoints, protecting the endpoints that create new markers, all the data manipulation, and even deployment!
2:30 a.m. EDT to
3:00 p.m. EDT / 11:30 p.m. PDT to
12:00 p.m. PDT
Auth for IOT: Securing Your Smart Home

Have you moved into a new house and want to automate all the things? Sounds pretty cool, right? Just one tiny concern: how secure is it to use “smart home” devices? Should you create your own software to control your blinds? What about hacking your cameras? The world of IoT (Internet of Things) has so many options to choose from but very little guidance about how secure they are, and how you as a developer can prevent unauthorized access. In this session, we will go over what you can do with existing platforms like Alexa and roll your own DIY projects to lock down who can use them – YOU.
2:30 a.m. EDT to
3:00 p.m. EDT / 11:30 p.m. PDT to
12:00 p.m. PDT
OAuth: Past, Present, and Future

OAuth is the foundation of most of modern online security, used everywhere from signing in to mobile apps to protecting your bank accounts. Despite its ubiquity, there are still many misconceptions about OAuth and OpenID Connect in the wild.

In this session you’ll learn about the background and original motivations that drove the creation of OAuth, how OAuth and OpenID Connect are used today to provide secure online experiences, as well as the latest developments and future work within the OAuth and OpenID Connect communities.

This session will cover the many new RFCs that have been published since the original draft of OAuth 2.0, which both add and remove functionality from the core spec. These include OAuth 2.0 for Native Apps, Proof Key for Code Exchange, OAuth 2.0 Security Best Current Practice, as well as some in-progress and experimental drafts such as JWT Access Tokens, Rich Authorization Requests, and various Proof of Possession techniques. This session will cover the current status of this ongoing work and what you need to know to be prepared for the future.
3:15 p.m. 3:15 p.m. EDT to
3:45 p.m. EDT / 12:15 p.m. PDT to
12:45 p.m. PDT
Authenticating Your Next(js) Jamstack App
3:15 p.m. EDT to
3:45 p.m. EDT / 12:15 p.m. PDT to
12:45 p.m. PDT
Inclusive Digital Identity and Web Monetization for Earning Online

Digital IDs controlled by the users enables users to seamlessly onboard to any web app or platform. With Web Monetization, users can earn freely and spend freely from their digital Identity connected wallets. This talk with highlight two open standards, the Verifiable Credential Standard and the Web Monetization Standard and show how developers can build with them today.
3:15 p.m. EDT to
3:45 p.m. EDT / 12:15 p.m. PDT to
12:45 p.m. PDT
Seamlessly Integrate Identity Into Your APIs with Okta and Kong

Learn how to implement powerful new authentication and authorization scenarios with Kong and Okta. In this demo-heavy session, we will show you how to do sophisticated API access and API management flows with OIDC and OAuth – including how to plug in Identity into your CI/CD pipelines.
4:00 p.m. EDT to
4:30 p.m. EDT / 1:00 p.m. PDT to
1:30 p.m. PDT
Shift-Left DevOps for Your APIs with Okta and JFrog

With Okta and JFrog, strengthen your shift-left DevSecOps strategy by validating the security of your application’s REST API endpoints before you release to production and to your customers. Learn how you can use Okta and JFrog to automate the validation of your authentication and authorization policies for your REST APIs.
4:00 p.m. EDT to
4:30 p.m. EDT / 1:00 p.m. PDT to
1:30 p.m. PDT
OAuth for Game and XR Developers

Gaming and XR technology represent a wild west for identity security. The industry itself is one of the most highly targeted and breach prone in all of tech, yet security is commonly prioritized last. Often user experience is emphasised over security and best practice standards are not always a perfect fit for some target platforms such as consoles or headsets. With constantly increasing demand for interconnected experiences in gaming, growing reliance on cloud based backend solutions, and the increased collection of player data occurring as players become the product, security has become paramount for game developers. In this talk, we will deep dive into how game and XR developers can balance experience and security using the security best practice standard OAuth. We will discuss the basics of OAuth, designing experiences for different target platforms, and using a player’s authorization to interact with other cloud based backend solutions. This session is intended for game/XR developers, or developers who are interested in game/XR development, and assumes a basic level of development knowledge with related engines and tech. Existing experience with identity security best practices and OAuth are not required.
4:00 p.m. EDT to
4:30 p.m. EDT / 1:00 p.m. PDT to
1:30 p.m. PDT
Securing Authorization In Your Web Apps
4:45 p.m. EDT to
5:15 p.m. EDT / 1:45 p.m. PDT to
2:15 p.m. PDT
Closing Keynote with Cassidy Williams
7:00 p.m. EDT / 4:00 p.m. PDTChat Room Closes

Once again, I remind you…

This image has an empty alt attribute; its file name is auth-for-all-600x143.png

Register now!

Categories
Conferences Current Events Security Tampa Bay

“Most Wanted: Women in Cyber Careers”: Thursday, March 11 at 7 p.m. EST

Tampa’s security guild, The Neon Temple, along with The Prowess Group, is hosting their 2021 International Women’s Day Symposium with the title Most Wanted: Women in Cyber Careers. It takes place online tomorrow, Thursday, March 11th at 7:00 p.m. EST (UTC-5).

If you’re interested in cybersecurity or women in tech, you should catch this session! Register to attend, as well as to get details about how to view it online.

The panelists

Kelly Albrink Kelly Albrink (GCIH, GSEC, OSCP, GWAPT) is a Senior Security Consultant at Bishop Fox, where her areas of expertise are in network penetration testing, hardware security, and wireless technologies.

Courtney Jackson


Courtney H. Jackson,
MSISA, CISSP, CISM, CEH, CHFI is the Founder and CEO of Paragon Cyber Solutions, LLC, a woman, minority, veteran-owned small business headquartered in Tampa, FL. Courtney has more than 20 years of certified hands-on experience in Information Technology, encompassing both executive leadership and entrepreneurship. Through her work, she helps government agencies, startups, and commercial companies to protect the integrity of their business operations through specialized cybersecurity and risk management solutions.

Sunny Wear Dr. Sunny Wear is a Web Security Architect and Penetration Tester. She provides secure coding classes, creates software, and performs penetration testing against web/API and mobile applications. Sunny has more than 25 years of hands-on software programming, architecture and security experience and holds a Doctor of Science in Cybersecurity. She is a published author, “Burp Suite Cookbook”, a developer of mobile apps, specifically, the “Burp Tool Buddy”, and is a Pluralsight content creator, “Burp Suite for Beginners/Advanced/Writing Plugins”. She regularly speaks and holds classes at security conferences such as Defcon, Hackfest, and BSides.

About The Neon Tample

The Neon Temple is Tampa Bay’s security guild.

Among their number are SOC analysts, penetration testers, programmers, ’80s Wardialers, CISOs, and even the occasional intelligence collector or federal agent. Their members vary from novices just getting started, to seasoned veterans who’ve been in the trenches since before the word “cyber” was invented. They care about cybersecurity, national security, and the right to privacy, and their aim is to spread their message and mentality globally.

Once again, the 2021 International Women’s Day Symposium, Most Wanted: Women in Cyber Careers, takes place on Thursday, March 11 at 7 p.m. EST (UTC-5). To attend, register for the event here.

Categories
Security Tampa Bay What I’m Up To

The Undercroft and their cybersecurity course, UC Baseline

Photo: The Undercroft sign, featuring the Undercroft’s “mascot” — a stag standing upright in a suit, leaning jauntily against an umbrella, walking stick-style.One of the silver linings of my job evaporating due to the pandemic is that I suddenly had a lot of free time to try some new things. The best of those new things by far was my five weeks in The Undercroft’s inaugural UC Baseline cybersecurity course.

What is The Undercroft?

The Undercroft was recently featured in the Tampa Magazine article, The Latest on Tampa’s Tech Scene. Here’s the relevant excerpt:

Over the past year, a number of notable out-of-state tech companies have chosen to open offices in or relocate to Tampa. Last December, Tampa beat out other up-and-coming tech hubs like Denver and Atlanta as the new home of Boston-based Drift, a marketing technology platform. Information technology training franchiser New Horizons moved its headquarters from Pennsylvania to Tampa in January. And that same month, D.C.-based technology company TheIncLab expanded to Ybor City. TheIncLab opened an “Artificial Intelligence Experience Lab” in The Undercroft, a cybersecurity incubator that launched last summer with the hopes of turning the historic Ybor into a tech industry hotspot.

“At The Undercroft, we’re focusing on the supply side of cybersecurity,” says CEO Adam Sheffield. “How do we support more talent in this community and more people who have passion for the field?”

Initially conceived as a co-working type space where startups and members could connect, The Undercroft launched a training program, UC Baseline, in response to layoffs during the coronavirus shutdown. The UC Baseline program is designed to help educate people moving into the cybersecurity workforce or transitioning from traditional IT roles. Ten participants have signed up for the six-week program that offers courses in networking, software, and hardware, according to Sheffield Incubators and accelerators are behind much of Tampa’s recent tech growth, as nonprofits like the Tampa Bay Wave and Embarc Collective offer resources and networking opportunities for local startups, including two recent programs that focus on boosting the  representation of women and diversity in the tech industry.

To describe The Undercroft as Tampa Bay’s security guild and cybersecurity coworking space is fair, but that description doesn’t capture the spirit of the place.

A better way to paint the picture would be to call it the 21st-century cybersecurity counterpart of coffeehouses in 17th- and 18th-century England. Like those coffeehouses of old, The Undercroft is a place in a beautiful old building that functions as the home for the (often boisterous) exchange of ideas, the advancement of specialized fields of knowledge, a little deal-making, and if you pay attention, a great place to learn.

(Thankfully, The Undercroft departs from those old coffeehouses in one important way: Women are welcome in The Undercroft.)

How I ended up in UC Baseline

Back in mid-July, I’d heard about scholarships for The Undercoft’s then-upcoming cybersecurity class. I posted an article about it, which ended with this quip:

(I’ll admit it: Although I’m not likely to qualify, I applied.)

I applied, and to my surprise, I qualified, which meant that I was in this classroom a couple of weeks later:

What I did in UC Baseline

And thus began five intense weeks, which comprised the following…

Hardware 101 — Gain a thorough understanding about the devices on which all our software runs and through which all our information flows:

Networking 101 — Learn how our systems are connected and the ways in which they communicate through these connections:

Tap to view at full size.

Linux 101 — Covers the foundations of security in Linux environments, the OS on which the internet runs:

Tap to view at full size.

Windows 101 — Here’s a big challenge — learn the foundations of security for Windows environments:

Tap to view at full size.

Information Security 101 — Covers everything from core IT concepts, to cybersecurity principles, methods, and practices:

Tap to view my set of links from Infosec Week at UC Baseline.

Python 101 — If you’re doing security, you should have some coding skills to automate your work and build tooling, and Python’s an excellent language for that task:

Tap to view at full size.

 

This is not for someone who’s casually curious about cybersecurity. It’s a lot of work. As I wrote midway through the course:

If you take The Undercroft’s five-week cybersecurity course, UC Baseline, you will have to absorb a lot of material.

After one particular day, I felt like the cat in this video:

The course was taught by a team of instructors who work in the security industry when they’re not teaching. They’re also a personable bunch, and all of them went above and beyond in their efforts to ensure that we students were getting the most out of our classes.

The course ended with a career fair featuring presenters and recruiters from local and national cybersecurity organizations…

and then a Capture the Flag competition and socially-distanced barbecue:

The payoff

Did it pay off to devote 5 weeks, 5 days a week, 8 hours a day, to attend UC Baseline? I think it did.

I’m really a programmer and developer evangelist by training and experience. There’s a tendency in both these lines of work to think of security as an afterthought. Attending UC Baseline, learning from actual security professionals, getting my hands on the actual hardware and software used by the pros, and even just being in The Undercroft helped me refine my security mindset.

That in turn helped me bring my A-game when it was time to apply for a job at Auth0 and then go through their rigorous interview process (which I wrote about here).

I’m not alone — 8 out of 10 of the inaugural UC Baseline class got work around a month or so after completing the program.

My thanks to the instructors for the excellent courses:  , Koby Bryan , Michael Dorsey , George Bilbrey , Jon B , Zoran Jovic, as well as my fellow students, who made the classes more enjoyable: Hawley , Danielle True ,  , Melissa Bloomer , Alyssa Kennedy , Nicolas Claude , Ryan Butler, and Anthony Davis!

And of course, special thanks to Team Undercroft, for making such a special place — the Tampa tech scene just wouldn’t be same without you: Joy Randels, Adam Sheffield, and Chris Machowski!

Another UC Baseline in 2021!

If UC Baseline sounds interesting to you, and if you think you’re up to the challenge, there’s another one taking place in early 2021. Visit the UC Baseline page to find out more!

Find out more

Categories
Humor Security

Cybersecurity can be stressful

Just ask this practitioner…

Categories
Humor Security

I’ll admit it: This Facebook trick question impressed me.

Look at that stat: 87,672 shares. I wonder how many people posted an answer.

I should come up with a list of the other common security questions, cleverly re-phrased.

Categories
Reading Material Security Tampa Bay

My list of links from class discussions during UC Baseline’s InfoSec week

Photo: The Undercroft sign, featuring the Undercroft’s “mascot” — a stag standing upright in a suit, leaning jauntily against an umbrella, walking stick-style.During the Information Security week of the UC Baseline cybersecurity program, the instructors asked us a lot of questions whose answers we had to look up. As a way to maximize participation, we were encouraged to share lots of links of the class’ Slack channel, which also functioned as a backchannel, as well as a way to chat with the students who were taking the course online.

The links that we shared in class were valuable material that I thought would be worth keeping for later reference. I’ve been spending an hour here and there, gathering them up and even organizing them a little. The end result is the list below.

Since these are all publicly-available links and don’t link to any super-secret UC Baseline instructional material, I’m posting them here on Global Nerdy. Think of this list as a useful set of security-related links, something to read if you’re bored, or a peek into what gets discussed during the InfoSec week of the UC Baseline course!

The links

  • U.S. Department of Health & Human Services: Cyber Security Guidance Material
    A collection of “educational materials specifically designed to give HIPAA covered entities and business associates insight into how to respond to a cyber-related security incidents.”
  • DFIR — Digital Forensics and Incident Response
    “Digital forensics and incident response is an important part of business and law enforcement operations. It is a philosophy supported by today’s advanced technology to offer a comprehensive solution for IT security professionals who seek to provide fully secure coverage of a corporation’s internal systems.”
  • Understanding RPO and RTO
    “Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are two of the most important parameters of a disaster recovery or data protection plan. These are objectives which can guide enterprises to choose an optimal data backup plan.”

  • The 3-2-1 backup rule
    “For a one-computer user, the VMware backup strategy can be as simple as copying all important files to another device – or, ideally, several devices – and keeping them in a safe place. However, for multiple computer systems, things can be (and usually are) much more complicated, especially when it comes to virtual environments containing thousands of virtual machines. To protect physical machines, you would need to perform Windows Server backup or Linux Server backup, which might be difficult without effective backup tools. In these cases, a comprehensive data protection plan should include the 3-2-1 backup rule.”

  • Evaluating Risks Using Quantitative Risk Analysis
    “Project managers should be prepared to perform different types of risk analysis. For many projects, the quicker qualitative risk assessment is all you need. But there are occasions when you will benefit from a quantitative risk analysis.Let’s take a look at this type of analysis: What is it? Why should we perform it? When should it be performed? And how do we quantify risks?”

  • Buffer/stack overflows
  • Here are six basic human tendencies that are exploited in social engineering attacks:
    1. Authority: An attacker may call you pretending to be an executive in order to exploit your tendency to comply with authority figures.
    2. Liking: An attacker may try to build rapport with you by finding common interests, and then ask you for a “favor”.
    3. Reciprocation: An attacker may try to do something for you, or convince you that he or she has, before asking you for something in return.
    4. Consistency: An attacker might first get your verbal commitment to abide by a fake security policy, knowing that once you agree to do so, you will likely follow through with his next request in order to keep your word.
    5. Social Validation: An attacker may try to convince you to participate in a fake survey by telling you that others in your department already have. He or she may have even gotten some of their names and use them to gain your trust.
    6. Scarcity: An attacker may tell you that the first 10 people to complete a survey will automatically win a prize and that since some of your co-workers have already taken the survey, you might as well too.
  • Social Studies – A Lesson in Social Engineering Basics
    As we have become more and more vigilant against clicking on malicious links in suspicious emails, some social engineers have gone back to the classic person-to-person approach. Their basic strategy is to prey on vulnerabilities in human nature.