Fortifying the Security of Applications

The Power of Advanced Technologies

Igor R. Alves
WAES
4 min read · Jul 7, 2023


Keeping up with the latest security technologies and best practices is crucial for any software engineer. We are used to widely known mechanisms like JSON Web Tokens (JWTs) and Multi-Factor Authentication (MFA), but as threats keep evolving, steadily expanding your security arsenal with more modern technologies keeps you ahead and lets you safeguard your digital assets effectively.

By exploring a range of newer technologies and approaches, you can strengthen the security posture of your applications and the protection of your data. So I will go beyond the usual industry standards (stepping away from the common, basic patterns, for example OpenID Connect built on top of OAuth 2.0) and show you some of the concepts, each with a high-level implementation, for FIDO2 and WebAuthn, BeyondCorp and Zero Trust, and serverless security. The focus is not on the most cyberpunk technology out there, such as quantum computing, but on what we can easily use in our day-to-day routines.

Embracing Passwordless Authentication

FIDO2 and WebAuthn

FIDO2 and WebAuthn are the standards that make passwordless authentication practical. FIDO2 is the FIDO Alliance's umbrella for two pieces: WebAuthn, the W3C web standard that gives browsers a JavaScript API for creating and using public-key credentials, and CTAP, the protocol between the browser and the authenticator (a hardware security key, or a platform authenticator sitting behind a fingerprint or face sensor). Each site gets its own key pair, the private key never leaves the authenticator, and the credential is bound to the site's origin, so it cannot be phished, replayed, or reused across services.

Implementing passwordless authentication with these standards requires both client- and server-side integration. Here's a high-level sketch of how to register a WebAuthn credential in a web application:

// Client-side code (browser). publicKeyOptions (challenge, rp, user,
// pubKeyCredParams) must come from the server: the challenge is a fresh
// random value the server generates and remembers for this ceremony.
navigator.credentials.create({ publicKey: publicKeyOptions })
  .then((credential) => {
    // credential.rawId, response.clientDataJSON and response.attestationObject
    // are ArrayBuffers: base64url-encode them before POSTing them to the server
  })
  .catch((error) => {
    // Handle error (user cancelled, no authenticator available, timeout)
  });

// Server-side code (Java, pseudocode: WebAuthnServer stands in for a real
// library such as webauthn4j)
if (request.getMethod().equals("POST")) {
    byte[] response = getRequestAsByteArray(request);
    // The library must check that clientDataJSON carries the challenge the
    // server issued and the expected origin, and that the rpIdHash in the
    // attestation matches this relying party
    AuthenticatorAttestationResponse attestationResponse =
        WebAuthnServer.validateAttestationResponse(response, challenge, origin);

    // Store the credential ID, public key and signature counter, and associate
    // them with the user
}

These standards strengthen your security and remove the vulnerabilities tied to traditional password-based authentication: nothing reusable is stored on the server, and a stolen or phished credential no longer yields a working login. If you are struggling with the protocol details (CBOR attestation objects, COSE keys, the various attestation formats), use a server-side WebAuthn library such as webauthn4j for Java, which abstracts away the complexities of the protocol; webauthn.io is a handy reference site for testing a browser and authenticator combination. Browser support for the API itself is now broad, but check that the specific features you rely on (for example resident keys, a.k.a. passkeys) are available on your target platforms.

Rethinking Security Perimeters

BeyondCorp and Zero Trust Architecture

Traditional security perimeters centred on network boundaries are no longer sufficient in the dynamic, cloud-centric environments we see nowadays: being on the corporate network says nothing about who you are or whether your device is healthy. BeyondCorp (Google's own implementation of the idea) and Zero Trust Architecture are security frameworks that shift the focus to user identity, device state and request context.

In a zero trust model, access to each resource is granted per request based on factors such as user identity, device health, and network conditions, rather than once at the network edge. Implementing BeyondCorp and Zero Trust principles gives you a more granular and secure access control model, irrespective of user location or network.

In practice this means putting an identity-aware access proxy in front of your applications and expressing access as identity-driven, context-based policy. Here's an example using Google Cloud Identity-Aware Proxy (IAP), granting a group and a service account access to an App Engine app through an IAM binding:

# Cloud IAP configuration: IAM policy for the IAP-secured resource.
# Enable IAP first (gcloud iap web enable --resource-type=app-engine), then
# apply this file with:
#   gcloud iap web set-iam-policy iap-policy.yaml --resource-type=app-engine
# (for a load-balancer backend use --resource-type=backend-services --service=NAME)
bindings:
- role: roles/iap.httpsResourceAccessor
  members:
  - group:your-group@wearewaes.com
  - serviceAccount:your-service-account@project.iam.gserviceaccount.com

With these frameworks you sometimes have to think hard about how to keep a seamless user experience while enforcing strict access controls. To get there, you can leverage Single Sign-On (SSO) providers like Okta or Auth0, which integrate with various identity providers and give you a centralised authentication and authorization mechanism across multiple applications. One caveat: a proxy like IAP only protects the traffic that actually flows through it, so the application should also verify the signed JWT that IAP adds to every request (the x-goog-iap-jwt-assertion header); otherwise anyone who can reach the backend directly bypasses the whole control.

Safeguarding Functions and Data

Serverless Security

Serverless computing has gained significant popularity for its scalability and cost-effectiveness, but it introduces its own security challenges: many small functions, each with its own permissions, secrets and dependencies, and no server of your own to harden. Securing serverless applications means protecting each individual function, securing data at rest and in transit, and implementing strong access controls.

Concretely, that comes down to a few best practices: give each function its own execution role with only the permissions it needs (function-level permissions instead of one shared, broad role), keep secrets out of the code and the deployment package (use encrypted environment variables or a secrets manager), encrypt data at rest and in transit, and test the functions and their dependencies regularly for vulnerabilities.

Here’s an example using AWS Lambda and AWS Key Management Service (KMS):

import base64
import os

import boto3


def lambda_handler(event, context):
    # Access sensitive information from environment variables (configure them
    # as Lambda environment variables encrypted with a customer-managed KMS
    # key; never hard-code them in the deployment package)
    db_username = os.environ['DB_USERNAME']
    db_password = os.environ['DB_PASSWORD']

    # Perform database operations securely (TLS to the database, parameterised queries)

    # Encrypt sensitive data using AWS KMS. The key ID comes from configuration
    # and Plaintext must be bytes; the encryption context binds the ciphertext
    # to this function and must be supplied again on decrypt
    kms_client = boto3.client('kms')
    result = kms_client.encrypt(
        KeyId=os.environ['KMS_KEY_ID'],
        Plaintext=b'sensitive-data',
        EncryptionContext={'function': context.function_name},
    )
    # CiphertextBlob is binary; base64-encode it before storing it as text
    encrypted_data = base64.b64encode(result['CiphertextBlob']).decode('ascii')

    # Perform operations with encrypted data; decrypt only where needed with
    # kms_client.decrypt(CiphertextBlob=..., EncryptionContext=...)
    return {'statusCode': 200, 'body': 'ok'}
(Giving some credit to the Python lovers by using Python for this example.)
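Function-level permissions in practice, as an added example that is not from the original post: an IAM execution-role policy for a Lambda like the one above, with the account ID, region, key ID and function name made up. Compared with the broad defaults people reach for ("kms:*" on "Resource": "*"), it lets the function use exactly one key, only with the encryption context the code passes, and write only to its own log group.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteOwnLogsOnly",
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/lambda/my-function:*"
    },
    {
      "Sid": "UseOneKmsKeyWithContext",
      "Effect": "Allow",
      "Action": ["kms:Encrypt", "kms:Decrypt"],
      "Resource": "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555",
      "Condition": {
        "StringEquals": { "kms:EncryptionContext:function": "my-function" }
      }
    }
  ]
}
```

Attach one such policy per function rather than sharing a role across the whole service: if a dependency in one function is compromised, the blast radius is that function's key and log group, not every resource in the account.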

A particular challenge in serverless security is securing function dependencies: a function is mostly third-party packages, and a compromised or vulnerable external package runs with the function's full permissions.

One solution is to use dependency vulnerability scanning tools like Snyk or Sonatype to identify and patch vulnerable dependencies before deploying your serverless functions, and to pin dependency versions with a lock file so that a deployment cannot silently pull in a different package than the one you scanned. Got the trick?

Conclusion

As the cybersecurity landscape continues to evolve, embracing modern security technologies is essential for developers who want to strengthen their applications. With the approaches above you can establish a robust security foundation and protect your applications and user data from emerging threats.

Stay informed, keep your security measures up to date, always be ready to defend your applications in the ever-changing digital world, and above all, remember: with great power comes great responsibility. 😎👌

Do you think you have what it takes to be one of us?

At WAES, we are always looking for the best developers and data engineers to help Dutch companies succeed. If you are interested in becoming a part of our team and moving to The Netherlands, look at our open positions here.



Brazilian Lead Engineer in the Netherlands with a passion for tech, philosophy, travel, and exploring cuisines.