By Jason Macy | Date posted: May 23, 2018
Last month, another major identity management vendor revealed a significant vulnerability. This time it was Auth0.
While conducting its own research, Cinta Infinita discovered the vulnerability in Auth0’s Legacy Lock API. The security firm noted it “was able to bypass password authentication when logging into Auth0’s Management Dashboard by forging an authentication token.”
A variant of Number 4 – API HTTP Signature Attacks – on Forum Systems’ list of the “Top 10 API Threats and How to Prevent Them,” this flaw is particularly troubling in that a valid JWT signature can be “replayed” with different user credentials. Doing so eliminates the need for cross-validation of affiliated user information. With this unfettered access, bad actors can impersonate users and alter IAM settings – effectively compromising the Auth0 architecture.
Notably, because of the nature of the vulnerability, all access attempts appear authentic. That means it will be extremely difficult for Auth0 customers to differentiate malicious users from legitimate ones.
IAM (Still) Not Security
As we’ve discussed before, identity management certainly plays a key role in an overall security architecture. But, IAM is not security, it’s access control.
Moreover, IAM platforms are just that, platforms. Platforms that are put together with toolkits, agents, and adapters, and implementations that are heavily developer-centric and code-intensive. This means that repeatable security principles are not likely as the underlying product architecture and the manner of delivery puts too much reliance on developers and on the toolkit itself to deliver security.
To their credit, Auth0 worked closely with Cinta Infinita on remediation. But, given the scale of Auth0’s deployments – more than 2000 enterprises managing 1.5 billion logins/day – and all the dependencies those customers built into their apps and systems, the SDK fix was a massive undertaking. Public disclosure of the known Auth0 hack didn’t occur until six months after Cinta Infinita initially reported the vulnerability.
Agility or Security? Why Not Both?
Another disquieting aspect of this vulnerability is that in its disclosure blog, Auth0 stated that “[v]ulnerabilities are a part of life in software development.” We agree. However, where we do not agree is the manner in which sound architecture design and utilization of security product technologies can substantially reduce risks, and dramatically improve the ability to mitigate issues that arise.
In the modern, connected world of cloud and mobile technologies, innovation far outpaces security protections. In many cases, far too much trust is placed in the hands of developers to build security into the applications rather than allowing developers to solely focus on the business value of their applications.
Security and agility don’t have to be mutually exclusive. The modern revolution of APIs has forged a path toward standards-based communication among mobile, cloud, and on-premise technologies. APIs not only represent an innovation aspect that is transforming the technology landscape, but also present a means to achieve the very aspects of risk mitigation and enhanced security that should be at the forefront of every business. This is delivered through specialized technology called API Security Gateways. This technology leverages a cyber-secure product architecture to enable secure API strategies while at the same time fostering the very aspects of agility that the new dev/ops models require.
The distinction to achieving secure API and IAM capabilities is the foundation technology used to achieve it. Secure product technology is designed from the ground up with cybersecurity in mind. Conversely, frameworks, toolkits, agents, and adapters are not. This is the choice between purpose-built, or hand-coding your security.
API Security Gateways offer a path to decouple developer-centric security and identity toward a modern architecture design that combines IAM and API security in a manner that offers centralized governance and centralized issue mitigation. With this model, issue mitigation is achieved in a manner of minutes instead of months.
Hopefully, the industry can start to recognize that centralized IAM solutions such as Auth0 can be successfully deployed with minimal risk by using API Security Gateway technology to connect to the central IAM system instead of coding an SDK to do it.