/id (@slashid_dev)
76 posts
Joined September 2022
0 Following, 138 Followers

/id retweeted
v @iavins
I can't stop thinking about this blog post where they replaced Redis with SQLite—and surprisingly, SQLite was faster! What's interesting is that Redis was running locally, SQLite was storing the data on disk. So it was memory (Redis) vs disk (SQLite), but Redis needed to communicate through IPC.

/id retweeted
v @iavins
Collection of insane and fun facts about SQLite. Let's go! SQLite is the most deployed and most used database. There are over one trillion (1000000000000 or a million million) SQLite databases in active use. It is maintained by three people. They don't allow outside contributions.

/id retweeted
Daniel Cuthbert @dcuthbert
Show me you have no idea how to build an application auth control that can detect and prevent excessive auth attempts, without showing me

/id retweeted
Daniel Cuthbert @dcuthbert
/me reads this and weeps like a small child who cannot play Fortnite past 7pm. Thank you Verizon for showing how shoddy appsec is today.

/id @slashid_dev
@jaredhanson We are! And we try to use Tink wherever possible

Jared Hanson @jaredhanson
What are the best practices for securing secrets used to sign/encrypt web session cookies and OAuth access tokens? At the high security end, are people using Secure Enclaves for key protection and cryptographic operations?

/id @slashid_dev
The recent issues with OAuth 2.0 in Microsoft Azure AD and Google are a stark reminder of this protocol's complexity. Flickr, Booking.com, Grammarly, and Kayak are just a few platforms that have experienced OAuth 2.0-related account takeover vulnerabilities in the past year. We've written a blog post summarizing the security best practices for implementing Single Sign-On (SSO) using OAuth 2.0 and OpenID Connect (OIDC) flows. slashid.com/blog/oauth-sec…

/id @slashid_dev
We’re excited to announce first-party Remix support in SlashID with @slashid/remix. We've borrowed the power of our React SDK and aligned it with Remix's unique design patterns. slashid.dev/blog/remix-sdk…

/id @slashid_dev
We wrote a brief blog post on a user enumeration vulnerability we found in Google Identity Platform and Firebase Authentication a few months back. Google released a workaround for this on September 15th, we recommend enabling it! slashid.dev/blog/firebase-…

/id @slashid_dev
If you are concerned about the 300% price hike from Auth0, reach out to us here at SlashID. We have a more scalable, secure and feature-rich alternative that will save you money and will give you more capabilities. The migration is seamless and our pricing includes architectural review sessions to help. Feel free to DM us! slashid.dev
Corey Quinn @QuinnyPig:
Okta sure has been getting the security tar kicked out of them a lot this decade to be 3xing their pricing.

/id @slashid_dev
Long-lived and overly privileged API keys are one of the primary sources of data breaches today. As a result, enterprise companies' RFPs are increasingly requiring vendors to protect their APIs using two-legged or three-legged OAuth 2.0 flows with fine-grained access control. In this blog post, we'll demonstrate how to quickly add and enforce client credentials for your APIs to comply with two-legged OAuth 2.0 flow requirements, including out-of-the-box fine-grained access control. slashid.dev/blog/openapi_o…

/id @slashid_dev
Knowing your users is becoming increasingly important today both to increase revenue and to fend off attacks. slashid.dev/blog/context-a…

/id @slashid_dev
This is a significant improvement for Passkeys usability. Passkeys created on OS X are only stored locally in the user's Chrome profile and they are not synchronized in the cloud. Starting in Chrome 118, on macOS 13.5 or later, users will have the option to save passkeys in, and use them from, iCloud Keychain, enabling cross-browser and cross-device synchronization. developer.chrome.com/blog/passkeys-…

/id @slashid_dev
Identity in distributed applications is hard. In large and complex environments with multiple services, a number of patterns have emerged to authenticate and authorize traffic. We've looked at the most common patterns out there and the benefits and pitfalls of each: slashid.dev/blog/auth-patt…

/id @slashid_dev
@kcqon @dinodaizovi Maybe we should add them to Gate :) do you have any stats on adoption?

/id @slashid_dev
JSON Web Tokens (JWTs) are one of the most common ways to transfer identity claims and prove the identity of a user or an entity. JWTs have become very popular in recent years because they are easy to use, read, and debug. However, JWTs are complex and their implementations are prone to bugs; just this summer at Black Hat, researcher Tom Tervoort disclosed 3 new attacks against JWTs. In this article, we discuss common risks when implementing or manipulating JWTs and our approach to avoiding them. slashid.dev/blog/jwt-risks/