Posts

Showing posts from October, 2017

Openhack Amsterdam Video

Image
And here is the official video of the recent Openhack Amsterdam that I went to, earlier this month. Enjoy! (yes I am the one on the right end of the screen in the picture) :)

Automating Azure Active Directory: Provision Users and Apps

Image
Some time ago I wrote about User App Provisioning in Azure , which can be achieved manually through the Azure Portal . But if you happen to have already an application that you use to manage your users and permissions, and you want to deploy such application to  Azure , you might want to automate things a bit more. At a high level, this is the Graph API flow: Find the User in AAD Invite the User to AAD Find the App to Assign in AAD Find existing App Assignment for the User Assign the App to the User This is the flow diagram (a bit more detailed): The Management App  (green color) is the main application where you already manage users and permissions, which did not require AAD integration so far. However, once the application is deployed to Azure , AAD integration becomes essential. This is the place where you would want to integrate this POC application. The POC application is represented by the App Provision App (yellow color), and it manages the...

Scoring bad at Pentest... thanks to Azure :)

Image
As part of a security compliancy, we had our application (deployed in Azure ), scanned with a Pentest by an external company. I just received the Scan Reports , and I was surprised to see issues that I was sure we fixed (such as OWASP  XSS (Cross Site Scripting)  just to name one.. Well, after a quick analysis of the reports, it turns out that most of those issues belong to Azure resources! By having our API s behind Azure API Management , its  Developer Portal was scanned as well, and resulted in a few issues (between Low and Medium , nothing critical). The AAD login page , has a few of those issues as well, and because of the automatic redirect they seem caused by our app during the scan.. Obviously those resources are out of our control, and we can't do anything to fix those issues, maybe Microsoft will. At the same time it is nice to find out that the hard work to secure our app paid off, and only a few minor issues were found that actually belong t...

Openhack Amsterdam Day 3

Image
Last Day. Challenge completed. New Stuff learned. Thanks Microsoft. Openhack Amsterdam

Openhack Amsterdam Day 2

Image
Keep hacking... Openhack Amsterdam

Openhack Amsterdam Day 1

Image
Having fun with Containers and Minecraft at Openhack Amsterdam :)