Thank you everybody for coming. It's my first DjangoCon, I'm pretty excited to be here, we've got a wonderful band going on. The first thing to do is fix the title: I don't know how many people know what an SSO is, but that actually stands for single sign-on. So before proceeding, just a quick heads-up: we marked this talk as for everybody, and it's true, I think that everybody regardless of level can take insightful things from our experience, but some bits might be a bit in-depth or a bit too security-ish. So don't worry, we hope that by the end it all holds up and you can say I didn't lie. So let's get started.

About me briefly: I'm a computer engineer, I'm CTO and co-founder at Octobot, and I'm a big football (soccer) fan. A bit about Octobot: we design, develop and deploy custom software solutions, we use Django primarily for our back-end development, and we really enjoy transforming ideas into products people love. Both the company and myself are from Uruguay. You should feel free to not know where Uruguay is, because it's a small, very small country right down there; it's about six thousand miles or something from up here, hooray for planes.

What I'm here to present today is a project that we undertook for the Uruguayan government, in which we created a single account for all services, and that can be expanded into others. I know some stuff about the US, and I'm guessing you have users or credentials for the IRS, the DMV, your health provider, banks and so on, and all of those have different levels of assurance of who you are: you cannot create an account online if the bank does not know who you are. So what we did: we created a single sign-on for the Uruguayan government in which you have one account that you will use for public services and also some other private services that need some form of assurance of who you are; if they don't need that, they can also use the service.

A bit of what we are going to talk about today: I'm going to give you a brief context about Uruguay, mainly because it's not that popular; about the challenge that we faced and what the peculiarities of it were; the solution that we applied, and that part will be mostly about security; then we'll take a slight peek under the hood and I'll present something that we did that we found interesting to share with you guys; and some takeaways.

So let's start right away. We are three and a half million people down there; when you're under five you like to count that half million people. We have a centralized government, it's not a federal government, a centralized government. Around 70% of citizens there are Internet users, I would say it's a bit more, but nonetheless that's a third-party assessment. There is very good access to broadband and 4G throughout the country, there is no complex geography or something like that, so it's pretty available, and there's also a high availability of web-capable devices, so pretty much everybody can access either a cell phone that has web capabilities or a small laptop or something like that. Okay.

So, Digital Uruguay. All of that background actually placed Uruguay on the road, for the last 10 years, pushing through in becoming one of the leading digital nations regarding government. It's right now one of the nine countries in the D9; it's a network of collaborative countries that push efforts to improve citizens' lives through technology. We have a national ID card; we have, like, forever had a national ID card and number, each Uruguayan has a primary key, let's say. Right now that card is electronic, so it has some things that we'll see right now. And there is a government agency called AGESIC; whenever I say this word, AGESIC, I'm actually saying those letters, so follow me please. AGESIC takes care of regulation and guidelines, laws and decrees and stuff like that, and also execution and orchestration of projects through third parties; they do not get involved directly into executing projects. We would like to thank them for the collaboration on this talk.

So a bit about the ID card and what information is there. There's a sample ID card where you have last names, first names, date of birth, and that nine-nine-nine-nine-nine-nine-nine, it's our primary key. And this card reveals some stuff about what the registration procedure is, because for you to take that card you have to give your fingerprints, you get a fingerprint scan, you get a picture taken, and they give you this card, and you can actually set up a digital signature on the card. So we have a registration with high confidence on who that person is, and the registration is a standard procedure. That was a brief mention about that.

So the government, as part of digital initiatives and so on, established goals. There are many of them, but the three that concern us for this talk today are: well, first they wanted to have a single point of contact, a single digital point of contact, for all the services it provides, to be available for every citizen to perform their procedures and operations digitally and remotely, so they can from their house do whatever is necessary with the government; and also provide shared services and assets for third parties, such as a single sign-on.

So what's the challenge here regarding the single sign-on? The challenge is authentication. Why? Well, because we must do a system that can provide easy, secure and accessible authentication for all citizens. You cannot leave users outside your system, you have to support them all; in fact, people that might have the hardest time using digital systems are probably the ones that can take most advantage of performing things remotely and from their houses. We also want to provide different integration protocols to reach out to as many organizations as possible. This is a win-win scenario, let's say: if a lot of organizations use that system, the citizens have a single sign-on to use on multiple organizations, public and private, and the organizations will have a trustworthy source of information regarding who that user is and how it performed authentication to reach their systems.

So a lot of things went into the decision pipeline, but at one point they decided that they did not want to go with an off-the-shelf solution, that they wanted to build a single sign-on provider. So what should this solution provide? First, it should provide multi-factor, accessible single sign-on: citizens should be able to prove who they are in an accessible way and a secure way. Use standard open protocol implementations, so don't go around bending different stuff. Provide some basic profile information: name, last name, maybe an email would be nice. And finally, one of the things that triggered this custom build is, well, you must implement some way to register on your system that yes, this user is who he says he is, and also use custom authentication factors: our ID cards are capable of doing digital signatures, I should be able to use my digital signature as a way of authenticating with the system. So all that had to be custom made.

Now how should it be? Those were, like, the requirements, but how should it be, the non-functional requirements? Well, it should be reliable, so it must be secure: citizens must trust the system, the companies and organizations that integrate with the system must trust the system. It should be scalable: it should not have downtimes, it should not suffer from unexpected and synchronized user usage; for instance, if the tax deadline is coming up, you don't want that ID system, the authentication system, to go down. It should be adaptable: things change, and this is in a lot of ways uncharted territory, so it's pretty important to make the solution adaptable. It should be open: the government should be able to see what's going on in that system. And it should be accessible, both in a maybe more classic disabilities way but also regarding devices: we want to reach out to as many people as possible, and that implies providing support for as many devices as possible.

So with all of this in mind the government said okay, call for proposals, who can do this? So several providers went in and we said we can totally build this with Django. We worked with Django regularly, and we said we have never worked with the government before but this is something that we can do. So, yeah, these proposals have an evaluation phase and so on; not everybody was as on board as other teams, so the product owners were really thrilled to be working with Django and us, but that was not maybe the perception across the organization, particularly given that this was a cornerstone project for them.

So, the solution. By the way, I'm here giving this talk, so it went right. The solution, there it is; you can actually go online, if you have your passport and you know Spanish you can actually create your account; if not, you can go and become a citizen and you'll be fully enabled to access the solution. It's really a web app, and I'm not going to show it because people have recommended me not doing a demo with conference Wi-Fi and so on, but you can go there, we hope that you see something that's worth it.

So some numbers: right now there are about 350,000 citizens in the platform, that's about 10% of our country, so yay; but about a third of them are certified accounts. You know when Twitter shows you the tick? Those are certified accounts that have either gone in person to certain stations where they can certify themselves or used their digital ID card to perform verification. And we have about those daily interactions.

So what's in the back? It's not that complex a product, and I want to say this right now because we're going to do a bit of security and I want to just say it's not that complex a product, it's not a complex domain. The reality is not that much complex, the models are not that much complex. So

there are two React apps: one is the one you'll see in that domain, the other is for back office and certification purposes, and there is the Django project serving all of this. As notable mentions, we have Celery doing some stuff, and of course Django REST Framework. I should mention, it's a must mention, that library that basically provides you with an out-of-the-box OpenID Connect provider; its author is actually a neighbour from Argentina, I believe. It's a great library, you should check it out if you are ever faced with this situation.

So, security. One of the important things about security is understanding threats and avoiding incidents, particularly understanding threats. So I'm guessing most of you are developers and not construction site workers; if there are any, you might not be surprised by what follows, but for you developers: you go around and you'll see the signs on a construction site, and they say wear a helmet, wear work boots, and for us it's pretty evident that you should do that, like, yeah, of course, why wouldn't somebody wear a hat on a construction site, things go off all the time? It's because you have to remind them, because for people that are there in an everyday environment it's like normal for them, like, it doesn't happen to me, it's okay, no worries. But there should be signs like this in software development companies. Now why aren't those there? Because the risks are not that evident. So you're faced with situations that are not like, yeah, you know what, that huge crane might fall and if I don't have my helmet on I'm surely dead; this is like, yeah, I couldn't deploy that so I disabled this flag over here, we're fine. You're not.

So avoiding security incidents is about understanding the risks and also doing some stuff that construction sites also do, that is preparing or working in a safer environment. First it's understanding, so with it threat modeling: first important thing, threat modeling, understand what you're facing regarding security. Second, do security by design: make your product as secure as possible from the get-go, do not do things that might introduce problems; in concrete, perform least privilege and security in depth, those are security principles. And also finally, that's something that applies to construction site workers as well: assume no one else is checking your work, you are the last line of defense in security. This is for all developers that were working on this project: you are the last line of defense in security, it's up to you. Eventually there will be checks by others, pentesting, reviews, security scanning and so on, but assume that can fail; you are the last line of defense.

So I'm going to speak about threat modeling briefly, what we did. It's an exercise, a process to identify problems with possible points of vulnerability. We found out that it improves risk perception and vulnerability awareness, so developers are much more aware of what the problems really are, how attacks work and where vulnerabilities might pop up. It provides an in-depth understanding of the security settings, that goes for Django and the protocol, so you can start to see why, okay, this token is sent over here, and it's a nonce so don't use it twice, because you start to get a sense of why things are there. And it has become a must-do security exercise for software projects, from our experience. There are several techniques; one is Elevation of Privilege, it's a card game, we think it's a fun approach to threat modeling, it's based on the STRIDE classification of vulnerabilities. Go check it out, it's very good; you need a bit of a security background

but not that much, and it's open access by Microsoft, you can download it and print it, and I think you can buy them as well.

So what security practices came out of this? Well, first, establish non-default, restrictive global settings, so don't go with the defaults if you don't know what they are. Make endpoint declarations explicit in access: when you declare an API endpoint, be sure that you know who has access to use that operation; this implies keeping permissions granular and semantic, you know, when you write that permission, being granular and semantic. Don't go about reinventing the wheel, so use standard crypto, use standard protocols. Do not repeat yourself: you probably are introducing vulnerabilities if you are repeating code. Practice security in depth: write the deployment configuration, know what's going to run and what the communication paths are in your back-end deployments, perform extra checks even if it's inner communication. Apply the least privilege principle: you should provide only the necessary data and operations to a user to perform the necessary transaction. And last but not least, don't forget about availability: one of the most common attacks is denial of service, and don't make an attacker's life easier; find failure points and implement protections such as throttling or a good scalability guide. So these are the security practices that arose from threat modeling and security by design; we'll go out and see how they impacted specifically different aspects such as architecture.

We regularly use, like always, twelve-factor, go check it out; I placed these four because they are the most important in our work. For this project, in this case, it allows us to evaluate good integrations, avoid setup mismatches and other problems that might introduce security vulnerabilities. Regarding the API, we didn't use microservices, it's not a complex reality; we used REST Framework, we did group the API by availability and scalability requirements, so the authentication endpoints, which are actually much more used than the management endpoints for authentication factors, like change your password, you don't do that often. Don't use the default serializer, be explicit about the serialization you're using and actually be slim about those serializers. And throttling, we said that already.

Regarding development, we use git; it's easier to handle if you have multiple environments like test, staging, develop and prod; from our experience it's a better way to handle that without having code differences. We use static code analysis at all levels, front end and back end, enforced at CI, so we are looking at the code as it goes into the repo. We use a Docker dev environment; there was a talk about this here, so go check it out please. Scripts, as in not Go the language but code scripts, check it out, they are pretty good; it eliminates CI and dev environment mismatches, so the CI and the team run exactly the same scripts and commands, so that's pretty useful to avoid introducing vulnerabilities. And we do peer reviews. Finally, log smart: log carefully, log plenty. You have to be careful about which data you're logging; you have to log plenty of information because you want to have audit capabilities and perhaps detect suspicious behavior, but you have to log carefully because you don't want to leak people's data in an openly accessible way.

So infrastructure, brief mention: this is run on OpenShift, it's a Kubernetes-based solution; it's run on a government cloud; there is an operators team for the production environment, so we don't actually have access to that. Regarding the deployment guidelines, we did actually address one problem that might arise, or eliminate vulnerabilities of the deployment configuration being written by the dev team: so we actually write the deployment template, and we can generate the different deployment files combining the template, that's given by us, the parameters, that are given by business people, and the secrets, that are given by the operators, so database passwords and so on. It enables a formal communication between developers and operators.

So briefly, and because I have a few minutes left, I wanted to cover some of what's going on under the hood regarding one point particularly, that is the stateless multi-factor authentication; so no default authentication. I'm hoping, I'm guessing, that everybody has used multi-factor authentication once: you actually have to provide not just a password, a password and a token, a one-time password such as Google Authenticator or something like that, or in our case our users, citizens, have authentication factors, and a login is the completion of all necessary factors for a given context. So if you have been on a trip you know that if you log in with Google somewhere else, Google is going to start asking for different stuff; that can happen, but what's important is that there is a variable factor list, it's not always the same list, and it depends on the user. So a given user at one point might be just asked a password and he's in the system, but in another context it may have a different set of challenges required.

So how do you keep track of a stateful transaction in a stateless, scalable request environment? One thing is using sessions and keeping track in the session of what's going on with the user: whenever the first request comes, I'll set your session, here you go, and I'll start keeping track of that interaction in the session, that goes to the DB. The other alternative is using signed tokens. So signed tokens will enable us to actually keep track of what's going on by sharing a token with the user on each request; we will see how that works right now.

So it's a challenge-based authentication. The user, I hope that size is readable from the back, the user will say okay, I'm trying to log in, here is my reply for the username challenge. The back end will say okay, what is the list of your authentication factors; so it will say okay, you need to send in the password, so it will send me what's the next request for me to handle, and also it will send me a token saying relevant stuff, in this case what it says is that I have no passed challenges yet. So I got my token; next step, I'll send you my password, I'll send you what's the challenge I'm replying to, it's password, what's my password, and also what's the token that you sent me before. So that token is signed, so the back end can actually know, hey, I got this guy, yeah, you need now TOTP, but you have now passed the password challenge, and that token is also signed. So the next one is okay, here is my TOTP, my token, the last token you sent, that's already passed challenges. So the back end now says okay, because this guy has passed TOTP and password challenges, you're good to go, and with that I can follow up on the OpenID Connect authentication strategy.

So the benefits of this: we avoid the database until necessary, so we'll provide a session once the user has fulfilled all necessary challenges. This also helps us avoid heavy queries, because when we have to retrieve maybe profile data and so on it's a bit heavier. And there's no affinity, it really doesn't matter which back-end instance handles my request.

To wrap up briefly, in one minute, takeaways. Well, first, I don't know if you have had to sell Django recently, but if you go on the site it will say things like Django is ridiculously fast, fully loaded, reassuringly secure, and well, it is, we know that, but for instance people in the government did not know that, and now they have gotten to know it. Business people love the adaptability that the solutions have, and that is in great part because of Django-based technology. And operators love availability and scalability: we are,

from their words, the best-behaved citizen of their cluster. Finally, Django security is reassuring, Django is really secure, we have heard that already and stuff like that, but it's important to know why. Try Elevation of Privilege, it will help you do some threat modeling, understand security settings, avoid disabling checks. Of course, set non-default global configuration, so if you're going with the defaults at least look at them, or copy and paste them into your settings. Make your code annotation explicit, be semantic, be clear: somebody going after you to look at the code has to know from the description and what's there who has access to that. And work on availability.

Question: What were you using Celery for?

We use it for tasks; for instance, we have to retrieve certificates that have been revoked, because if you get your national ID stolen you go to a police department, say I've been robbed, and they'll cancel that ID, so we have to regularly retrieve that list and perform some updates, for instance.

Question: Great talk, thank you. What was the bottleneck?

Well, we really anticipated more than, maybe, what actually happened; scalability has been working right so far, even with things such as our local IRS saying, from one day to another, here you have one week to fulfill this and you have to use this authentication factor, so everybody was, like, in a couple of hours traffic jumped tenfold, and no calls, no anything. So that's great; that's in great part because of twelve-factor, we really think that it's a great path to scalability. There are lots of pain points there, yes.

Question: Thank you for that talk, it was excellent. Given how mission-critical these systems are, how many automated tests did you write around this, and, if any, I'm sure you did, what type of tests?

So there was a testing bit on this, that is true, on the plane over here, but we use the default, everything is unit tested, we use the default Django test framework; for React we use Jest.

Question: Great talk. How do you handle production support?

Sorry? How do you handle production support, since you guys have... We are not operators, so it's actually handled there; we are the third line, so the first line is the government, they have a system support, then there's the specific product owners' support, and then there's us, so we can do nine to five, let's say; there are no special needs regarding that.

Question: Great talk, thank you. So you mentioned that 10% of the population is using the service and just above 70% of the population is connected to the Internet, so that's about 14%; I was wondering if you envision that number increasing over time, and if so how, and how can you drive that level of adoption?

Okay, disclosure: yes, that number, I forgot to mention it, it's been increasing steadily. Besides IRS and other requests and so on, it's been increasing steadily from the fact that new organizations and new procedures are jumping into the platform, or new uses; for instance, if you want to travel to Brazil you need to get the yellow fever vaccination, and to get that vaccine you need to get a number where they require it, so every holiday season we see a rapid increase in users, and it keeps increasing and it increases coverage. We don't actually have a say or an interest, besides the marvelous things that you can do, regarding user increase; we are not driving it commercially.

Question: This seems like a very critical system; were you guys involved in some penetration testing or some third-party evaluation of it?

Yeah, actually AGESIC hired, we did the work, but they called pentesting teams, they had a penetration testing team, we had security audit teams, and in production systems there are, running, other checks, for instance in traffic and so on; I'm not going to say a lot about that. Yeah, they did penetration testing from third parties.

Question: Thanks for the talk. Do you see yourself working on other projects at the government or country level?

Yes, actually we are right now working on the, let's say, next step; it's not actually the next step, it's an associated project, that's regarding authorization, so you will be able to provide authorization to organizations, public and private, to access your personal data. For instance, you go to a health institution and a different one, and they'll ask your previous health provider to access your health records, so you will be able to provide on the authorization platform consent for that. It's very tightly related: that's the authorization part, this is the authentication part.

Question: In that country, does this have any point for different levels, like open data, some data is accessible by the government and other like companies, and some of us use some of the data only wish to restrict to yourself?

I could not understand your question. It's a nice common point: the data has different levels, different levels of open data for the different parties. So there is an open data initiative back home, it does not work, there is also a privacy protection enforcement, so that's not actually combined. I don't know if that answers your question; I'm nervous, we can discuss it later in the hallway if you want. Thank you, okay, thank you, thank you. [Applause]
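The stateless, challenge-based multi-factor flow described in the talk (username, then password, then TOTP, each step handing back a signed token that records which challenges have already been passed), as an added example that is not code from the talk or from the ID Uruguay platform. It uses only the Python standard library. The HMAC signing key, the in-memory user table, the "basic"/"strong" assurance contexts, the PBKDF2 password hash, the RFC 6238 TOTP and all function names are assumptions made for the demo, not the real system's protocol or storage.

```python
"""Stateless challenge-based MFA: login progress lives in an HMAC-signed token.
Added example, not code from the talk or the ID Uruguay platform; key, users,
factor lists and assurance levels below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import struct

SERVER_KEY = secrets.token_bytes(32)  # assumption: HMAC key shared by every back-end instance
TOKEN_TTL = 300                       # seconds a partially completed login stays valid
_SALT = b"constructed-demo-salt"      # demo only; real systems use a per-user salt

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed user store standing in for the database. It is read only to verify
# the factor currently being answered, never to track how far the login has got.
USERS = {
    "alice": {"pw": _pw_hash("correct horse"), "totp": b"12345678901234567890"},
    "bob":   {"pw": _pw_hash("hunter2"), "totp": None},
}
_USED_NONCES = set()  # stands in for a DB table; touched only once every factor has passed

class InvalidToken(Exception):
    """Token is malformed, tampered with, expired or replayed."""

class ChallengeFailed(Exception):
    """The reply did not satisfy the challenge the token says is next."""

def required_factors(username, acr):
    """Variable factor list: depends on the user's enrolment and the requested assurance."""
    if acr == "basic":
        return ["password"]
    if acr == "strong":
        if USERS[username]["totp"] is None:
            raise ChallengeFailed("strong assurance requested but no TOTP enrolled")
        return ["password", "totp"]
    raise ChallengeFailed(f"unknown assurance level {acr!r}")

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_state(state):
    """Serialise the login state and append an HMAC-SHA256 tag over it."""
    body = _b64(json.dumps(state, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"

def verify_state(token, now):
    """Return the state carried by a token, or raise InvalidToken if it cannot be trusted."""
    body, sep, tag = token.partition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    if not sep or not hmac.compare_digest(expected, _unb64(tag)):
        raise InvalidToken("bad signature")  # covers tampering and malformed tokens alike
    state = json.loads(_unb64(body))
    if now > state["exp"]:
        raise InvalidToken("expired")
    return state

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), the second factor in this demo."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def begin_login(username, acr, now):
    """Username challenge answered: return the first factor to ask for plus a signed token."""
    if username not in USERS:
        raise ChallengeFailed("unknown user")  # a real system answers uniformly to avoid enumeration
    state = {"sub": username, "pending": required_factors(username, acr), "done": [],
             "nonce": secrets.token_hex(8), "exp": int(now) + TOKEN_TTL}
    return state["pending"][0], sign_state(state)

def answer_challenge(token, challenge, reply, now):
    """Verify one factor; returns ("challenge", next, token) or ("session", user, session_id)."""
    state = verify_state(token, now)
    if not state["pending"] or state["pending"][0] != challenge:
        raise ChallengeFailed(f"{challenge!r} is not the next challenge")  # no skipping ahead
    user = USERS[state["sub"]]
    if challenge == "password":
        ok = hmac.compare_digest(_pw_hash(reply), user["pw"])
    else:  # "totp"
        ok = hmac.compare_digest(totp(user["totp"], now), reply)
    if not ok:
        raise ChallengeFailed(f"{challenge} rejected")
    state["done"].append(state["pending"].pop(0))
    if state["pending"]:
        return "challenge", state["pending"][0], sign_state(state)  # re-signed, updated state
    # Every factor passed: only now touch the DB, to burn the nonce and open a session.
    if state["nonce"] in _USED_NONCES:
        raise InvalidToken("completed login replayed")
    _USED_NONCES.add(state["nonce"])
    return "session", state["sub"], secrets.token_urlsafe(32)
```

Each response re-signs the whole state, so any back-end instance can handle the next request and the database is read only for the factor being checked; the nonce set is consulted at the final step, where a session row is being created anyway, so a completed chain cannot be replayed to mint a second session. What a signed token alone cannot give you is per-login attempt throttling, since a client can always re-present an older token, so rate limiting has to live at the edge or in shared state.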
