Name: Beginner's guide to SSO (mis)configuration | Omnipresent Biometric Surveillance
Start: 2024-02-07T18:30:00+01:00
End: 2024-02-07T20:30:00+01:00
Location: New Work SE

Dear folks,

late happy new year!

We'll present another event, taking place @ New Work (formerly known as XING).

We present two talks; Adina will talk about intricacies of SSO and IdPs. Matthias will present useful insights on his research and privacy implications on several aspects of facial recognition. Both talks will be held in English.

Doors are open on 18:00 CEST on and we will begin with the presentations at 18:30 CEST!

**In a nutshell**
Location: Strandkai 1, 20457 Hamburg
Start: Doors open @ 6:00 CEST, February 7th. 6:30 pm sharp start the talks
Title: *A beginner's guide to SSO (mis)configuration* by Adina Bogert-O'Brien
Title: *Omnipresent Biometric Surveillance* by Matthias Marx
Networking: Stay there or depending on our mood we'll have an after-talk beer somewhere in the vicinity of the venue

**Abstract: A beginner's guide to SSO (mis)configuration**
SSO is sold as a way to

* centralize managing your organization’s users,
* make life easier for your colleagues, and
* enforce consistent security standards.

But SSO protocols are just ways for an identity provider to share information about an authenticated identity with another service. Me having a way to tell my vendor “yeah, that’s Bob” doesn’t tell me what the vendor does with this information, or if the vendor always asks me who’s coming in the door.
A bad SSO implementation can make you think you’re safer, while hiding all the new and fun things that have gone wrong.
To get the most out of implementing SSO, I need to know what I’m trying to accomplish and what steps I need to follow to get there. To illustrate why SSO needs to be set up carefully, for each of the things you need to do right, I’ll give you some fun examples of creative ways you and your vendor can do this wrong. We all learn from failure, right???
I’m sharing this info because this year I got deeply involved in the SSO setup for several vendors at work. It turns out that I’m good at asking weird questions, and it’s an extremely valuable thing to do. If you know how things should be, then you know where they could be broken, and you can ask your vendors (and your colleagues!) “weird questions” before an adversary does.
I'm especially interested in what the OWASP Hamburg group has to say about these misconfigurations: how does OWASP documentation cover things like this?

**Abstract: Omnipresent Biometric Surveillance**
Biometric surveillance is ever-present in Germany and many of us have not realized this. Facial recognition search engines like Clearview AI and Pimeyes feed our faces to their gigantic search indexes without our explicit consent. Matthias shares his experiences attempting to uphold privacy through GDPR, shedding light on the associated challenges.

**Our OWASP "Stammtisch"**
Our meeting is about web applications and their (in)security and/or about IT security in general. People come together who care as a hobby or in their job about information security: developers, managers, pen testers and everybody else who's interested. The atmosphere is open and relaxed. Who's coming to sell products or services: Move on, this is not the right place. OWASP is about education and sharing (mostly) technical information. Feel free to forward our meetup URL to your colleagues or friends. They are welcome, too. Participation is free and open -- as the O in OWASP.

Cheers, Dirk & Björn

Dirk Wetter

OWASP Hamburg Meeting

OWASP® Foundation 

Technology

Education & Technology

Computer Security

Cloud Security

Software Security

Application Security

Information Security

Network Security

Web Security

White Hat Hacking

Web Application Security

OWASP

Ethical Hacking

**Bio:** Hey, I’m Adina! I am incessantly curious, work in renewable energy, and sometimes find vulnerabilities when I’m bored. I co-founded a hackerspace over a decade ago but have only just accepted that security is more than a hobby. At work, I’m a business architect with security leanings working in knowledge management for a major renewable energy company.

**Bio:** Matthias is IT security researcher from Hamburg. He runs Tor exit nodes, enjoys reporting data leaks, and is not a fan of face search engines.



Adina | Matthias 

Beginner's guide to SSO (mis)configuration | Omnipresent Biometric Surveillance

New Work SE

Share

OWASP Hamburg Meeting

Beginner's guide to SSO (mis)configuration | Omnipresent Biometric Surveillance

OWASP Hamburg Meeting

Details

Members are also interested in