{
    "componentChunkName": "component---src-templates-blog-blog-list-template-blog-list-template-js",
    "path": "/articles/3",
    "result": {"data":{"allContentfulSecOktaComBlogPost":{"nodes":[{"updatedAt":"2025-04-17T22:06:11.690Z","slug":"/articles/2025/04/detect-and-prevent-cross-device-auth","node_locale":"en","date":"2025-04-17T09:00","secAuthor":[{"name":"Zach Newton","slug":"/hackers/zach-newton","jobTitle":"Senior Manager, Adversarial Engineering & Operations","id":"21ae8763-5bd4-5d85-9ae3-0f53eb81433d","bio":{"bio":"<p>Zach Newton is the Senior Manager of the Global Adversarial Engineering and Operations team at Okta, who are focused on adversary simulation and offensive-driven detection research. Prior to joining Okta, Zach worked in a variety of offensive and defensive roles across financial services, telecommunications and retail. </p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/wNSXK3ik5gdGgY2gFU1Yv/ad8668990c94990af8e82dd16018b58b/Zach_Newton_Headshot.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/wNSXK3ik5gdGgY2gFU1Yv/ad8668990c94990af8e82dd16018b58b/Zach_Newton_Headshot.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/wNSXK3ik5gdGgY2gFU1Yv/ad8668990c94990af8e82dd16018b58b/Zach_Newton_Headshot.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/wNSXK3ik5gdGgY2gFU1Yv/ad8668990c94990af8e82dd16018b58b/Zach_Newton_Headshot.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/wNSXK3ik5gdGgY2gFU1Yv/ad8668990c94990af8e82dd16018b58b/Zach_Newton_Headshot.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/wNSXK3ik5gdGgY2gFU1Yv/ad8668990c94990af8e82dd16018b58b/Zach_Newton_Headshot.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/wNSXK3ik5gdGgY2gFU1Yv/ad8668990c94990af8e82dd16018b58b/Zach_Newton_Headshot.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 
29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/wNSXK3ik5gdGgY2gFU1Yv/ad8668990c94990af8e82dd16018b58b/Zach_Newton_Headshot.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/wNSXK3ik5gdGgY2gFU1Yv/ad8668990c94990af8e82dd16018b58b/Zach_Newton_Headshot.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#d8e8e8","width":58,"height":58}}}],"title":"Detect and Prevent Cross Device Authentication","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Trusted App Filters accounts for Identity-based attacks arising from compromised hardware. This blog article provides insights and resources on preventing and detecting Cross Device Authentication (CDA) authentication attacks."},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"So, you recently implemented phishing-resistant authentication policies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Firstly, congrats! You’ve significantly raised the bar for potential threat actors and have a far better chance of detecting a compromise going forward. This will force threat actors to shift their focus to compromising your end-user devices. So what does this actually look like and what else can you do?\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Even with phishing resistant authentication in place, there are several techniques a threat actor could employ that leverage a compromised endpoint to successfully authenticate to Okta-protected resources. 
The threat model for FIDO authentication, for example, notes that there are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://fidoalliance.org/specs/common-specs/fido-security-ref-v2.1-ps-20220523.pdf\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"limits to how much protection\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" an authenticator offers if the hardware it operates on is compromised.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"One such example of this is what we call a ‘Cross Device Authentication (CDA) attack’ - this is when an attacker connects to a protected resource from their machine and forwards the required authentication flow through a machine they have previously compromised to gain unauthorized access.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I won't go into all the details here, as this technique has previously been proposed and documented by other researchers (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://blog.xpnsec.com/identity-providers-redteamers\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"XPNSec\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://gitlab-com.gitlab.io/gl-security/security-tech-notes/red-team-tech-notes/okta-verify-bypass-sept-2024/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"GitLab\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\").\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Combatting CDA 
Attacks\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Prevention\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Steve Lind recently published a great blog, ‘\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/blog/2025/04/stay-secure-with-fastpass-and-trusted-app-filters/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Stay secure with FastPass and Trusted App Filters\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"’, which details what \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/identity-engine/authenticators/trusted-app-filters-for-fastpass.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trusted App Filters\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" are and how they can be used to protect against Cross Device Authentication (CDA) attacks, so be sure to check it out.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Detection\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In this blog post, I would like to provide some potential detection ideas off the back of Trusted App Filters. When you authenticate with FastPass using the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"LOOPBACK\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"APPLE_SSO_EXTENSION\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" binding methods (i.e. 
the phishing-resistant methods), you will find that, in the associated user.authentication.auth_via_mfa event, under the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"‘AuthenticatorContext’\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" object, a variety of information about the process that initiated the authentication is logged.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"5nOYAureGL8o2VgpyUZNiZ\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"These values are particularly useful from a detection perspective, as they give you visibility into what process the authentication request was initiated from, and can be used to detect unexpected or anomalous processes initiating authentication in your environment. Our Identity Defence Operations team have put together an \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/okta/customer-detections/blob/master/detections/fastpass_auth_via_suspicious_binary.yml\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"example query\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that you can use with System Log to identify authentication requests that are not initiated by a browser. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Leveraging \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/xpn/OktaPostExToolkit/tree/master/oktarealfast\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Adam Chester’s\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" lightweight proxy on our attacker machine and an SSH reverse proxy on the compromised machine, when we authenticate to an Okta protected resource from the attackers machine, the authentication request is forwarded over the reverse proxy to FastPass on the compromised machine. Looking in the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"‘AuthenticatorContext’ \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"object we can see that the initiating process is SSH.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"22PJ0fQyvgLoiHxlErinkx\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Another potential avenue for detecting Cross Device Authentication (CDA) attacks is via anomalies in the session establishment. During the authentication flow a user.session.start event and a user.authentication.auth_via_mfa event are generated. Leveraging the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://sec.asqula.com/articles/rootsessionidroottokenid/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"root_session_id\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", we can tie these events together. Next we can extract the client IPs from each event, looking for when they don't match. 
In an attack scenario, the IP in the user.session.start event will be the attacker's and the IP in the\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[{\"type\":\"italic\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"user.authentication.auth_via_mfa event will be the compromised device. We can then layer techniques like impossible travel, conflicting ASNs or changes in User Agents to identify suspicious events. At times (depending on your environment), these methods can be prone to false positives, so combining this with an anomalous calling process can help filter out the noise and turn this into a robust detection opportunity. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"62whkyYfYxMvF1CSQdAmSF\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Closing comments\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To find out more, I highly recommend checking out Steve Lind’s recent \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/blog/2025/04/stay-secure-with-fastpass-and-trusted-app-filters/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"blog\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", which covers Trusted Application Filters in more depth. 
If you can’t get enough after that, check out our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/oktane/2024/sessions/back-to-the-future-the-re-emergence-of-device-based-attacks/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Oktane on Demand 2024 session\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", where Steve and I include a demo on how Trusted App Filters can thwart Cross Device Authentication (CDA) attacks.\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2025-04-09T16:56:16.284Z","slug":"/articles/2024/04/how-responsible-disclosures-are-shaping-a-safer-cyberspace","node_locale":"en","date":"2025-04-09T00:00","secAuthor":[{"name":"Carmen Girardin","slug":"/hackers/carmen-girardin","jobTitle":"Manager, Security Communications","id":"2f88c41e-3abf-5fcc-9a06-9ed78081f8e2","bio":{"bio":"<p>Carmen Girardin is a Manager, Security Communications at Okta. Backed by over a decade of experience in the fintech sector, Carmen is a proficient technical writer with domain expertise in Identity and Access Management (IAM). She is passionate about delivering engaging, timely customer communications on the cybersecurity ecosystem and the evolving threat landscape, to help our customers gain the most value from Okta. 
Carmen spends her downtime traveling, thrifting for treasures and reading.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#b8b8b8","width":58,"height":58}}}],"title":"How Responsible Disclosures are Shaping a Safer Cyberspace","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"What was once considered a controversial topic has gained widespread appeal as a crucial practice in the ongoing fight against 
threat actors and vulnerability exploitation. Ethical hackers and security researchers are revolutionizing today’s vulnerability management programs and reducing online risks by participating in Bug Bounty programs and disclosing vulnerabilities responsibly."},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A staggering 40,003 total CVEs were \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://nvd.nist.gov/vuln/search\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"recorded\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" by the National Vulnerability Database (NVD) in 2024. Technology advancements and the rate at which features are continually released undoubtedly contribute to these rising numbers, which represent a 39% increase from 2023. Prioritizing security from the start by employing secure coding and development practices is key to mitigating vulnerabilities.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The cybersecurity risk landscape continues to evolve rapidly with the rise of threat actor sophistication and tooling. 
In 2024, attacks involving the exploitation of web application vulnerabilities increased significantly — by \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.verizon.com/business/resources/reports/dbir/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"180%\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" — nearly triple that of the previous year.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Benefits of ethical hacking\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What was once considered a controversial topic has gained widespread appeal as a crucial practice in the ongoing fight against threat actors and vulnerability exploitation. Ethical hackers and security researchers are revolutionizing today’s vulnerability management programs and reducing online risks by participating in Bug Bounty programs and disclosing vulnerabilities responsibly.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta supports and actively participates in responsible disclosure practices including a Bug Bounty program, which contributes to a safer online community by reducing the number of active vulnerabilities that could be exploited by threat actors with malicious intent. 
Industry benefits of responsible disclosures continue to grow for software vendors and technology users alike.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Industry inclusivity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Traditional approaches to cybersecurity predate modern-day responsible disclosures and other notable programs such as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.bugcrowd.com/bug-bounty-list/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"BugCrowd\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://googleprojectzero.blogspot.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Project Zero\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". Organizations can now leverage the skillset of the hacker community to improve their security posture. Ethical hackers are provided an environment to learn, test, and responsibly disclose security issues to technology vendors.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Improved security\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The more testing, the better. Ethical hackers who attempt to discover software vulnerabilities with the intention of closing security gaps improve security posture. However, a Bug Bounty program should not replace a full-time security team; dedicated, internal talent, including Offensive Security or Product Security, is highly advisable. 
Ethical hacking programs should complement a comprehensively robust security program.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cost savings\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Bug Bounty programs offer organizations additional security safeguards while awarding monetary rewards to ethical hackers for successfully discovering and reporting bugs or vulnerabilities to the software vendor. The cost of an exploited vulnerability resulting in a data breach will far outweigh any Bug Bounty reward.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Transparency\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Trust starts with transparency: technology vendors are granted opportunities to be transparent with their customers, given the identification of vulnerabilities. Responsible disclosure programs aim to socialize ethical hacking practices further and improve vendor transparency by avoiding silent patching. Organizations are subject to NVD standards when remediating and communicating vulnerability-related information to customers and users.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta and BugCrowd\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta is proud to offer Bug Bounty programs through BugCrowd which create direct connections to the global security researcher community. 
Okta welcomes submissions and believes that community participation plays an integral role in protecting our clients’ systems and data.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On any given day, thousands of lines of code are written, and hundreds of thousands are released into production for the Okta and Auth0 platforms. These programs are a supplementary security practice to our standard \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/resources/whitepaper-secure-development-lifecycle/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Secure Development Lifecycle\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (SDL) methodologies which include in-depth reviews at various stages of development.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"embedded-asset-block\",\"data\":{\"target\":{\"sys\":{\"id\":\"2sW9AK8hIViLNpOnHf7a9K\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We invite you to review Okta’s defined \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/vulnerability-reporting-policy/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Vulnerability Reporting Policy\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", which details the do’s and don’ts of security research for our Identity platforms and includes additional helpful guidance.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Watch \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/oktane/2024/sessions/bug-bounty-at-okta/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Oktane 2024 On 
Demand\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to deep dive into Okta’s BugCrowd programs from our own Product Security experts. To learn more, including how to participate, read on about \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://bugcrowd.com/engagements/okta\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s BugCrowd\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" and \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://bugcrowd.com/engagements/auth0-okta\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Auth0’s BugCrowd\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" Bug Bounty programs.\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2025-03-26T17:52:14.529Z","slug":"/articles/2025/03/cybersecurity-next-gen","node_locale":"en","date":"2025-03-26T00:00","secAuthor":[{"name":"Carmen Girardin","slug":"/hackers/carmen-girardin","jobTitle":"Manager, Security Communications","id":"2f88c41e-3abf-5fcc-9a06-9ed78081f8e2","bio":{"bio":"<p>Carmen Girardin is a Manager, Security Communications at Okta. Backed by over a decade of experience in the fintech sector, Carmen is a proficient technical writer with domain expertise in Identity and Access Management (IAM). She is passionate about delivering engaging, timely customer communications on the cybersecurity ecosystem and the evolving threat landscape, to help our customers gain the most value from Okta. 
Carmen spends her downtime traveling, thrifting for treasures and reading.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#b8b8b8","width":58,"height":58}}},{"name":"Caroline von Konigsmark","slug":"/hackers/caroline-von-konigsmark","jobTitle":null,"id":"b9b8fd15-ef20-5964-84b5-33227017531e","bio":{"bio":"<p> Caroline von Konigsmark is a Senior Security Culture Analyst at Okta. 
She champions a human-centered approach to security that moves beyond checkboxes and fear-based messaging to create a culture of shared responsibility. With a background in communications and experience in a regulatory cyber role, Caroline brings a unique lens to the challenge of driving behavioral change. She designs engagement strategies grounded in empathy, clarity, and storytelling, helping people feel informed, empowered, and invested in security.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2aSk0IoKCi4O0jCqesigDQ/4c37469dfa746231be167be4d5c1d3af/b0f1b21b-81e5-42ef-9f91-743f43a71106.jpeg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2aSk0IoKCi4O0jCqesigDQ/4c37469dfa746231be167be4d5c1d3af/b0f1b21b-81e5-42ef-9f91-743f43a71106.jpeg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2aSk0IoKCi4O0jCqesigDQ/4c37469dfa746231be167be4d5c1d3af/b0f1b21b-81e5-42ef-9f91-743f43a71106.jpeg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2aSk0IoKCi4O0jCqesigDQ/4c37469dfa746231be167be4d5c1d3af/b0f1b21b-81e5-42ef-9f91-743f43a71106.jpeg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/2aSk0IoKCi4O0jCqesigDQ/4c37469dfa746231be167be4d5c1d3af/b0f1b21b-81e5-42ef-9f91-743f43a71106.jpeg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2aSk0IoKCi4O0jCqesigDQ/4c37469dfa746231be167be4d5c1d3af/b0f1b21b-81e5-42ef-9f91-743f43a71106.jpeg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2aSk0IoKCi4O0jCqesigDQ/4c37469dfa746231be167be4d5c1d3af/b0f1b21b-81e5-42ef-9f91-743f43a71106.jpeg?w=29&h=29&fl=progressive&q=50&fm=jpg 
29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2aSk0IoKCi4O0jCqesigDQ/4c37469dfa746231be167be4d5c1d3af/b0f1b21b-81e5-42ef-9f91-743f43a71106.jpeg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2aSk0IoKCi4O0jCqesigDQ/4c37469dfa746231be167be4d5c1d3af/b0f1b21b-81e5-42ef-9f91-743f43a71106.jpeg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#181818","width":58,"height":58}}}],"title":"Cybersecurity’s Next Gen","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Cyber safety begins with healthy cybersecurity habits. Early adoption of good habits can protect our youth from online threats like cyberbullying, exposure to inappropriate content, and identity theft. This blog article introduces Okta's Cyber Kidz program, which was launched earlier this year in Sydney, Australia. Okta’s commitment to security from the ground up is demonstrated by empowering the next generation with essential cybersecurity skills. "},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Children are diving into the digital world earlier than ever, making it essential to instill good cyber habits from the start. This year, a staggering \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.emarketer.com/content/data-drop-5-charts-on-childrens-internet-habits\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"80%\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" of internet users under the age of 11 will use a tablet at least once a month. However, many young users explore the online world without fully understanding its risks. 
As technology becomes a staple in childhood, teaching kids how to safely navigate the internet is more important than ever.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cyber safety begins with healthy cybersecurity habits. Early adoption of good habits can protect our youth from online threats like cyberbullying, exposure to inappropriate content, and identity theft. Okta’s commitment to security from the ground up is demonstrated by empowering the next generation with essential cybersecurity skills.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Cyber Kidz\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Earlier this year, Okta’s Security Culture team launched its Cyber Kidz program in Sydney, Australia. The program is designed to empower children to stay safe through hands-on learning, interactive games, and real-world cybersecurity challenges. Our goal is to equip our youth with essential digital skills, fostering cybersecurity awareness and education in a fun, family-friendly environment that promotes practical cybersecurity habits across generations.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The in-person holiday event encouraged our little learners to recognize online threats, protect their personal information, and develop strong cyber habits, all while having fun! 
To best engage our Cyber Kidz, we tailored activities to their age groups with targeted, age-appropriate activities.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Building the Defenders of Tomorrow\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Our cyber adventurers had an incredible time diving into the world of cybersecurity through hands-on activities and interactive challenges. They explored key cyber concepts with fun games like interactive hangman and a scavenger hunt, all while making new friends along the way. Creativity flowed as they built robots and circuit boards, experimented with coding games, and worked on arts and crafts.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For those ready to advance their skill set, the adventure continued with ethical hacking, cracking ciphers, and cyber sleuthing. They kicked the day off with an engaging session from the Australian Federal Police on online safety before testing their skills in an epic capture-the-flag challenge—cracking codes, crafting phishing emails, picking locks, and even attempting to socially engineer Okta employees.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The success of our program came down to one simple approach: our team took the time to step into the digital world of each participant, designing activities that genuinely engaged and educated them. Cyber safety isn’t just about the next generation — it’s a responsibility for all of us. As we equip young minds with the skills to navigate the online world safely, it's equally important for parents and caregivers to stay informed. 
Keeping up with the latest technologies and understanding evolving cyber threats is key to fostering a culture of security at home and beyond.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-2\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Expanding our Reach\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Building on this success, we’re excited to take our cybersecurity education program global at Okta! To reach even more young minds, the program will tackle real-world cybersecurity issues such as: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"misinformation and fake news,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"social engineering, and \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"the lasting impact of a digital footprint. \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Through interactive cyber simulations designed for different skill levels, participants will learn to critically assess online information, recognize manipulation tactics, and understand how their digital actions shape their online identity. 
To make learning even more immersive, we’re incorporating Amazing Race-style capture-the-flag challenges, where participants will race against time to solve puzzles, decode clues, and apply their cybersecurity knowledge in fast-paced, high-energy competitions.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"By making cybersecurity education more accessible and engaging, we’re empowering the next generation of digital defenders—wherever they are in the world. If you’re interested in learning more about our global initiative or want to explore how this program can benefit your organization, contact us at \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"mailto:securityculture@asqula.com\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"securityculture@asqula.com\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". We’d love to share more about how we can work together to create a safer digital future.\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2025-03-24T07:19:38.658Z","slug":"/nextjs-CVE-202529927","node_locale":"en","date":"2025-03-24T00:00","secAuthor":[{"name":"Okta","slug":"okta","jobTitle":"","id":"1e934185-d220-5cf6-915f-afe21369ab6b","bio":{"bio":""},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=116&h=116&q=50&fm=webp 
116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2mSwf13fQ5aH31DZNddqtd/0855adabe0c07ddc9ceaa460ebd1d935/Okta_Aura_CMYK_Black.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#f8f8f8","width":58,"height":58}}}],"title":"Next.js CVE-2025-29927","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"On March 21, 2025, Vercel disclosed a critical security vulnerability (CVE-2025-29927) which makes it possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. 
Note: The Okta service is not affected by this vulnerability.\n"},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"On March 21, 2025, Vercel disclosed a critical security vulnerability (\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/advisories/GHSA-f82v-jwr5-mffw\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"CVE-2025-29927\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\") which makes it possible to bypass authorization checks within a Next.js application if the authorization check occurs in middleware.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Note\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\": The Okta service is not affected by this vulnerability.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Action for nextjs-auth0 SDK customers\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"For Auth0 customers using Next.js applications with the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/auth0/nextjs-auth0\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"nextjs-auth0\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" SDK we recommend auditing your codebase for any logic where authentication or authorization decisions are \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"exclusively\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" made in middleware functions. 
Below are examples of this logic in v4 and v3 of the SDK.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/auth0/nextjs-auth0/blob/main/EXAMPLES.md#middleware\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"v4 of the SDK\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\":\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"import { NextRequest, NextResponse } from \\\"next/server\\\"\\nimport { auth0 } from \\\"@/lib/auth0\\\"\\nexport async function middleware(request: NextRequest) {\\n  const authRes = await auth0.middleware(request)\\n if (request.nextUrl.pathname.startsWith(\\\"/auth\\\")) {\\n    return authRes\\n  }\\n  const session = await auth0.getSession(request)\\n  if (!session) {\\n    // user is not authenticated, redirect to login page\\n    return NextResponse.redirect(new URL(\\\"/auth/login\\\", request.nextUrl.origin))\\n  }\\n  // the headers from the auth middleware should always be returned\\n  return authRes\\n}\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"\\n\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/auth0/nextjs-auth0/blob/v3/EXAMPLES.md#protecting-pages-with-middleware\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"v3 of the SDK\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\":\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"// middleware.js\\nimport { withMiddlewareAuthRequired } from '@auth0/nextjs-auth0/edge';\\nexport default 
withMiddlewareAuthRequired();\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"\\n\\n\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"// middleware.js\\nimport { NextResponse } from 'next/server';\\nimport { withMiddlewareAuthRequired, getSession } from '@auth0/nextjs-auth0/edge';\\nexport default withMiddlewareAuthRequired(async function middleware(req) {\\n  const res = NextResponse.next();\\n  const user = await getSession(req, res);\\n  …\\n})\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"\\n\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you are using any other third-party library (for example, NextAuth.js) we also recommend you review your application for similar logic. For example, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://next-auth.js.org/configuration/nextjs#middleware\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"only relying on a middleware\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to protect your application:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"export { default } from \\\"next-auth/middleware\\\";\\nexport const config = {\\n    matcher: [\\\"/dashboard\\\"]\\n};\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"\\n\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Remediation\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"To remediate this vulnerability, upgrade to one of the following versions of 
Next.js:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"table\",\"data\":{},\"content\":[{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Next.js 15\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"15.2.3\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Next.js 14\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"14.2.25\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Next.js 13\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"13.5.9\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"table-row\",\"data\":{},\"content\":[{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Next.js 12\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"table-cell\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"12.3.5\",\"marks\":[],\"data\":{}}]}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If upgrading Next.js is not an option, the official recommendation is to block external requests which contain the 
\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"x-middleware-subrequest \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"header.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Not Affected\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\\nYour application is not affected under the following conditions:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Applications hosted on Vercel\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Applications hosted on Netlify\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Applications deployed as static exports\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Applications that do not exclusively rely on the Next.js Middleware for authentication and authorization. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Applications that perform additional authentication for all Server Rendered Components, Page Routes, or API Routes. 
This can be done by invoking \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"auth0.getSession()\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" in v4 or by using \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"getSession()\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\", \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"withApiAuthRequired\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" or \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"withPageAuthRequired\",\"marks\":[{\"type\":\"code\"}],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" in v3.\",\"marks\":[],\"data\":{}}]}]}]}]}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Additional Resources\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://nvd.nist.gov/vuln/detail/CVE-2025-29927\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://nvd.nist.gov/vuln/detail/CVE-2025-29927\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://github.com/advisories/GHSA-f82v-jwr5-mffw\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://github.com/advisories/GHSA-f82v-jwr5-mffw\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" 
\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://nextjs.org/blog/cve-2025-29927\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://nextjs.org/blog/cve-2025-29927\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developers.cloudflare.com/changelog/2025-03-22-next-js-vulnerability-waf/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"https://developers.cloudflare.com/changelog/2025-03-22-next-js-vulnerability-waf/\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" \",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2025-03-19T17:23:31.201Z","slug":"/articles/2025/03/cso-conversations-matthew-hansen","node_locale":"en","date":"2025-03-19T00:00","secAuthor":[{"name":"Matthew Hansen","slug":"/hackers/matthew-hansen","jobTitle":"Regional CSO, Americas West","id":"06b9e469-2cb0-5dc7-a6c5-e46c9a367857","bio":{"bio":"<p> Matthew Hansen is a Regional CSO for Okta’s Americas West region. As a leader in security risk management, his accolades include MBA, CISA, and CCSK. Backed by over 15 years of experience in consulting, internal audit, IT governance and risk management, Matthew provides security program support to Okta’s customers. 
During his downtime, he enjoys travelling the world, experiencing new cultures, and attending Formula 1 races.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2vOslCjVk2xgZ4BuG12HVw/aa9c0b6973bb44bbd633811d7476dbea/1740433904939.jpeg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2vOslCjVk2xgZ4BuG12HVw/aa9c0b6973bb44bbd633811d7476dbea/1740433904939.jpeg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2vOslCjVk2xgZ4BuG12HVw/aa9c0b6973bb44bbd633811d7476dbea/1740433904939.jpeg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2vOslCjVk2xgZ4BuG12HVw/aa9c0b6973bb44bbd633811d7476dbea/1740433904939.jpeg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/2vOslCjVk2xgZ4BuG12HVw/aa9c0b6973bb44bbd633811d7476dbea/1740433904939.jpeg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/2vOslCjVk2xgZ4BuG12HVw/aa9c0b6973bb44bbd633811d7476dbea/1740433904939.jpeg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2vOslCjVk2xgZ4BuG12HVw/aa9c0b6973bb44bbd633811d7476dbea/1740433904939.jpeg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2vOslCjVk2xgZ4BuG12HVw/aa9c0b6973bb44bbd633811d7476dbea/1740433904939.jpeg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/2vOslCjVk2xgZ4BuG12HVw/aa9c0b6973bb44bbd633811d7476dbea/1740433904939.jpeg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#d8d8d8","width":58,"height":58}}}],"title":"CSO Conversations: Matthew Hansen, Regional CSO of Americas West","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"CSO Conversations is a 
blog series interviewing Okta’s Regional CSOs supporting David Bradbury, Okta’s Chief Security Officer in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership."},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"CSO Conversations is a blog series interviewing Okta’s Regional CSOs supporting David Bradbury, Okta’s Chief Security Officer in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership.\",\"marks\":[{\"type\":\"italic\"}],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What motivated you to pursue a career in cybersecurity?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"I started my career working in the risk consulting practice for a Big 4 firm and learned that cybersecurity was a critical component for customers in highly regulated industries. 
A significant influence on shaping my career in risk management was primarily focusing on the financial services, pharmaceuticals, aviation, and oil and gas industries, each of which has unique regulatory and security requirements.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How has your past audit and regulatory compliance experience shaped your approach to cybersecurity today?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"My journey of risk management consulting and internal audit has given me broad exposure to a number of industries, frameworks, and regulations. But I believe it presents a common theme: companies have implemented the Three Lines of Defense framework. Often, operationally speaking, employees still overlook risk management as “not their problem.” I’m motivated to be an agent of change and help companies address their risk through an Identity risk-based lens.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What are your thoughts on the importance of vulnerability management in cybersecurity?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Like everything in the tech world, the vulnerability management landscape is constantly evolving. Organizations need to prioritize not only how they protect their businesses and stakeholders but also how they tactically respond to weaknesses before attackers can exploit them. 
With budget and resource constraints putting more emphasis on automation efficiency and AI, we see organizations scaling at incredible speeds in reducing their risk of exposure or attack.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"If you could provide a few short cybersecurity words of wisdom to Okta customers, what would they be?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"When looking at your organization's identity evolution, don't just “throw the kitchen sink” as the only solution. Instead, try to create specific, measurable, achievable, relevant, and time-bound goals to methodically tackle cybersecurity problems.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In your opinion, what is the impact of cybersecurity awareness in today’s organizations?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The First Lines of Defense in any organization are its people. Throughout my career, I’ve found that cybersecurity maturity and security awareness among your employees must be in unison for a strong fabric of cybersecurity DNA. You cannot have one without the other. The level of maturity and strength of your security culture can have a double-down effect on increasing accountability, promoting ownership, and strengthening how your organization manages risks. 
\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In what ways do you demonstrate \",\"marks\":[{\"type\":\"bold\"}],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/blog/2024/04/the-story-behind-oktas-values/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s corporate values\",\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in your day to day?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s core values are deeply rooted principles that guide our day-to-day decisions and actions. This translates to a unique set of tenets that drive our interactions with customers to help build trustworthy relationships, uplift their identity posture, reduce security friction, and produce positive security outcomes. To make Okta and our customers the most secure companies in the world, we’re placing big bets to deliver on our \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"OSIC\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" initiatives and elevate Okta as the industry leader in Identity and cybersecurity.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In your opinion, does achieving compliance equate to a strong security posture?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Yes, and no! Let me explain… For SaaS companies like Okta, our maturity measurement is gauged both internally through various compliance frameworks like SOC2, ISO27001, NIST CSF, etc. 
and also by our customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"But what you read and what you see can have disparities. For example, suppose your company completes a SOC2 attestation with a clean opinion and no control exceptions. In that case, it's a sign of success based on those controls your organization has defined and implemented. Or is it just a piece of paper that shows an independent audit firm assessed your controls based on prescriptive guidance but with no substantive value to the organizations receiving the report? Therein lies a core problem, your controls were assessed with a subjective assessor.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Regulators are starting to pick up on the quality of attestations and are putting more emphasis on third-party risk functions to objectively observe control execution with their own eyes. Attestations are still needed and are a great tool to measure your internal control effectiveness. But perception is a two-way street and if we want to elevate the measurement of success in the cybersecurity industry, we need to cast a broader net to our audiences to truly understand what a strong security posture should look like.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"From your perspective, what is the most fulfilling part of your role as Regional CSO?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"As a self-proclaimed ‘Agent of Change,’ the most fulfilling part of my role is participating in security and compliance discussions and helping our customers tackle the challenges head-on. 
While every customer engagement has a different look and feel, at Okta, we’re all working towards a common goal to elevate the Identity industry and make Okta and our customers the world’s most secure companies.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"How do you describe your Regional CSO role to non-technical friends and family?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the words of my amazing wife, “Matthew helps protect our daughters' data and privacy.” \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"What key challenges do you predict the cybersecurity industry will face this coming year?\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"While Artificial Intelligence is buzzing in everyone's mind and will become a game changer for organizations, I believe the risk concentration in the cybersecurity supply chain will be the next layer of scrutiny organizations accelerate with. With the adoption of large enterprises investing more in Cloud-based solutions over the last 5-10 years, we’ve seen the evolution of attacks become more persistent and successful. While this reliance on Cloud-based tools can enhance operations, many of those tools depend on open-source components, opening the door to compromise thousands of users at once.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Concentrate that risk with large vendors, handling thousands of customers, and the attack vector can disrupt entire industries. For example, you buy a smartphone, and the supplier that manufactures the processor has identified a security flaw. 
The phone manufacturer can check its Software Bill of Materials (SBOM) to see which models use that processor and issue a fix or recall the device. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Organizations need to work with their critical vendors and assess the supply chain. SBOMs are important tools in your risk management program that help improve transparency, so organizations know exactly what they’re using and can address security issues before they become problems.\",\"marks\":[],\"data\":{}}]}]}"}},{"updatedAt":"2026-06-02T10:00:33.266Z","slug":"/articles/2025/03/empowering-security-with-customer-trust-solutions","node_locale":"en","date":"2025-03-12T00:00","secAuthor":[{"name":"Lydia Le","slug":"/hackers/lydia-le","jobTitle":"Associate Analyst","id":"fa04ab47-82af-5c37-83c0-2a2a861a79f8","bio":{"bio":"<p>Lydia Le is an Associate Analyst at Okta, providing Assurance support to the Security Customer Trust team. Her commitment to continuous learning and keen attention to detail supports Okta’s mission by securing digital Identities and strengthening customer trust. Outside of work, Lydia enjoys reading, traveling, and exploring new cuisines - always eager to broaden her horizons and learn differing perspectives. 
</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/4UqwT1r4PKuCRxpLI1bACF/6f9650ead38a1cc0785134df4f3c0ab5/profile.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/4UqwT1r4PKuCRxpLI1bACF/6f9650ead38a1cc0785134df4f3c0ab5/profile.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/4UqwT1r4PKuCRxpLI1bACF/6f9650ead38a1cc0785134df4f3c0ab5/profile.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/4UqwT1r4PKuCRxpLI1bACF/6f9650ead38a1cc0785134df4f3c0ab5/profile.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/4UqwT1r4PKuCRxpLI1bACF/6f9650ead38a1cc0785134df4f3c0ab5/profile.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/4UqwT1r4PKuCRxpLI1bACF/6f9650ead38a1cc0785134df4f3c0ab5/profile.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/4UqwT1r4PKuCRxpLI1bACF/6f9650ead38a1cc0785134df4f3c0ab5/profile.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/4UqwT1r4PKuCRxpLI1bACF/6f9650ead38a1cc0785134df4f3c0ab5/profile.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/4UqwT1r4PKuCRxpLI1bACF/6f9650ead38a1cc0785134df4f3c0ab5/profile.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#c8c8c8","width":58,"height":58}}}],"title":"Empowering Security with Customer Trust Solutions","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"This is the second blog publication in our series on Security Customer Trust. 
In our first blog, we explored how Okta’s Security Customer Trust team proactively maintains transparency and introduced our mission: to bolster security outcomes for Okta and the communities we serve. In this blog, we’ll touch on how we’ve introduced efficiencies in supporting these challenges through enablement, automation and self-service accesses."},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"This is the second blog publication in our series on Security Customer Trust. In our first blog, \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://sec.asqula.com/articles/2024/09/unveiling-essence-security-customer-trust\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Unveiling the Essence of the Security Customer Trust Function,\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" we explored how Okta’s Security Customer Trust team proactively maintains transparency and introduced our mission: \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"to bolster security outcomes for Okta and the communities we serve\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\".\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"At Okta, trust is fundamental to how we provide support. 
In alignment with \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.asqula.com/secure-identity-commitment/?_gl=1*1onpm9o*_gcl_aw*R0NMLjE3Mzc1ODA2MTAuQ2owS0NRaUF5OEs4QmhDWkFSSXNBS0o4c2ZUY0draGtGdkpOTWFpcFVrVFhCOG1jOUw5NGNjMHpKZXdOZjRXOUNUZzBxN1FFOUx5bnF3TWFBamtIRUFMd193Y0I.*_gcl_au*MTA4NzgyODQ1Ny4xNzM2ODIyNzEz*_ga*MTkzMzAxMTAxOS4xNzM2NzkzNzAy*_ga_QKMSDV5369*MTczOTMwNDc5Ny4xNS4xLjE3MzkzMDUyMDcuMy4wLjA.\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta’s Secure Identity Commitment\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" (OSIC), we continuously invest in making security information more accessible and transparent for our customers. A key component of upholding trust is equipping both our internal teams and our customers with the necessary tools and resources to succeed.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Given today’s numerous regulators, rigorous compliance certifications and internal policy adherence, we recognize that accessing key compliance documentation and obtaining timely responses to security inquiries is challenging and time-consuming. In this blog, we’ll touch on how we’ve introduced efficiencies in supporting these challenges through enablement, automation and self-service accesses. We continue to enable empowerment to enhance customer trust, drive efficiency, and reinforce customer confidence in the security of Okta’s products.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Common compliance challenges\\t\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"While security certifications and frameworks establish a solid foundation, ensuring seamless access to security information for customers and prospects is a common cybersecurity challenge. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The absence of a Trust Center adds several complexities for requestors seeking to obtain the required documentation. From a lack of a centralized source of truth to the back-and-forth with common security questions, customers will recognize inefficiencies when working with auditors and regulators for their compliance-related activities. In addition, messaging inconsistencies are likely a result of manual efforts and the lack of RSS functionality. Timeliness is a significant challenge without a security customer trust solution - customers and prospects will often find themselves experiencing response delays.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Essential solutions for Security Customer Trust\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"When strategizing, we prioritized scalability, seamless integration capabilities, and ease of use for both our solutions and technology. Enablement and automation solutions are fundamental to strengthening security and customer trust. By empowering our teams with ongoing training, a centralized knowledge base, and technology automation, we ensure they have the resources and confidence needed to navigate customer support requests effectively.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Enablement\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-3\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"A core component of our security toolkit is a comprehensive, centralized knowledge base. 
This internal knowledge base serves as the source of truth for security policies, compliance certifications, and security-related Q&A, which helps streamline questionnaire responses to customer or prospect inquiries.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"A knowledge base ensures field teams have quick access to up-to-date information. It also provides a repository of common questions and answers to efficiently resolve repeat inquiries. By enabling self-service resources, we equip internal teams to succeed independently, reducing reliance on our security professionals for less complex inquiries.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Automation\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-3\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Playing a crucial role in improving operational efficiency regarding security and customer trust is automation. By automating key repeat processes, we minimize manual effort and accelerate response times to our customers. 
Automation introduced streamlined workflows, ensuring consistency in addressing common security challenges faced in the industry, like:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Providing timely responses to security questionnaires and compliance assessments,\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Issuing important customer-centric messaging and communications,\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Keeping field teams informed with the latest security updates.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"At Okta, we utilize no-code workflow tools for automation use cases, which include ticket creation, streamlined audit processes, and standardizing engagement between field and security teams.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"These automated workflows allow us to respond quickly and accurately, ensuring critical tasks are executed in real-time. For use cases such as penetration test and vulnerability information requests, we’ve implemented automated workflows for submission, tracking, and reporting. This ensures that security assessments are conducted efficiently and comprehensively, with timely customer responses. 
We’re committed to continually refining our policies and processes to enhance security assurance and privacy controls.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Security Trust Center benefits\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Last year, Okta introduced efficiencies by launching a new \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"http://security.asqula.com\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Security Trust Center\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", offering our customers and prospects real-time, on-demand access to Okta’s security and compliance documentation. Okta provides access to widely recognized industry-standard questionnaires via the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"http://security.asqula.com\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Security Trust Center\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", such as the following and more:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"CAIQ (Consensus Assessments Initiative Questionnaire),\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"SIG (Standardized Information Gathering Questionnaire),\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"SIG Privacy (Standardized Information Gathering – Privacy 
Questionnaire),\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"},{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"HECVAT (Higher Education Community Vendor Assessment Toolkit). \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"list-item\"}],\"nodeType\":\"unordered-list\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The on-demand availability of industry-standard questionnaires helps streamline security assessments and effectively communicate an organization’s security controls, ensuring transparency and facilitating compliance discussions. In turn, organizations can streamline questionnaire responses, ensuring accurate and efficient turnaround times. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We invite you to explore our frictionless, transparent \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"http://security.asqula.com\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Security Trust Center\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" to learn more about our transparency and security practices. 
\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"For more information on accessing Okta's Security Trust Center, visit our \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/accessing-okta-s-security-trust-center?language=en_US\"},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Okta Docs\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\".\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Stay updated\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The essential solutions and technologies detailed in this blog article enable Okta to provide efficient, around-the-clock support to internal teams and external customers and prospects, focusing on security and customer trust.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Okta leverages the contact information of the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/okta-contact-definitions?language=en_US#:~:text=Definition%3A%20A%20Primary%20Security%20Contact,security%20and%2For%20privacy%20incident\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Contact\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" for targeted messaging and automated approval for access to the efficient \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"http://security.asqula.com\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Security Trust Center\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". 
To ensure we have the most current security contacts for your organization, enabling you to stay informed on the latest critical security updates, we encourage our customers to reach out to their account teams to validate that the appropriate \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://support.asqula.com/help/s/article/super-admins-leverage-the-okta-help-center-to-review-and-update-your-companys-primary-security-contact-and-cio-ciso-contact?language=en_US\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Contacts\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" are on file. As we continue to enhance our offerings with security and customer trust at the forefront, stay tuned for more.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"}},{"updatedAt":"2025-03-05T17:47:28.426Z","slug":"/articles/2025/03/putting-security-first-with-secure-development","node_locale":"en","date":"2025-03-05T00:00","secAuthor":[{"name":"Carmen Girardin","slug":"/hackers/carmen-girardin","jobTitle":"Manager, Security Communications","id":"2f88c41e-3abf-5fcc-9a06-9ed78081f8e2","bio":{"bio":"<p>Carmen Girardin is a Manager, Security Communications at Okta. Backed by over a decade of experience in the fintech sector, Carmen is a proficient technical writer with domain expertise in Identity and Access Management (IAM). She is passionate about delivering engaging, timely customer communications on the cybersecurity ecosystem and the evolving threat landscape, to help our customers gain the most value from Okta. 
Carmen spends her downtime traveling, thrifting for treasures and reading.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/gBvc42utKRh6jJpgLjxrt/fb5e38cd4c6043a5e888850b4b2c2df4/IMG_8061.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#b8b8b8","width":58,"height":58}}}],"title":"Putting Security First with Secure Development","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"At Okta, prioritizing security at the earliest stages of technology development and throughout the Software Development Lifecycle (SDLC) is of 
utmost importance. This blog article introduces our new Secure Development Lifecycle (SDL) whitepaper and highlights the importance of secure development practices throughout the technology lifecycle."},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"At Okta, prioritizing security at the earliest stages of technology development and throughout the Software Development Lifecycle (SDLC) is of utmost importance. This blog article introduces our new \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.asqula.com/resources/whitepaper-secure-development-lifecycle/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Secure Development Lifecycle (SDL) whitepaper\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" and highlights the importance of secure development practices throughout the technology lifecycle. As our \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.asqula.com/blog/2024/04/the-story-behind-oktas-values/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"core values\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" indicate, we’re committed to the highest standards of security with the goal of being \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"Always Secure. Always On.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Security from the start\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-3\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Developing and enhancing our products and services with security at the outset helps produce outcomes more resistant to emerging cyber threats. 
We strategize from the outset to develop and release products that are \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://sec.asqula.com/articles/cisasecurebydesign1/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"secure by design\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". Incorporating a security-centric approach to development reduces technology risks and limits their impact. We incorporate security from the start through secure coding practices, routine security testing, threat modeling, and other methodologies to proactively address potential security gaps.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Today’s tech landscape comes with stringent regulations and compliance requirements, so it’s important for organizations to leverage technologies that employ secure development practices. Customer trust is not only an objective we strive for; it’s at the very core of our customer relationships. We are dedicated to safeguarding customer interests and maintaining the highest standards of security, quality and integrity. By leveraging securely developed technology, organizations gain added assurance against various Identity threats.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Introducing a new whitepaper\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-3\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We’re committed to taking action against Identity attacks, as outlined in our long-term initiative, the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.asqula.com/secure-identity-commitment/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Secure Identity Commitment\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". 
This commitment includes hardening our corporate infrastructure and product suite by accelerating our investment to further protect against Identity-based threats.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Our new resource, the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.asqula.com/resources/whitepaper-secure-development-lifecycle/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Secure Development Lifecycle (SDL) whitepaper\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", encompasses Okta’s security practices, methodologies, and requirements. In this whitepaper, we provide insight into our multi-layered secure practices that are incorporated in both the Product Development Lifecycle (PDLC) and Software Development Lifecycle (SDLC).\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The Secure Development Lifecycle (SDL) whitepaper provides an overview of security-centric considerations, including our comprehensive security practices. 
Okta’s teams leverage industry best practices within each stage of development, as detailed in the whitepaper.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Continuous improvement\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-3\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Last year, Okta was recognized by Gartner as a \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.asqula.com/resources/gartner-magic-quadrant-access-management/?utm_source=google&utm_campaign=amer_mult_can_all_wf-it_dg-ao_a-wf_search_google_text_kw_it-brand-exact_utm2&utm_medium=cpc&utm_id=aNK4z0000004Dm5GAE&utm_term=why%20okta&utm_page=%7Burl%7D&gad_source=1&gclid=Cj0KCQiAwtu9BhC8ARIsAI9JHak5gaHprkNb3OAGpDDyiLBjxoyAeLXeZ6BR4HFjQJ7OP1eETW7YmVsaAgqXEALw_wcB\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Leader in the December 2024 “Magic Quadrant for Access Management.”\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" This marks the \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"eighth year in a row\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" that Okta has been recognized in this capacity. Okta was also recognized in \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.asqula.com/resources/analyst-research-okta-recognized-as-a-2024-gartner-peer-insights/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"April 2024 as a Gartner Peer Insights Customers’ Choice for Access Management\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\". To maintain this status, we’re always looking to improve our secure practices and, in turn, our products and services. 
Our practices are subject to routine review in order to further improve our high security standards.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We continue to prioritize customer trust by spotlighting customer needs in our product innovation. Our vision of building a world where anyone can safely use any technology powered by their Identity\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\" \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\"continues to guide us. To learn more about Okta’s Bug Bounty program and how you can contribute to a safer technology landscape, visit \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://bugcrowd.com/engagements/okta\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta platform BugCrowd\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" and \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://bugcrowd.com/engagements/auth0-okta\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Auth0 platform BugCrowd\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\".\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"}},{"updatedAt":"2025-04-17T15:26:36.135Z","slug":"/rootsessionidroottokenid","node_locale":"en","date":"2025-03-03T06:00","secAuthor":[{"name":"Dan Dennhardt","slug":"/hackers/dan-dennhardt","jobTitle":"Group Product Manager","id":"bc35d36e-0acc-5cdf-b3b0-82936842a105","bio":{"bio":"<p>Dan is a Group Product Manager, responsible for Okta's product data platform. Dan has spent the last 14 years in the enterprise software space in roles across both go-to-market and product management. He holds a bachelor's degree in electrical engineering from Case Western Reserve University. 
</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5wVwNMsIlx1wQjZnfiMWfE/f2c80703330283505d57fb4e3ae8109d/dand.png?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5wVwNMsIlx1wQjZnfiMWfE/f2c80703330283505d57fb4e3ae8109d/dand.png?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5wVwNMsIlx1wQjZnfiMWfE/f2c80703330283505d57fb4e3ae8109d/dand.png?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5wVwNMsIlx1wQjZnfiMWfE/f2c80703330283505d57fb4e3ae8109d/dand.png?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/5wVwNMsIlx1wQjZnfiMWfE/f2c80703330283505d57fb4e3ae8109d/dand.png?w=58&h=58&q=50&fm=png","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5wVwNMsIlx1wQjZnfiMWfE/f2c80703330283505d57fb4e3ae8109d/dand.png?w=15&h=15&q=50&fm=png 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5wVwNMsIlx1wQjZnfiMWfE/f2c80703330283505d57fb4e3ae8109d/dand.png?w=29&h=29&q=50&fm=png 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5wVwNMsIlx1wQjZnfiMWfE/f2c80703330283505d57fb4e3ae8109d/dand.png?w=58&h=58&q=50&fm=png 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5wVwNMsIlx1wQjZnfiMWfE/f2c80703330283505d57fb4e3ae8109d/dand.png?w=116&h=116&q=50&fm=png 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#e8e8e8","width":58,"height":58}}},{"name":"Vadim Spector","slug":"/hackers/vadim-spector","jobTitle":"Principal Software Engineer","id":"ce5c6303-da17-5bcb-8917-7592d3c88ac7","bio":{"bio":"<p> Vadim has 15+ years of experience in web application development, with expertise in identity management and access control frameworks, application security, secure software development, and cryptography. 
Outside of work, Vadim enjoys biking, hiking, playing the guitar, reading, and solving mathematical puzzles.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6WhyV4HRXrSvjK0ReOlrtt/652205e0620e9613548bdc7df33c2068/vadims.jpeg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6WhyV4HRXrSvjK0ReOlrtt/652205e0620e9613548bdc7df33c2068/vadims.jpeg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6WhyV4HRXrSvjK0ReOlrtt/652205e0620e9613548bdc7df33c2068/vadims.jpeg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6WhyV4HRXrSvjK0ReOlrtt/652205e0620e9613548bdc7df33c2068/vadims.jpeg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/6WhyV4HRXrSvjK0ReOlrtt/652205e0620e9613548bdc7df33c2068/vadims.jpeg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/6WhyV4HRXrSvjK0ReOlrtt/652205e0620e9613548bdc7df33c2068/vadims.jpeg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6WhyV4HRXrSvjK0ReOlrtt/652205e0620e9613548bdc7df33c2068/vadims.jpeg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6WhyV4HRXrSvjK0ReOlrtt/652205e0620e9613548bdc7df33c2068/vadims.jpeg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/6WhyV4HRXrSvjK0ReOlrtt/652205e0620e9613548bdc7df33c2068/vadims.jpeg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#484838","width":58,"height":58}}},{"name":"John Murphy","slug":"john-murphy","jobTitle":"Manager, Defensive Cyber Operations (EMEA)","id":"b006f4e2-a177-55cd-a2ee-ff041e6ece35","bio":{"bio":"<p>John leads the EMEA node of Okta's Detection and Response Engineering team.</p>\n\n<p>His team develops detections and supplementary 
automations to protect Okta from threat actors, which in turn inform our rotational response and threat hunting missions.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3156PfzPum7cu577jTvWv5/fda95a934e6567e0d6f41e6ce1da8c56/johnmurphy.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#d8d8c8","width":58,"height":58}}},{"name":"Dinko Bajric","slug":"/hackers/dinko-bajric","jobTitle":"Software Architect","id":"8f5a8df8-9538-59df-b948-3cf6f2d2168d","bio":{"bio":"<p>Dinko Bajric is a Software Architech on Okta's Engineering team. 
Over the past 15 years, Dinko has had experience in diverse areas, including backend engineering, UI/UX, security, telemetry and analytics, performance and reliability, and management. His broad range of expertise helps him approach challenges from different perspectives, aiming to deliver reliable and efficient outcomes. Outside of work, Dinko enjoys tinkering with home automation hardware and software, but when he wants a break from technology, he builds furniture. </p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/hmcQwZra3FSYIEp1DQtJ7/7c196e254f942f623c262892b53a4e6f/Dinko.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/hmcQwZra3FSYIEp1DQtJ7/7c196e254f942f623c262892b53a4e6f/Dinko.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/hmcQwZra3FSYIEp1DQtJ7/7c196e254f942f623c262892b53a4e6f/Dinko.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/hmcQwZra3FSYIEp1DQtJ7/7c196e254f942f623c262892b53a4e6f/Dinko.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/hmcQwZra3FSYIEp1DQtJ7/7c196e254f942f623c262892b53a4e6f/Dinko.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/hmcQwZra3FSYIEp1DQtJ7/7c196e254f942f623c262892b53a4e6f/Dinko.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/hmcQwZra3FSYIEp1DQtJ7/7c196e254f942f623c262892b53a4e6f/Dinko.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/hmcQwZra3FSYIEp1DQtJ7/7c196e254f942f623c262892b53a4e6f/Dinko.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/hmcQwZra3FSYIEp1DQtJ7/7c196e254f942f623c262892b53a4e6f/Dinko.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 
100vw"}},"layout":"constrained","backgroundColor":"#a8a898","width":58,"height":58}}}],"title":"One trick finds the root of any Okta troubles","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Use these two System Log queries to see every event during a given user session, or every event that used a given API token."},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Whether you’re troubleshooting a technical issue or performing a forensic investigation in your \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.asqula.com/workforce-identity/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Workforce Identity\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" org, this article introduces a couple of new queries that can quickly get you to the root of the problem. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"They arise from the addition of two new key/value pairs in a large number of \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://developer.asqula.com/docs/api/openapi/okta-management/management/tag/SystemLog/#tag/SystemLog\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta System Log\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" events, designed to help administrators, auditors and incident responders get their job done faster.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"These helpful tricks are brought to you by the letters O, S, I and C. 
If you haven’t heard, this acronym stands for The \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.asqula.com/au/secure-identity-commitment/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Secure Identity Commitment\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", which is Okta’s long-term initiative to lead the industry in the fight against Identity attacks.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"All events using an API token\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The first object to take note of is the RootApiTokenId. A RootApiTokenId will first appear as the target.id when you create an API token, irrespective of whether it’s a management API token or an OAuth token in Okta:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"eventType eq \\\"system.api_token.create\\\" and target.id eq \\\"[RootApiTokenId]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"From that point on, the same RootApiTokenId will be stamped in the transaction.detail.rootApiTokenId value of every logged event that arises from the use of that API token.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"If that token were ever compromised, or causing you some other manner of trouble, you’re able to find all logged API actions performed using that token using a single query:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"transaction.detail.rootApiTokenId eq \\\"[insert RootApiTokenId 
value]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{\"target\":{\"sys\":{\"id\":\"7xnhvFwAwMDrxF28Fv8TbF\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[],\"nodeType\":\"embedded-asset-block\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"\\n\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"One thing to note, however: Okta management API tokens, sometimes referred to as static or \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://developer.asqula.com/docs/guides/create-an-api-token/main/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"SSWS Tokens\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", are often long-lived. They expire if an administrator revokes or rotates them or they aren’t used for 30 days. A token created more than 90 days ago is outside the retention period of Okta System log events, in which case you’ll only find the token \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"creation\",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[],\"value\":\" event if you have been streaming these events to your SIEM and archiving them there. 
You can otherwise find all active tokens listed in the Okta Admin Console under \",\"nodeType\":\"text\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Security > API > Tokens.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We recommend eschewing static tokens for \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/apiservice/api-service-integrations.htm\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"OAuth2.0 tokens\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" in production applications, given the latter are \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://developer.asqula.com/blog/2023/04/24/api-integrations\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"short-lived\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", sender-constrained, and can operate independently of the account used to create them. 
If for any reason OAuth 2.0 is infeasible, static tokens should be created using a dedicated \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/security/custom-admin-role/custom-admin-roles.htm\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Custom Admin Role\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" that is only granted the minimum permissions required for the integration to function, and use of the token should be allowlisted to a specific IP or IP range where Okta should expect API calls for this app to originate from.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"All events during a user session\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The second object of interest is the RootSessionId. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Much the same logic applies as with our method of tracking the use of an API token, only now we’re applying the same method to an interactive user session. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The RootSessionId will first appear as the authenticationContext.rootSessionId value when an interactive user successfully validates their identity at primary authentication:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"eventType eq \\\"user.session.start\\\" and authenticationContext.rootSessionId eq \\\"[RootSessionId]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"From that point on, the same RootSessionId will be stamped in the authenticationContext.rootSessionId value of every logged event during the user’s interactive session.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"If you ever have cause to suspect that session was compromised, you’re able to find all user actions performed using that token using a single query:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"authenticationContext.rootSessionId eq \\\"[insert RootSessionId value]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{\"target\":{\"sys\":{\"id\":\"4o3JJCwiQDXh4tK3E69HFA\",\"type\":\"Link\",\"linkType\":\"Asset\"}}},\"content\":[],\"nodeType\":\"embedded-asset-block\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Wait, this sounds familiar\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"So what’s the difference between the externalSessionID and the RootSessionId?  It sort of sounds like they do the same thing, right? 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Well, almost the same thing. The distinction is that some user actions result in creation of a new externalSessionId. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"If a user performs some form of factor lifecycle event, for example, they will be challenged to verify their identity using an existing pre-enrolled factor. Once they successfully perform this action, they have effectively commenced a new session. That makes logical sense, but when you’re troubleshooting or in response mode and want to see the bigger picture, searching with only the externalSessionId can result in missed events. The RootSessionId value, by contrast, is added to every user action up until the session expires or the user signs out.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The only exceptions to that rule are system generated events (that is, actions taken by the Okta platform in response to user generated events, but not initiated by a user), or events sourced in or triggered by Okta Workflows, Okta Privileged Access, and Okta Access Requests, which have their own unique identifiers.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To catch any potential edge cases, we suggest that any analysis of session activity also includes a sweep of actions by the IP address or actor in question. 
The following query can be used to identify any actions that correspond to a given criteria, but without a rootSessionId value.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"not(authenticationContext.rootSessionId pr) AND <your logic>\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To find all events related to a particular user that didn’t have a rootSessionId value: \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"not(authenticationContext.rootSessionId pr) and actor.alternateId eq \\\"[username value]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To find all actions related to a particular IP that didn’t have a rootSessionId value:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"not(authenticationContext.rootSessionId pr) and client.IpAddress eq \\\"[IP address value]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To find all actions where the user was the subject (aka target) of an event:\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"code\"}],\"value\":\"not(authenticationContext.rootSessionId pr) and target.alternateId eq \\\"[username value]\\\"\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Beyond the SOC \",\"nodeType\":\"text\"}],\"nodeType\":\"heading-2\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The ability to query for all events related to an API token or all events related to a user session also opens up a lot 
of possibilities for automation. \",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We recommend revisiting your detection library and your Okta Workflows with these queries in mind: they will help to find some creative solutions to all sorts of problems.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"}},{"updatedAt":"2025-02-26T17:32:04.538Z","slug":"/articles/2025/02/cso-conversations-stephen-mcdermid","node_locale":"en","date":"2025-02-26T11:00","secAuthor":[{"name":"Stephen McDermid","slug":"stephen-mcdermid","jobTitle":"Regional CSO, EMEA","id":"4bd66bb8-bbb2-5ab6-895d-32c670d02166","bio":{"bio":"<p> </p><p>Stephen McDermid, CSO EMEA has led and been responsible for several enterprise-wide transformations ranging from National Government transformation projects to ISO27001 and PCI-DSS accreditation across multiple sites. He's taken his hands-on knowledge and expertise and used them to help organizations manage security across a broad range of disciplines and ensure senior stakeholders understand the risks and, more importantly, the opportunities available to their business. Stephen has worked with some of the largest organizations across military, banking, government, and enterprise sectors, to enable business transformation and growth. 
Stephen spends a lot of time on or near water, not just because of the rain; he holds a powerboat license and loves exploring the West Coast waters of Scotland.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=29&h=30&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=58&h=59&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=116&h=118&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=58&h=59&q=50&fm=png","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=15&h=15&q=50&fm=png 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=29&h=30&q=50&fm=png 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=58&h=59&q=50&fm=png 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/3dK8xXUsNpD0udBFZ9FyRL/c7b20c4103a0b02e73c8167676403f89/Stephen-McDermid.png?w=116&h=118&q=50&fm=png 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#b8c8d8","width":58,"height":59}}}],"title":"CSO Conversations: Stephen McDermid, Regional CSO of EMEA","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"CSO Conversations is a blog series 
interviewing Okta’s Regional CSOs supporting David Bradbury, Okta’s Chief Security Officer in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership."},"body":{"raw":"{\"data\":{},\"content\":[{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"italic\"}],\"value\":\"CSO Conversations is a blog series interviewing Okta’s Regional CSOs supporting David Bradbury, Okta’s Chief Security Officer in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What motivated your career pursuit in cybersecurity?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"While working as Head of IT, the business needed to achieve ISO27001 in order to meet our government contractual requirements. It was an area I had always had an interest in, and so we brought in some external consultants to help us achieve the certification, but also to educate us on the ISO approach. After we delivered ISO27001, I was then asked to deliver PCI-DSS for our much larger Tier-1 parent company who had acquired us the previous year, and so this brought a whole new dimension to understanding our application, infrastructure and security challenges. 
As part of agreeing to do this and successfully delivering the certification, I asked the business to offer me the recently-vacant Information Security opportunity and this led to my first Information Security role!\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"Are there any emerging trends or technologies that have you particularly interested?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"It’s impossible to avoid the rise of AI and specifically, AI Agents. By the end of 2025, we’ll be living in a world with billions of autonomous AI Agents acting on our behalf. There are important questions that the cybersecurity industry needs to answer - what are these bots doing? What information do they have access to? And, how do we set and control the conditions and parameters around what information they can share, with who, and under what circumstances?\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"What’s interesting is that right now, all these questions are up in the air. These bots don’t have the benefit of basic cybersecurity awareness training. They don’t have that human sixth sense that tells us something just might not be right. They can’t think for themselves. All it takes is one rogue prompt for an AI Agent to mistakenly share sensitive, personal or financial information with another agent, and things could quickly escalate. 
\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"How has your previous experience in cloud computing shaped your approach to cybersecurity today?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Having a background in on-prem and cloud technologies definitely helps when it comes to cybersecurity. Threats span across technology stacks and so understanding how these threats can affect different elements is key. However, understanding the protections and benefits that cloud computing can bring is just as important and so being able to help our customers understand both sides is pivotal to my role.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What are your thoughts on traditional passwords in today’s technology landscape, given modernized threats?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"I think I’m aligned with most when I say the sooner we can get rid of them, the better. I don’t think it’s the catch-all, but certainly when we see over 80% of breaches coming from compromised passwords, it’s time for change! I think they will always be needed in some areas of technology, but the governance and visibility has advanced massively over recent years and so we need to ensure tighter controls around them. 
Not just the typical complexity and policies, but where they are used from, when they are used, during use and even after use, we can apply a lot more governance!\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What trends are you seeing in cybersecurity relating to your region?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"It’s hard to see beyond the buzz of AI and all that it brings, but with the heavy regulation we have in the European Union, we have a number of new regulations such as the EU AI Act that adds additional levels of protection and complexity. Everyone has a lot of questions of how they can be compliant and how suppliers and partners can help. We’re seeing a growing trend of compliance automation and engineering to navigate these challenges and the more we can simplify the regulations and evidence compliance, the better.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"In \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.computerweekly.com/news/366617120/The-Security-Interviews-Stephen-McDermid-Okta\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"your recent interview\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\", you referred to the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.asqula.com/secure-identity-commitment/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"},{\"type\":\"bold\"}],\"value\":\"Secure Identity Commitment\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\" and Okta’s transparency. 
How important is it to be transparent in your role as Regional CSO?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Transparency is a critical pillar of our cybersecurity strategy and how we work with our customers. Even though we have people who are incredible security experts at Okta, ultimately, security is a people business. It’s hearts and minds, and our focus on being transparent, especially in times of crisis, is a key differentiator here.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"To ensure Okta has a strong security culture, we’ve spent a lot of time explaining the why behind the changes we are making, how it will affect our teams, and importantly, how it will benefit our customers. Ensuring everyone is on the same page internally is vital to ensuring we deliver consistent messaging and communications to customers. In the many hundreds of conversations I’ve had with customers, they’ve recognized, appreciated and thanked us for our openness and collaboration.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"If you could provide a few short cybersecurity words of wisdom to Okta customers, what would they be?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Identity is part of every project, from application modernisations, to infrastructure migration, to business operations and staff training! It’s important to understand how identities in these projects tie into your strategic goals, and more importantly, how you are applying governance, control and visibility of what’s happening across them. 
It’s in these dark corners of IT transformation that dangers lie and shining a light on them thoroughly and regularly ensures confidence against identity attacks.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What are some healthy cybersecurity habits you’ve gotten your friends and/or family to adopt?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"The idea that every website needs to know your date of birth, your address or even your real name has always been alien to me. Using aliases, fake dates of birth and addresses across the multiple website registrations of today's world has always been something I’ve recommended. Obviously, applications like banking or governmental sites being the exception, but that website that you sign up to for a newsletter doesn’t need the real data! So my advice has always been to consider what you're sharing and with who, especially in today's world now where so many applications or websites are free, which means the cost to use their service is your personal data.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"bold\"}],\"value\":\"What do you think may be some key changes the cybersecurity industry sees this coming year?\",\"nodeType\":\"text\"}],\"nodeType\":\"heading-4\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We need a mindset shift across the cybersecurity industry with far more collaboration between industry players. 
We face an unprecedented threat environment, and this is before the potential risks that AI Agents bring to the table.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"We need to agree to more standards, best practices, and frameworks around cloud applications and how they communicate with each other so that they are secure by default. A single cybersecurity vendor cannot achieve this alone. We’ve already started on this by working with others in the Interoperability Profiling for Secure Identity in the Enterprise (IPSIE) working group in the OpenID Foundation to help standardize secure identity management across SaaS solutions and vendors.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"},{\"data\":{},\"content\":[{\"data\":{},\"marks\":[],\"value\":\"Stephen McDermid was recently interviewed by \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.computerweekly.com/news/366617120/The-Security-Interviews-Stephen-McDermid-Okta\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Computer Weekly\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" on how Okta is championing a secure-by-design approach, emphasizing the \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.asqula.com/secure-identity-commitment/\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"Okta Secure Identity Commitment (OSIC)\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\" and the importance of building a strong security culture. 
Stephen was also featured by \",\"nodeType\":\"text\"},{\"data\":{\"uri\":\"https://www.itpro.com/business/policy-and-legislation/a-csos-perspective-on-dora-compliance-and-where-to-go-from-here\"},\"content\":[{\"data\":{},\"marks\":[{\"type\":\"underline\"}],\"value\":\"ITPro\",\"nodeType\":\"text\"}],\"nodeType\":\"hyperlink\"},{\"data\":{},\"marks\":[],\"value\":\", capturing a CSO’s perspective on DORA compliance.\",\"nodeType\":\"text\"}],\"nodeType\":\"paragraph\"}],\"nodeType\":\"document\"}"}},{"updatedAt":"2025-03-05T14:35:48.605Z","slug":"/articles/2025/02/content-security-policy-in-a-complex-environment","node_locale":"en","date":"2025-02-19T00:00","secAuthor":[{"name":"Mihai Iacob","slug":"/hackers/mihai-iacob","jobTitle":"Software Engineer","id":"81ed5b4f-5c86-51c2-b040-63d849a0f90c","bio":{"bio":"<p> Mihai Iacob is a Software Engineer on the Engineering Security team at Okta. His extensive background in cybersecurity includes secure software development, encryption and key management, audit, authorization model, web security, and content security policy. He contributes to the development and implementation of robust security measures that safeguard our users’ data and privacy. 
Mihai’s interests include participating in Okta’s internal bug bounty program and hackathons.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5eXScMSnppzUzRz81kzfvr/53ca739875b6b09e70613b52abb483f3/IMG_-nw9dov.jpg?w=15&h=15&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5eXScMSnppzUzRz81kzfvr/53ca739875b6b09e70613b52abb483f3/IMG_-nw9dov.jpg?w=29&h=29&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5eXScMSnppzUzRz81kzfvr/53ca739875b6b09e70613b52abb483f3/IMG_-nw9dov.jpg?w=58&h=58&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5eXScMSnppzUzRz81kzfvr/53ca739875b6b09e70613b52abb483f3/IMG_-nw9dov.jpg?w=116&h=116&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/5eXScMSnppzUzRz81kzfvr/53ca739875b6b09e70613b52abb483f3/IMG_-nw9dov.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/5eXScMSnppzUzRz81kzfvr/53ca739875b6b09e70613b52abb483f3/IMG_-nw9dov.jpg?w=15&h=15&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5eXScMSnppzUzRz81kzfvr/53ca739875b6b09e70613b52abb483f3/IMG_-nw9dov.jpg?w=29&h=29&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5eXScMSnppzUzRz81kzfvr/53ca739875b6b09e70613b52abb483f3/IMG_-nw9dov.jpg?w=58&h=58&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/5eXScMSnppzUzRz81kzfvr/53ca739875b6b09e70613b52abb483f3/IMG_-nw9dov.jpg?w=116&h=116&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#181818","width":58,"height":58}}},{"name":"Bryan Honan","slug":"/hackers/bryan-honan","jobTitle":"Manager, Customer Assurance EMEA","id":"f62bb825-00bd-5b3f-8231-5c52be7327cc","bio":{"bio":"<p> Bryan Honan is the Manager, Customer Assurance, EMEA region at Okta. 
The Customer Assurance team working in Security Trust & Culture is responsible for providing support to Okta’s growing customer base on inquiries pertaining to Security and Compliance. Backed by CISSP and CCSK, he leverages 10+ years of IT and Security experience. Having worked for companies in several different industries, he is able to advise Okta’s customers from both a technical and business perspective.  In his downtime, he enjoys traveling around Europe.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://downloads.ctfassets.net/kbkgmx9upatd/3GRebaQAYbzK6Ov5wXvWfN/c1d62a925b98b09b09e00242c8e5f3af/IMG_5201_2.jpg?w=15&h=10&q=50&fm=webp 15w,\nhttps://downloads.ctfassets.net/kbkgmx9upatd/3GRebaQAYbzK6Ov5wXvWfN/c1d62a925b98b09b09e00242c8e5f3af/IMG_5201_2.jpg?w=29&h=20&q=50&fm=webp 29w,\nhttps://downloads.ctfassets.net/kbkgmx9upatd/3GRebaQAYbzK6Ov5wXvWfN/c1d62a925b98b09b09e00242c8e5f3af/IMG_5201_2.jpg?w=58&h=39&q=50&fm=webp 58w,\nhttps://downloads.ctfassets.net/kbkgmx9upatd/3GRebaQAYbzK6Ov5wXvWfN/c1d62a925b98b09b09e00242c8e5f3af/IMG_5201_2.jpg?w=116&h=78&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://downloads.ctfassets.net/kbkgmx9upatd/3GRebaQAYbzK6Ov5wXvWfN/c1d62a925b98b09b09e00242c8e5f3af/IMG_5201_2.jpg?w=58&h=39&fl=progressive&q=50&fm=jpg","srcSet":"https://downloads.ctfassets.net/kbkgmx9upatd/3GRebaQAYbzK6Ov5wXvWfN/c1d62a925b98b09b09e00242c8e5f3af/IMG_5201_2.jpg?w=15&h=10&fl=progressive&q=50&fm=jpg 15w,\nhttps://downloads.ctfassets.net/kbkgmx9upatd/3GRebaQAYbzK6Ov5wXvWfN/c1d62a925b98b09b09e00242c8e5f3af/IMG_5201_2.jpg?w=29&h=20&fl=progressive&q=50&fm=jpg 29w,\nhttps://downloads.ctfassets.net/kbkgmx9upatd/3GRebaQAYbzK6Ov5wXvWfN/c1d62a925b98b09b09e00242c8e5f3af/IMG_5201_2.jpg?w=58&h=39&fl=progressive&q=50&fm=jpg 58w,\nhttps://downloads.ctfassets.net/kbkgmx9upatd/3GRebaQAYbzK6Ov5wXvWfN/c1d62a925b98b09b09e00242c8e5f3af/IMG_5201_2.jpg?w=116&h=78&fl=progressive&q=50&fm=jpg 
116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#181808","width":58,"height":39}}},{"name":"Arun Kumar Elengovan","slug":"/hackers/arun-kumar-elengovan","jobTitle":"Sr. Software Development Manager, Engineering Security","id":"ea48a12c-95dd-5fbd-acfc-7e87829aef98","bio":{"bio":"<p> Arun is a Senior Manager, Engineering Security at Okta. As a founding member of this team, he’s familiar with driving security strategy and execution across the company’s engineering organization. With 15+ years of experience, Arun specializes in security architecture, secure software development, risk management, and security operations. He holds CISSP, CEH, and an Advanced Cloud Security Practitioner credential, with expertise in web security, cloud infra security, cryptography, and secure identity frameworks. Arun has successfully led large-scale, cross-functional security initiatives, integrating security seamlessly into agile development and is passionate about building scalable security frameworks and empowering teams to achieve security excellence. 
Outside of work, Arun enjoys flight simulation and refining his virtual piloting skills, driven by his passion for the skies.</p>"},"image":{"gatsbyImageData":{"images":{"sources":[{"srcSet":"https://images.ctfassets.net/kbkgmx9upatd/33cawOQQoY7WXgyS1f4emK/0e8108436d3fee48a46e4f640377c7cc/Image_from_iOS.jpg?w=15&h=16&q=50&fm=webp 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/33cawOQQoY7WXgyS1f4emK/0e8108436d3fee48a46e4f640377c7cc/Image_from_iOS.jpg?w=29&h=31&q=50&fm=webp 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/33cawOQQoY7WXgyS1f4emK/0e8108436d3fee48a46e4f640377c7cc/Image_from_iOS.jpg?w=58&h=62&q=50&fm=webp 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/33cawOQQoY7WXgyS1f4emK/0e8108436d3fee48a46e4f640377c7cc/Image_from_iOS.jpg?w=116&h=124&q=50&fm=webp 116w","sizes":"(min-width: 58px) 58px, 100vw","type":"image/webp"}],"fallback":{"src":"https://images.ctfassets.net/kbkgmx9upatd/33cawOQQoY7WXgyS1f4emK/0e8108436d3fee48a46e4f640377c7cc/Image_from_iOS.jpg?w=58&h=62&fl=progressive&q=50&fm=jpg","srcSet":"https://images.ctfassets.net/kbkgmx9upatd/33cawOQQoY7WXgyS1f4emK/0e8108436d3fee48a46e4f640377c7cc/Image_from_iOS.jpg?w=15&h=16&fl=progressive&q=50&fm=jpg 15w,\nhttps://images.ctfassets.net/kbkgmx9upatd/33cawOQQoY7WXgyS1f4emK/0e8108436d3fee48a46e4f640377c7cc/Image_from_iOS.jpg?w=29&h=31&fl=progressive&q=50&fm=jpg 29w,\nhttps://images.ctfassets.net/kbkgmx9upatd/33cawOQQoY7WXgyS1f4emK/0e8108436d3fee48a46e4f640377c7cc/Image_from_iOS.jpg?w=58&h=62&fl=progressive&q=50&fm=jpg 58w,\nhttps://images.ctfassets.net/kbkgmx9upatd/33cawOQQoY7WXgyS1f4emK/0e8108436d3fee48a46e4f640377c7cc/Image_from_iOS.jpg?w=116&h=124&fl=progressive&q=50&fm=jpg 116w","sizes":"(min-width: 58px) 58px, 100vw"}},"layout":"constrained","backgroundColor":"#080808","width":58,"height":62.00000000000001}}}],"title":"Content-Security-Policy in a Complex 
Environment","sys":{"contentType":{"sys":{"id":"secBlogpost","linkType":"ContentType","type":"Link"}},"type":"Entry"},"summary":{"summary":"Content-Security-Policy (CSP) is essentially allow-list policy that dictates what a web page can load. CSP is complex to implement and rollout - even a minor mistake could mean that important parts of the page will not load, which in Okta’s case could mean trouble authenticating. This blog article aims to provide a glimpse into our secure implementation journey and guidance for the industry based on lessons learned."},"body":{"raw":"{\"nodeType\":\"document\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/settings/customizations-configure-csp.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Content-Security-Policy\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (CSP) is a web security mechanism that helps protect against various types of cybersecurity attacks by defining and enforcing a set of policies regarding the content that a website can load and subsequently execute.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Essentially, it’s an allow-list policy that dictates what a web page can load. CSP is complex to implement and rollout - even a minor mistake could mean that important parts of the page will not load, which in Okta’s case could mean trouble authenticating. 
This blog article aims to provide a glimpse into our secure implementation journey and guidance for the industry based on lessons learned.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta values web security\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta employs various defenses against Cross-Site Scripting (XSS) attacks such as input validation and output encoding to increase security assurance against emerging threats. With \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"MITRE and CISA’s confirmation of XSS as 2024’s top threat\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", it’s highly probable that an application is vulnerable to XSS at some point in time. Content-Security-Policy is effectively a gate-keeper that dictates to the browser which sources of scripts and content are secure, trusted, and can be executed. Okta’s environment is complex, and as such, our CSP header is constantly being improved upon.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Implementation challenges\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A key pillar of the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/secure-identity-commitment/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Secure Identity Commitment\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (OSIC) includes raising the bar for the industry - here, we’re sharing our industry learnings, tips, tricks, and more. 
Upon configuration of CSP policies at Okta, the Engineering Security team encountered the following challenges throughout the implementation. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Complexity\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The nature of \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.asqula.com/workforce-identity/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta Workforce Identity\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" is that it operates in an environment with multiple application connections, varying feature combinations, and html pages that are customizable by \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/en-us/content/topics/security/administrators-admin-comparison.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta administrators\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\". It becomes evident quickly that building and rolling out even a basic Content-Security-Policy can be challenging.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configuration challenges\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The most prominent determination in CSP configuration is whether or not the application in question returns endpoints that contain customizable content by Okta administrators. The following three detailed approaches include our recommendations in configuring CSP:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"1. 
The interceptor approach\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A common approach is to use an \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/HandlerInterceptor.html\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"interceptor\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" to add the CSP headers. At the time, this best fit our model at Okta, so this is where we started. But there are some challenges here, such as:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"unordered-list\",\"data\":{},\"content\":[{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Adding the correct policy for endpoints that return \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/settings/customizations-configure-csp.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"user-customized html content\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\",\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Caution with the interceptor order: the CSP headers need to be added as close to the beginning of the interceptor chain as possible, in case some interceptors break the chain early.\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In preHandle() and postHandle() it is not always known whether the content-type is html, but this can be indicated by using annotations at the endpoint level to determine the response type,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A response committed via \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"XHR\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in preHandle() can no longer be modified by the time postHandle() executes,\",\"marks\":[],\"data\":{}}]}]},{\"nodeType\":\"list-item\",\"data\":{},\"content\":[{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Database calls in an interceptor may be cached, and by the time afterCompletion() runs the response has already been committed.\",\"marks\":[],\"data\":{}}]}]}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"2. The filter approach\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"An alternate approach to adding a CSP header when the application returns html content is to apply the header when the content type of the endpoint is known. 
The following example displays a method of CSP generation as a filter in a spring web application, based on the content-type header that is returned to only apply the CSP for html:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    protected void doFilterInternal(HttpServletRequest request,\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                                    HttpServletResponse response,\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                                    FilterChain filterChain) throws ServletException, IOException {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            @Override\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            public void addHeader(String name, String value) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                super.addHeader(name, value);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                if (HttpHeaders.CONTENT_TYPE.equalsIgnoreCase(name)) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                    
setCSPHeaders(value);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            @Override\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            public void setHeader(String name, String value) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                super.setHeader(name, value);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                if (HttpHeaders.CONTENT_TYPE.equalsIgnoreCase(name)) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                    setCSPHeaders(value);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            }\\n\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            @Override\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            public void setContentType(String type) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                super.setContentType(type);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"             
   setCSPHeaders(type);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            // only html responses get a CSP; other content types are left untouched\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            private void setCSPHeaders(String contentType) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                if (StringUtils.isNotEmpty(contentType) && StringUtils.containsIgnoreCase(contentType, MimeTypeUtils.TEXT_HTML_VALUE)) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                    LOG.debug(\\\"Content-Type header={}\\\", contentType);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                    // the code to build the Content-Security-Policy-Report-Only and Content-Security-Policy headers\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"                }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"            }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        };\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        filterChain.doFilter(request, wrapper);\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"3. 
The edge approach\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Scott Helme details this approach in his \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://scotthelme.co.uk/csp-nonces-the-easy-way-with-cloudflare-workers/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"blog post\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\", where he leverages the edge to intercept HTTP traffic and inject the CSP policy. In his particular example, he uses the Cloudflare Service workers, as an “easy” way to implement the generic CSP policy. One advantage of this method is that it can be applied to multiple applications, which gives you a single maintenance point for maintaining the CSP policy. Though generic, this approach can be added to any application without changing its code.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Configuration considerations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Violation reports\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s application range is quite large and has many endpoints, which resulted in too many violation reports. The reporting URI to which CSP tells the browser to forward the violation reports will quickly produce a large amount of data. And, it’s mostly the same violations repeated multiple times per page load. The reporting vendor may have a way to ignore certain violations that are expected since they should not be in the policy. Reporting vendors aren’t incentivized to ignore features, since they receive the reports and have to process them. 
Okta’s method in tackling this problem was to implement a sampling of violation reports on the server side where the CSP headers are added. We provided knobs to control the requests that will receive the CSP headers, ultimately reducing the traffic sent to our reporting endpoint. An alternative to this method could be to build an in-house solution to receive the reporting data and dismiss repeated violations at the receiving end. \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sample violation: Where Content-Security-Policy (CSP) did not intercept:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    \\\"csp-report\\\": {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"effective-directive\\\": \\\"connect-src\\\",\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"original-policy\\\": \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"[truncated]\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"blocked-uri\\\": \\\"https://mail.google.com/mail/feed/atom/\\\",\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"source-file\\\": \\\"user-script\\\",\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"line-number\\\": 5,\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"column-number\\\": 
16842\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    }\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"}\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-5\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Sample violation: Where Content-Security-Policy (CSP) intercepted: \",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Content-Security-Policy securely blocks known malicious scripts such as \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://hackerdose.com/malware/scriptcdn-net-malware/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"this one\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" that was reported to us by report-uri. The example below illustrates a truncated excerpt CSP interception, adding to the environment’s security assurance posture:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"{\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    \\\"csp-report\\\": {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"effective-directive\\\": \\\"script-src-elem\\\",\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"Original-policy\\\":\",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\" [truncated]\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"blocked-uri\\\": 
\\\"https://3001.scriptcdn.net/code/static/1\\\",\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"line-number\\\": 7,\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"column-number\\\": 47,\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"        \\\"status-code\\\": 200\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"    }\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"}\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Internal forward requests\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"A request may go through the interceptor chain several times when forwarded internally. This can create complications if CSP headers are computed each time, especially if the computed header changes or is removed, since it cannot be unset once set. Complications arise when a page that is customizable by administrators is forwarded to a page that is not customizable or the other way around, as each page requires a different CSP. 
In our use case, we rolled out a base policy containing frame-ancestors which was used as a way to revert an incorrectly-computed policy due to forwards.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Testing\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In order to set a specific policy for a specific customer to perform thorough live testing and debugging, we leverage \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://www.baeldung.com/java-management-extensions\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Java Management Extensions\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (JMX) because it gives us the ability to modify the CSP policy live in the application while on a discovery call with customers.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Selenium tests are considered to be of great importance - without these tests, something is likely to break in production when one least expects it. 
We built a framework that allows us to fail a selenium test if a CSP error was present in the browser console of a selenium test.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Customized content\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Okta’s admin console user interface (UI) allows the admin to customize the \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://help.asqula.com/oie/en-us/content/topics/settings/customizations-configure-csp.htm\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"Content-Security-Policy\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" (CSP) for customizable pages. This encourages the creation of CSP that allows their customizations to execute and toggle that policy between Content-Security-Policy-Report-Only and Content-Security-Policy. Also, they have the option to provide their own reporting URL for browser-based violation reports.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Directives\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Navigational directives such as “\",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"frame-ancestors\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\"” should always be added to prevent a malicious actor from attempting to iFrame not only html content, but also APIs. 
We recommend applying fetch directives only to endpoints that return HTML content: on non-HTML responses they only enlarge the response headers and so increase network traffic.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Header size limitations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"API gateways such as AWS API Gateway, Google Cloud Apigee and Kong API Gateway all limit the response header size, with limits ranging from 4 KB to 128 KB. Once nonces are introduced to tackle unsafe-inline, the response header size can surpass 4 KB. Special consideration is needed for customers using API gateways, so that the gateway is configured to allow a larger response header size.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Rollout Challenges\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In an effort to share our lessons learned, the following subsections capture the rollout challenges encountered with each of the three configuration methods listed above:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Unsafe-eval\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Tackling unsafe-eval is the first step in putting a stop to new code that is not templated. The next step is to track each existing violation and remove all the exemptions from the linting allow-list. 
The last step is to remove the unsafe-eval keyword from the policy.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-4\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Unsafe-inline\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Expect a significant impact when unsafe-inline is removed from the policy: if the policy is incorrect, users are very likely to be affected. An incorrect policy can block an inline script or inline style on a page, which degrades the user experience (UX) or even prevents the page from loading properly. For third-party integrations that require unsafe-inline for their inline scripts or styles, it’s best to ask the vendor to fix their code so that it no longer needs unsafe-inline; otherwise you inherit their poor practices. If an integration such as Pendo or Mapbox is required, it may take time for the vendor to ship a fix that removes the unsafe-inline/unsafe-eval requirement.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The approach we preferred was to let each team roll out its own endpoints using annotations that control whether a nonce is added to script-src and style-src, for both the Content-Security-Policy-Report-Only and the Content-Security-Policy header. 
Rolling out endpoint by endpoint like this takes longer, but each endpoint is tested independently, which lowers the risk:\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"@RequestMapping(value = \\\"/api/v1/object\\\", method = RequestMethod.GET)\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"// Adds the nonce to both the report-only and the enforced header; the property named in switchProperty is the per-endpoint kill switch\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"@ScriptSrcNonce(policy = {ScriptSrcNoncePolicy.SCRIPT_SRC_NONCE_REPORT_ONLY, ScriptSrcNoncePolicy.SCRIPT_SRC_NONCE_ENFORCED}, switchProperty = \\\"team.<name>.<endpoint>kill.switch.enableScriptSrcNonce\\\")\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"public String listObjectProperties(ModelMap model) {\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"…\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"}\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Recommendations\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"We recommend feature flags to control the various parts of the CSP, plus cloud configuration knobs for added control during deployment. When rolling out, go slowly and with guardrails: enforce the policy in Continuous Integration (CI) first, then in development environments, then in live testing against specific customer configurations using JMX as mentioned above, and lastly in production. While monitoring, adjust the policy incrementally and repeat as needed. 
As in most rollout plans, focus the initial rollout on the areas of largest customer impact so that a policy gets deployed, then improve the policy over time, working closely with customers to debug issues as they arise.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Lastly, be prepared to remediate by rolling back the CSP to a known-stable state. The feature flags and cloud configuration knobs mentioned above are what get you reverted to a working, functional state. CSPs can be \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://csp-evaluator.withgoogle.com/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"evaluated\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in real time for continuous improvement.\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"heading-3\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"Conclusion\",\"marks\":[],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"In the end, is implementing Content-Security-Policy worth all the effort? From our security teams to yours, \",\"marks\":[],\"data\":{}},{\"nodeType\":\"text\",\"value\":\"yes!\",\"marks\":[{\"type\":\"bold\"}],\"data\":{}}]},{\"nodeType\":\"paragraph\",\"data\":{},\"content\":[{\"nodeType\":\"text\",\"value\":\"The \",\"marks\":[],\"data\":{}},{\"nodeType\":\"hyperlink\",\"data\":{\"uri\":\"https://research.google/pubs/csp-is-dead-long-live-csp-on-the-insecurity-of-whitelists-and-the-future-of-content-security-policy/\"},\"content\":[{\"nodeType\":\"text\",\"value\":\"top security vulnerability\",\"marks\":[{\"type\":\"underline\"}],\"data\":{}}]},{\"nodeType\":\"text\",\"value\":\" in modern web applications, Cross-Site Scripting (XSS), is combated at the framework level by a strong CSP. 
Strong policies are deployed as an added layer of security for the long haul against today’s evolving threats. Due to its importance, we’re seeing an increase in customer requests for custom domains. Content-Security-Policy continues to be a security priority at Okta, with continued security investigation, enhancement and monitoring in an effort to secure customer data.\",\"marks\":[],\"data\":{}}]}]}"}}]}},"pageContext":{"limit":10,"skip":20,"numBlogPages":9,"currentPage":3}},
    "staticQueryHashes": []}