Kevin Hakanson

Camp Counselor

Fine-Grained Authorization in Modern Software Applications

Event Logo

Thursday, August 1, 2024 - 7:30 PM UTC, for 1 hour.

Regular, 60 minute presentation

Room: African 20

authorization
open-source
access-control
application development

Authentication (AuthN) and Authorization (AuthZ) are critical for most software applications. The increased adoption of standardized frameworks for AuthN has improved overall security posture. “Broken Authentication” was #2 risk on the OWASP Top 10:2017 list but slid in 2021 to be part of a rescoped #7. AuthZ is trending the wrong direction with “Broken Access Control” the #1 security risk on 2021 list. This session discusses how open-source policy languages and evaluation engines can improve access control in applications. The key acronyms are reviewed for background: JWT concepts (claims, scopes); access control models (RBAC, ABAC, ReBAC), data-flow model of XACML (PAP, PDP, PEP, PIP). Examples of applications requiring fine-grained authorization are modeled using different open-source solutions (Cedar, OpenFGA, OPA) focusing on their policy language and evaluation engine integration. This session spans high-level architecture to low-level code, and sprinkles humor (and acronyms) throughout.

Prerequisites

Anyone that has used a software application requiring permissions (even file or photo sharing applications) can follow along the discussion.

Take Aways

  • Learn how open-source policy languages and evaluation engines can improve access control in applications.
  • See how fine-grained authorization is modeled using different open-source solutions.
favorited by:
Tim Kempster Rebecca Von Ruden John Martin Jacob Netz James McCollum Dustin Collins Chris Weinert Edward Lichtman Jacob Graf Dan Willman Jordan Bleu Adam Kerr Brett Allenstein Robert Derman Matthew Ives Ryan Holmes Nick Heidke Shaq Mughal Sam Patterson Jimmy Zhao Christopher Baker Matt Netkow Dustin Ewers Elizabeth Groom William Schaeffer Tristan Dalgety YURSHIA XIONG Kevin Hakanson