Fine-Grained Authorization in Modern Software Applications
Thursday, August 1, 2024 - 7:30 PM UTC, for 1 hour.
Regular, 60 minute presentation
Room: African 20
Authentication (AuthN) and Authorization (AuthZ) are critical for most software applications. The increased adoption of standardized frameworks for AuthN has improved overall security posture: “Broken Authentication” was the #2 risk on the OWASP Top 10:2017 list but slid in 2021 to become part of a rescoped #7. AuthZ is trending in the wrong direction, with “Broken Access Control” the #1 security risk on the 2021 list. This session discusses how open-source policy languages and evaluation engines can improve access control in applications. The key acronyms are reviewed for background: JWT concepts (claims, scopes); access control models (RBAC, ABAC, ReBAC); and the data-flow model of XACML (PAP, PDP, PEP, PIP). Examples of applications requiring fine-grained authorization are modeled using different open-source solutions (Cedar, OpenFGA, OPA), focusing on their policy language and evaluation engine integration. This session spans high-level architecture to low-level code, and sprinkles humor (and acronyms) throughout.
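To make the acronyms concrete before the session, here is a small added illustration of the XACML data-flow roles (PAP, PDP, PEP, PIP) with one rule each in the RBAC, ABAC and ReBAC styles. It is example code written for this page, not material from the session and not code from Cedar, OpenFGA or OPA; every principal, resource, role, claim and relation tuple below is constructed, and the `claims` dict stands in for the payload of a JWT that the application has already validated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """An access request as the PEP sees it. `claims` models a validated JWT payload (constructed)."""
    principal: str
    action: str
    resource: str
    claims: dict


class PIP:
    """Policy Information Point: supplies attributes the request itself does not carry."""

    def __init__(self, roles, resource_attrs, relations):
        self.roles = roles                    # RBAC: principal -> set of roles
        self.resource_attrs = resource_attrs  # ABAC: resource -> attribute dict
        self.relations = relations            # ReBAC: set of (principal, relation, resource)

    def roles_of(self, principal):
        return self.roles.get(principal, set())

    def attrs_of(self, resource):
        return self.resource_attrs.get(resource, {})

    def has_relation(self, principal, relation, resource):
        return (principal, relation, resource) in self.relations


# Rules authored in the PAP. Each returns True only when it grants the request.
def rbac_admin_rule(req, pip):
    """RBAC: holders of the 'admin' role may perform any action."""
    return "admin" in pip.roles_of(req.principal)


def abac_department_rule(req, pip):
    """ABAC: 'read' is allowed when the caller's department claim matches the
    resource's department attribute and the resource is not classified secret."""
    attrs = pip.attrs_of(req.resource)
    return (req.action == "read"
            and attrs.get("department") == req.claims.get("department")
            and attrs.get("classification") != "secret")


def rebac_owner_rule(req, pip):
    """ReBAC: the owner of a document may read, edit or share it."""
    return req.action in {"read", "edit", "share"} and pip.has_relation(req.principal, "owner", req.resource)


def rebac_viewer_rule(req, pip):
    """ReBAC: a principal with a 'viewer' relation to a document may read it."""
    return req.action == "read" and pip.has_relation(req.principal, "viewer", req.resource)


class PAP:
    """Policy Administration Point: where rules are authored and stored."""

    def __init__(self, rules):
        self.rules = list(rules)


class PDP:
    """Policy Decision Point: deny-unless-permit over the PAP's rules (XACML's
    combining-algorithm name; default deny when no rule grants)."""

    def __init__(self, pap, pip):
        self.pap, self.pip = pap, pip

    def decide(self, req):
        for rule in self.pap.rules:
            if rule(req, self.pip):
                return "Permit", rule.__name__
        return "Deny", "default-deny"


class PEP:
    """Policy Enforcement Point: the only place the application asks 'may I?'."""

    def __init__(self, pdp):
        self.pdp = pdp
        self.audit = []  # decisions recorded for later review

    def is_allowed(self, principal, action, resource, claims):
        decision, reason = self.pdp.decide(Request(principal, action, resource, claims))
        self.audit.append((principal, action, resource, decision, reason))
        return decision == "Permit"


# Constructed sample data: two documents, three users, a few relation tuples.
PIP_DATA = PIP(
    roles={"alice": {"admin"}, "bob": {"engineer"}, "carol": {"engineer"}},
    resource_attrs={
        "doc:roadmap": {"department": "eng", "classification": "internal"},
        "doc:payroll": {"department": "finance", "classification": "secret"},
    },
    relations={("bob", "owner", "doc:roadmap"), ("carol", "viewer", "doc:roadmap")},
)
PEP_DEMO = PEP(PDP(PAP([rbac_admin_rule, abac_department_rule, rebac_owner_rule, rebac_viewer_rule]), PIP_DATA))


def demo_decisions():
    """Run a handful of requests and return (principal, action, resource) -> bool."""
    cases = [
        ("alice", "delete", "doc:payroll", {}),             # admin role (RBAC)
        ("bob", "edit", "doc:roadmap", {"department": "eng"}),  # owner (ReBAC)
        ("carol", "read", "doc:roadmap", {"department": "eng"}),  # viewer / same department
        ("carol", "edit", "doc:roadmap", {"department": "eng"}),  # viewer may not edit
        ("bob", "read", "doc:payroll", {"department": "eng"}),    # wrong department
        ("dave", "read", "doc:payroll", {"department": "finance"}),  # right department, but secret
    ]
    return {(p, a, r): PEP_DEMO.is_allowed(p, a, r, c) for p, a, r, c in cases}


if __name__ == "__main__":
    for key, allowed in demo_decisions().items():
        print(key, "Permit" if allowed else "Deny")
```

The separation is the point: the PEP never inspects roles or relation tuples itself, the PDP never stores data, and the PIP is the only component that knows where attributes come from. Swapping the rule functions for a Cedar, OpenFGA or OPA engine changes the PDP and PAP while leaving the PEP call site untouched.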
Prerequisites
Anyone who has used a software application requiring permissions (even file or photo sharing applications) can follow the discussion.
Takeaways
- Learn how open-source policy languages and evaluation engines can improve access control in applications.
- See how fine-grained authorization is modeled using different open-source solutions.