Session Spotlight

Kevin Hakanson

Camp Counselor

Fine-Grained Authorization in Modern Software Applications

Event Logo

Thursday, August 1, 2024 - 7:30 PM UTC, for 1 hour.

Regular, 60 minute presentation

Room: African 20

authorization
open-source
access-control
application development

Authentication (AuthN) and Authorization (AuthZ) are critical for most software applications. The increased adoption of standardized frameworks for AuthN has improved overall security posture. “Broken Authentication” was #2 risk on the OWASP Top 10:2017 list but slid in 2021 to be part of a rescoped #7. AuthZ is trending the wrong direction with “Broken Access Control” the #1 security risk on 2021 list. This session discusses how open-source policy languages and evaluation engines can improve access control in applications. The key acronyms are reviewed for background: JWT concepts (claims, scopes); access control models (RBAC, ABAC, ReBAC), data-flow model of XACML (PAP, PDP, PEP, PIP). Examples of applications requiring fine-grained authorization are modeled using different open-source solutions (Cedar, OpenFGA, OPA) focusing on their policy language and evaluation engine integration. This session spans high-level architecture to low-level code, and sprinkles humor (and acronyms) throughout.

Prerequisites

Anyone that has used a software application requiring permissions (even file or photo sharing applications) can follow along the discussion.

Take Aways

  • Learn how open-source policy languages and evaluation engines can improve access control in applications.
  • See how fine-grained authorization is modeled using different open-source solutions.
favorited by:
Tim Kempster John Martin James McCollum Chris Weinert Edward Lichtman Brett Allenstein Robert Derman Matthew Ives Elizabeth Groom YURSHIA XIONG