SecAppDev 2020 Lecture Details

Modern access control policy enforcement

Jim Manico
Wednesday March 11, 09:00 - 10:30

Short description

This talk will discuss security principles that will help developers build modern access control solutions that are flexible enough to satisfy almost any complex access control security requirement.

Abstract

Access control is a necessary security control at almost every layer of a web application. This talk will discuss several of the critical access control anti-patterns commonly found during website security audits. These include hard-coded security policies, missing horizontal access control, direct object reference issues, and "fail open" access control mechanisms, to name a few.

In reviewing these and other access control anti-patterns, we will arrive at a series of positive access control principles that provide the flexible security capability modern applications need. These positive patterns include data-contextual, activity-based, configurable, flexible, multi-tenant, and deny-by-default policies, among other design attributes that make up a robust access control mechanism for any web or API based application.

Key takeaway

It's well past time to migrate access control policy enforcement points in your code from roles to capabilities.
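The anti-patterns and positive patterns named in the abstract, shown side by side as an added illustration (this is not code from the lecture or from the speaker): a hard-coded role check with no object context, next to an activity-based enforcement point that asks "may this user perform this activity on this object?" and is data-contextual, multi-tenant, deny-by-default and fail-closed. The `User` and `Invoice` types, the `activity:scope` capability naming, and the sample data are constructed assumptions.

```python
"""Role-based anti-pattern vs. activity-based (capability) enforcement point.
Constructed example: types, capability strings and sample data are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional


@dataclass(frozen=True)
class User:
    id: str
    tenant: str
    capabilities: FrozenSet[str]  # e.g. {"invoice:read:own", "invoice:approve:any"}


@dataclass(frozen=True)
class Invoice:
    id: str
    tenant: str
    owner_id: str


# --- Anti-pattern: policy hard-coded as a role check, no object context -----
def can_read_invoice_by_role(role: str) -> bool:
    # Granting by role alone answers "who is this?" rather than "may they do
    # this to that?": every invoice in every tenant is readable, and changing
    # the policy means changing code.
    return role in ("admin", "accountant")


# --- Positive pattern: activity-based, data-contextual, deny-by-default -----
# Scope rules are the data-contextual part: "own" requires the caller to own
# the object, "any" only requires the object to be inside the caller's tenant.
SCOPE_RULES: Dict[str, Callable[[User, Invoice], bool]] = {
    "own": lambda user, inv: inv.owner_id == user.id,
    "any": lambda user, inv: True,
}


def is_permitted(user: User, activity: str, resource: Invoice) -> bool:
    """Grant only when every check passes; any other outcome, including an
    unexpected error inside the policy evaluation, is a deny."""
    try:
        # Multi-tenant boundary: objects of other tenants do not exist here.
        if resource.tenant != user.tenant:
            return False
        # Take the broadest scope the user holds for this activity.
        for scope in ("any", "own"):
            if f"{activity}:{scope}" in user.capabilities:
                return SCOPE_RULES[scope](user, resource)
        return False  # no matching capability: deny by default
    except Exception:
        return False  # fail closed: an error never turns into a grant


# Constructed sample data standing in for a database.
INVOICES: Dict[str, Invoice] = {
    "inv-1": Invoice("inv-1", "acme", "alice"),
    "inv-2": Invoice("inv-2", "acme", "bob"),
    "inv-3": Invoice("inv-3", "globex", "carol"),
}


def read_invoice(user: User, invoice_id: str) -> Optional[Invoice]:
    """Enforcement point for a direct object reference: resolve the id first,
    then check the policy against the actual object, so a caller-supplied id
    never bypasses the horizontal (per-object) check."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not is_permitted(user, "invoice:read", invoice):
        return None  # same answer for "not found" and "not yours"
    return invoice


ALICE = User("alice", "acme", frozenset({"invoice:read:own"}))
BOB = User("bob", "acme", frozenset({"invoice:read:any"}))       # accountant
CAROL = User("carol", "globex", frozenset({"invoice:read:any"}))  # other tenant
NOBODY = User("nobody", "acme", frozenset())                      # no grants

if __name__ == "__main__":
    for user, inv_id in [(ALICE, "inv-1"), (ALICE, "inv-2"), (BOB, "inv-2"),
                         (BOB, "inv-3"), (CAROL, "inv-1"), (NOBODY, "inv-1")]:
        print(user.id, inv_id, "->", "allow" if read_invoice(user, inv_id) else "deny")
```

Because the policy is data (`SCOPE_RULES` plus each user's capability set) rather than a chain of role comparisons, a new activity or a new scope is a configuration change, and the enforcement point `is_permitted` stays the same at every layer that calls it.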

Content level

Deep-dive

Target audience

Web and API software developers

Prerequisites

None


Jim Manico

CEO, Manicode Security

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences, and BitDiscovery. Jim is a frequent speaker on secure software practices, is a Java Champion, and is the author of "Iron-Clad Java - Building Secure Web Applications" from Oracle Press. Jim also volunteers for OWASP as the project co-lead for the OWASP ASVS and the OWASP Proactive Controls.

Related identity and access management sessions

OAuth 2.0 Security Reinforced

Lecture by Dr. Torsten Lodderstedt

OAuth 2.0 has become the standard for API authorization. Practical experience and security research have shown a need for updated security guidelines that will be presented in this session.

Identity and access management Wednesday March 11, 16:00 - 17:30

Advanced OAuth for security-sensitive applications

Lecture by Dr. Torsten Lodderstedt

OAuth has become the standard for API authorization because of its simplicity and versatility. This talk will present battle-proven patterns and OAuth extensions that should be used when building security-sensitive applications.

Identity and access management Thursday March 12, 14:00 - 15:30

A practical introduction to OIDC (and OAuth 2.0)

Lecture by Dominick Baier

OIDC and OAuth 2.0 have become the de facto standard to implement authentication and authorization in modern applications. This session introduces their features, such as authentication, sessions, and protocol flows.

Identity and access management Wednesday March 11, 11:00 - 12:30

OIDC and OAuth 2.0 – Tips from the trenches

Lecture by Dominick Baier

Building an API-based system with OIDC and OAuth 2.0 raises quite a few questions. In this session, we answer these questions using common patterns and anti-patterns derived from real-world scenarios.

Identity and access management Thursday March 12, 11:00 - 12:30

Making smart choices from the authentication cookbook

Lecture by Philippe De Ryck

Modern applications need to authenticate users and services in various scenarios. This session focuses on helping architects and developers understand the different authentication mechanisms and their purpose.

Identity and access management Tuesday March 10, 11:00 - 12:30