Location: Kaapelitehdas, Helsinki, Finland
Recording: https://youtu.be/d8lshOV9aCk
Abstract:
The number one security risk in OWASP's latest API Security Risks list is "Broken Object Level Authorization", and the third is "Broken Object Property Level Authorization". Helping developers mitigate these risks through best practices and frameworks can therefore be highly beneficial for our community.
This talk will discuss some means that can be applied to build API servers (or, more generally, control planes) in a way that makes them less susceptible to these attacks, through:
* uniformity of API server structure (this is probably well known to most security professionals, but worth covering), and
* relation-based access control (ReBAC), a superset of both RBAC and ABAC, which allows for finer-grained and declarative access control.
This gives us a way to avoid the "oops, I forgot to implement the authorization check for this API resource (or field)" failure, and to escape the otherwise inevitable, unmaintainable pile of imperative checks in the API servers such as "if the authenticated user belongs to a group with the magic string 'employees', it should have access to all documents with the prefix /company_public".
A declarative authorization model, together with a graph-based structure for the authorization state, can be audited, visualized and pentested far more easily than custom code written for each resource in the API.
In the end, Lucas will demo this paradigm in action. All code is open source and fully reproducible for anyone. After this talk, the audience will have practical knowledge about how to formalize access control in an extensible, uniform and auditable way for their own projects.
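As an added illustration (not code from the talk or its demo), the following Python sketch shows the ReBAC idea in miniature: authorization state is a set of relation tuples forming a graph, the schema declares which relations imply others, and a single check function walks that graph, so the "employees can view /company_public documents" rule above becomes one tuple instead of an imperative check in every handler. The schema, tuples, type names and user names are constructed assumptions.

```python
from collections import defaultdict

# Constructed schema: for each object type, relation -> relations that imply it
# (owner implies editor, editor implies viewer). Property-level access works the
# same way by treating a field as its own object, e.g. "field:salaries/amount".
SCHEMA = {
    "document": {"owner": set(), "editor": {"owner"}, "viewer": {"editor"}},
    "group": {"member": set()},
}

# Constructed authorization state: (object, relation, subject) tuples.
# A subject is a user ("user:bob") or a userset ("group:employees#member"),
# which is how the declarative "employees may view /company_public" rule is stated.
TUPLES = [
    ("document:/company_public/handbook", "viewer", "group:employees#member"),
    ("group:employees", "member", "user:bob"),
    ("document:/private/salaries", "owner", "user:alice"),
]


class ReBAC:
    def __init__(self, schema, tuples):
        self.schema = schema
        self.index = defaultdict(set)  # (object, relation) -> subjects
        for obj, rel, subj in tuples:
            self.index[(obj, rel)].add(subj)

    def check(self, obj, relation, user, _seen=None):
        """Return True if `user` holds `relation` on `obj`, walking the graph."""
        seen = _seen if _seen is not None else set()
        key = (obj, relation)
        if key in seen:  # cycle guard; a revisited node cannot add a new path
            return False
        seen.add(key)
        # 1. Direct tuples, expanding usersets recursively.
        for subj in self.index.get(key, ()):
            if subj == user:
                return True
            if "#" in subj:
                s_obj, s_rel = subj.split("#", 1)
                if self.check(s_obj, s_rel, user, seen):
                    return True
        # 2. Relations that imply this one according to the declared schema.
        obj_type = obj.split(":", 1)[0]
        for stronger in self.schema.get(obj_type, {}).get(relation, ()):
            if self.check(obj, stronger, user, seen):
                return True
        return False


STORE = ReBAC(SCHEMA, TUPLES)  # every API handler calls STORE.check uniformly
```

Because every handler routes through the same check, adding a resource means adding tuples and schema entries, not new conditional code; the tuple store can then be dumped and audited as a graph.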