A presentation at Snowfroc (OWASP Denver) in Denver, CO, USA by Daniel "phrawzty" Maher
Modern authorization has grown from simple Unix file permissions into a maze of distributed systems across cloud providers and edge locations. This increasing complexity and scale have opened the door to new classes of security incidents. Looking at academic research and real-world incidents at companies like Meta, Microsoft, and Okta, we’ll dig into what went wrong and see how our fancy distributed architectures can create fun and exciting new ways for things to break.
The session will walk through practical approaches to securing token-based authorization, dealing with role explosion, and building solid testing strategies. You’ll come away understanding how authorization systems work and what it takes to build them securely—or at least with a healthy fear of policy management and the horrors it can wreak.