Lately I've been working on designing authentication (authN) and authorization (authZ) services for an API Gateway layer sitting on top of a collection supposedly RESTful APIs written by a diverse and disconnected population of developers. One of the many challenges I've faced is that it turns out that "REST" means different things to different people. I've been looking for a simple way to explain to developers what a high quality RESTful API looks and functions like. While I have found some good material, I felt I needed pull together a few different concepts, so I wrote this. Why is being fully RESTful important? Turns out that poorly designed and implemented, RESTful APIs are harder to design authentication and authorization services. First I want to discuss RESTful APIs in general, so we can agree on what they are and are not. Then I will explain why weakly RESTful APIs are harder to implement authN/Z. Reading the documentation for supposedly "RE
The data is beginning to paint an interesting picture about the relationship between security and developer happiness. The 2020 DevSecOps survey from Sonatype indicates that happy developers are 3.6 times less likely to neglect security in their code. And 2.3 times more likely to set up automated security tools, and 1.3 times more likely to follow open source security policies. In addition, developers working within a mature DevOps practice are 1.5 times more likely to enjoy their work, and 1.6 times more likely to recommend their employer to their peers. These last conclusions about the relationship between DevOps maturity and developer happiness are also supported in multiple versions of the DORA State of DevOps survey data. Businesses actually want five things from developers, but usually only ask for one and assume the other four take care of themselves. What they want, and ask for the most are new features. The next ask is improvements in new feature velocity. Rarely do they ask
Least Privilege is kind of like the Holy Grail of security. Everyone wants it, but it remains elusive. Those that have mounted serious efforts to achieve it have had varying degrees of success "Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job."— Jerome Saltzer, Communications of the ACM Peter J. Denning, in his paper "Fault Tolerant Operating Systems" , set it in a broader perspective among four fundamental principles of fault tolerance. Dynamic assignments of privileges was earlier discussed by Roger Needham in 1972. 1,2 Okay so luminaries have written about it and that means it's probably a thing. But how to achieve it with AWS Lambda? Let's start with facing the biggest challenges in general: The effort required to pare down permissions to the minimum necessary is significant. As developers add features, policy enforcement just gets in their way, and using
Comments
Post a Comment