Broken Object Level Authorization is the number one in OWASP’s API security top 10.
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user.
What is Authorization? Deciding whether an action may be taken.
Can Alice view document #123? Can Alice view document #123 at 16:30 on Tuesday, 11 June, 2024? Can Bob edit document #123 in China? Can Bob edit document #123 in China, when authenticated with MFA? Can a manager create document #456?
We can always identify the following:
...
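As an added example (not code from the original post), here is the BOLA pattern in its smallest form: a handler that looks up whatever ID the request carries, next to a hardened version that loads the object and then checks the caller against that object, with the subject, action, resource and context all visible in one decision function. The in-memory store, the users, the `mfa` context flag and every helper name are constructed for illustration.

```python
"""Added example (not code from the original post): a BOLA-prone document
handler next to its hardened form. The in-memory store, the users and every
helper name here are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Set


@dataclass
class Document:
    doc_id: int
    owner: str
    body: str
    shared_with: Set[str] = field(default_factory=set)


# Constructed sample data: two documents owned by different users.
DOCS = {
    123: Document(123, owner="alice", body="alice's notes"),
    124: Document(124, owner="bob", body="bob's salary sheet"),
}


def get_document_vulnerable(user: str, doc_id: int) -> Optional[Document]:
    """BOLA: the ID arrives from the request and is used as-is. Any
    authenticated user can read any document by guessing its number."""
    return DOCS.get(doc_id)


def can(subject: str, action: str, doc: Document, context: Optional[dict] = None) -> bool:
    """The object-level decision: subject, action, resource and context.
    Hypothetical policy: owners may view and edit, users the document is
    shared with may only view, and editing requires an MFA-backed session."""
    context = context or {}
    if action == "view":
        return subject == doc.owner or subject in doc.shared_with
    if action == "edit":
        return subject == doc.owner and bool(context.get("mfa"))
    return False  # unknown actions are denied


def get_document(user: str, doc_id: int, context: Optional[dict] = None) -> Optional[Document]:
    """Hardened: load the object by ID, then check the caller against that
    object. A missing and a forbidden document look the same to the caller,
    so the ID space cannot be mapped through 403-versus-404 differences."""
    doc = DOCS.get(doc_id)
    if doc is None or not can(user, "view", doc, context):
        return None
    return doc


def enumerate_ids(fetch: Callable[[str, int], Optional[Document]],
                  user: str, id_range: Iterable[int]) -> List[int]:
    """What an attacker does with their own valid session: walk the ID space."""
    return [i for i in id_range if fetch(user, i) is not None]


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(get_document_vulnerable, "alice", range(120, 130)))
    print("hardened:  ", enumerate_ids(get_document, "alice", range(120, 130)))
```

The check lives next to the lookup, not in a middleware that only sees the URL: the decision needs the loaded object (its owner and share list), which is exactly why BOLA is missed when authorization is done once at the route level.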
What is MFA? Multi-factor authentication (MFA) is a security process that requires users to verify their identity using two or more distinct factors. Each factor comes from one of the following categories:
Something you know (e.g., a password); something you have (e.g., a security token or mobile device); something you are (e.g., a biometric such as a fingerprint or face recognition). For an authentication method to count as MFA, it must validate at least two factors from different categories; a password plus a security question is still a single category, and therefore a single factor.
...
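As an added example (not code from the original post), the following combines a password check (something you know) with an RFC 6238 TOTP check (something you have) and applies the two-category rule from the text, so that a password plus a security question does not pass as MFA. The user record, the factor table, the secret and the timestamps are constructed for illustration; the TOTP routine is a straight implementation of RFC 4226/6238, not a library call.

```python
"""Added example (not code from the original post): a password check
(something you know) combined with an RFC 6238 TOTP check (something you
have), and a policy that counts distinct factor categories rather than
raw factors. The user record, secret and timestamps are constructed."""
import hashlib
import hmac
import os
import struct
import time
from typing import List, Optional, Tuple

# Category of each factor type. Two factors from the same category
# (password plus security question) are still one factor.
CATEGORY = {"password": "know", "security_question": "know",
            "totp": "have", "fingerprint": "are"}


def is_mfa(verified_factors: List[str]) -> bool:
    """True only if the verified factors span at least two categories."""
    return len({CATEGORY[f] for f in verified_factors}) >= 2


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept +/- `window` steps of clock drift; compare in constant time."""
    at = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-window, window + 1))


def make_user(password: str, totp_secret: bytes) -> dict:
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def login(user: dict, password: str, code: str, at: Optional[float] = None) -> Tuple[bool, List[str]]:
    """Evaluate both factors unconditionally (no early exit that would reveal
    which one failed), then apply the two-category rule."""
    verified = []
    if verify_password(password, user["salt"], user["pw_hash"]):
        verified.append("password")
    if verify_totp(user["totp_secret"], code, at):
        verified.append("totp")
    return is_mfa(verified), verified
```

The RFC 4226 test secret `12345678901234567890` yields `755224` for counter 0 and `287082` for counter 1 (which is also the TOTP at Unix time 59 with a 30-second step), so the `hotp`/`totp` routines can be checked against the published vectors.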
Principles Let's first describe some principles, in order of importance.
1. Pragmatic Security When creating an API the primary goal is to solve a problem for a user or organisation. But we don’t want to create new problems by introducing vulnerabilities.
When designing or implementing a new feature always consider how it could be abused and strive for security by design.
Be pragmatic: solve problems, don't create new ones.
...
In the classic XACML-based fine-grained authorization ([[fga]]) architecture, the Policy Decision Point (PDP) is responsible for deciding whether a subject, such as a user, is allowed to perform an action on a specific resource.
But in many real-world architectures this pattern is difficult to apply. Let's look at the following simple example. We want to build an application that shows a simple list of all documents a user has access to.
...
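As an added example (not code from the original post), here is a minimal XACML-style PDP and the two ways the "list all documents I can access" case can be served from it: asking the PDP once per candidate row through its yes/no interface, or partially evaluating the policy against the subject and handing the resulting predicate to the database as a parameterised WHERE clause. The rules, the SQLite table, the subjects and every name are constructed for illustration; the post itself does not say which approach it goes on to take.

```python
"""Added example (not code from the original post): a minimal XACML-style
Policy Decision Point (subject, action, resource -> Permit/Deny) and the two
ways the "list all documents I can access" case can be served from it. The
rules, the document table and every name here are constructed for illustration."""
import sqlite3
from typing import Any, Dict, List, Tuple

# Constructed sample rows: (id, owner, department, classification).
DOCUMENTS = [
    (1, "alice", "eng", "internal"),
    (2, "bob", "eng", "secret"),
    (3, "carol", "hr", "internal"),
    (4, "dave", "eng", "internal"),
]
SUBJECTS = {
    "alice": {"name": "alice", "department": "eng"},
    "bob": {"name": "bob", "department": "eng"},
}

# Policy as data so it can be both evaluated and compiled. A rule permits its
# actions when every condition holds; a condition compares a resource
# attribute with either a subject attribute or a literal.
RULES: List[Dict[str, Any]] = [
    {"actions": {"view", "edit"}, "when": [("owner", "subject", "name")]},
    {"actions": {"view"}, "when": [("department", "subject", "department"),
                                   ("classification", "literal", "internal")]},
]


def _rhs(subject: dict, kind: str, value: str) -> str:
    return subject[value] if kind == "subject" else value


class PDP:
    def decide(self, subject: dict, action: str, resource: dict) -> bool:
        """The classic question: may this subject do this action on this resource?"""
        for rule in RULES:
            if action in rule["actions"] and all(
                    resource[attr] == _rhs(subject, kind, value)
                    for attr, kind, value in rule["when"]):
                return True
        return False  # no applicable rule: deny

    def filter_for(self, subject: dict, action: str) -> Tuple[str, List[str]]:
        """Partial evaluation: bind subject and action now, leave the resource
        open, and return a parameterised WHERE clause. Column names come from
        the policy (trusted); attribute values travel as bind parameters."""
        clauses, params = [], []
        for rule in RULES:
            if action not in rule["actions"]:
                continue
            conds = []
            for attr, kind, value in rule["when"]:
                conds.append(f"{attr} = ?")
                params.append(_rhs(subject, kind, value))
            clauses.append("(" + " AND ".join(conds) + ")")
        return (" OR ".join(clauses) or "0"), params


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE documents(id INTEGER PRIMARY KEY, owner TEXT, "
                "department TEXT, classification TEXT)")
    con.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", DOCUMENTS)
    return con


def list_via_decisions(con: sqlite3.Connection, pdp: PDP, user: str) -> List[int]:
    """Listing through the yes/no interface: read every row, ask the PDP once
    per row. Correct, but O(N) decisions and the whole table is fetched first."""
    subject = SUBJECTS[user]
    rows = con.execute("SELECT id, owner, department, classification "
                       "FROM documents ORDER BY id").fetchall()
    return [row[0] for row in rows if pdp.decide(
        subject, "view", {"owner": row[1], "department": row[2], "classification": row[3]})]


def list_via_filter(con: sqlite3.Connection, pdp: PDP, user: str) -> List[int]:
    """Listing with the policy pushed into the query: one PDP call, one WHERE
    clause, and the database does the filtering."""
    where, params = pdp.filter_for(SUBJECTS[user], "view")
    return [row[0] for row in con.execute(
        f"SELECT id FROM documents WHERE {where} ORDER BY id", params)]


if __name__ == "__main__":
    db, pdp = setup_db(), PDP()
    for name in SUBJECTS:
        print(name, list_via_decisions(db, pdp, name), list_via_filter(db, pdp, name))
```

Both listings must agree for every subject; the difference is where the work happens. The per-row variant keeps the PDP as a pure oracle but does not scale past small tables, while the filter variant requires the policy to be expressed in a form the data layer can apply, which is the constraint that makes the classic PDP pattern hard to use for list endpoints.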
FOSDEM 2026, Main track: Free as in Burned Out: Who Really Pays for Open Source?; FOSS in times of war, scarcity and (adversarial) AI
DEFCON 33: All your keyboards are belong to us!
Cosic PQCSA Workshop Brussels 2026: https://www.youtube.com/watch?v=fLcyN2SM1Tk
NDC Copenhagen 2025: (Azure) Modern Architecture 101 for New Engineers & Forgetful Experts - Jerry Nixon