FOSDEM 2026 Day 1

This post contains the notes that I took during FOSDEM 2026. The big new topics this year seemed to be AI & digital sovereignty. But of course the main subject matter of the conference will always be beer open source. The following notes are some ramblings combining what the speakers said and thoughts I had while listening. I took them for future reference and decided to publish them because 🤷 why not. ...

FOSDEM 2026 Day 2

Notes on day 1 Identity and Access Management Devroom This room is cursed. – The video volunteer when entering the room in the morning. Day two started off great with some great presentations in the IAM devroom. I woke up early so I could get a seat on the front row and was happy that I did. Thomas Darimont giving a presentation on OpenID’s shared signals framework. ...

Fine-Grained Authorization (FGA)

Broken Object Level Authorization is number one in OWASP’s API security top 10. APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user. What is Authorization? Deciding if an action can be taken. Can Alice view document #123? Can Alice view document #123 at 16:30 on Tuesday, 11 June, 2024? Can Bob edit document #123 in China? Can Bob edit document #123 in China, when authenticated with MFA? Can a manager create document #456? We can always identify the following: ...
Multi Factor Authentication

What is MFA Multi-factor authentication (MFA) is a security process that requires users to verify their identity using two or more distinct factors. Each factor can be from one of the following categories: Something you know (e.g., a password) Something you have (e.g., a security token or mobile device) Something you are (e.g., a biometric such as fingerprint or face recognition) For an authentication method to be secure, it should validate at least two factors. ...

My Security Principles & Guidelines

Principles Let’s first describe some principles, in order of importance. 1. Pragmatic Security When creating an API the primary goal is to solve a problem for a user or organisation. But we don’t want to create new problems by introducing vulnerabilities. When designing or implementing a new feature, always consider how it could be abused and strive for security by design. Be pragmatic: solve problems, don’t create new ones. ...

OpenID Shared Signals Framework

Policy-Based Access control with data filters

In the classic XACML based fine grained authorization ([[fga]]) architecture, the Policy Decision Point or PDP is responsible for deciding whether a subject such as a user is allowed to perform an action on a specific resource. But in many real world architectures this pattern is difficult to apply. Let’s look at the following simple example. We want to build an application that shows a simple list of all documents a user has access to. ...