Do you have a responsible security disclosure program? There are definitely some issues with this approach.
Also, AWS SES is pretty cheap and easy to use; it provides 62k emails per month for free: https://aws.amazon.com/ses/pricing/
It's hard to compete with that.
So, how is our authorization code kept secure, and how does it prevent others from using up the service quota? Well, as long as the API is called from the configured web application, we are good!
The most common lifecycle of a resource flows from creation, to updates, to deletion. When a resource is created, access must be given to the user so that they can read and write to it afterwards. By default, new resources in an application don't imply any access control. If creation is when access records are created, then reads and updates are when access records are verified. There are many examples of this in the available SDKs.
It’s already old news at this point to be talking about two-pizza teams. You can find a myriad of articles on Google discussing what they are and why you want them. I’m going to be talking about the innovation in team management that supersedes two-pizza teams and that’s the wolf-pack team.
(Just a quick note here, I know that not all wolves form packs, nor are the packs they form most optimal in every situation, however…)
Having a two-pizza team amounts to somewhere between 3 and 7 team members, where all aspects of the team's work are handled by that team. It…
Just writing down my list of things that are problematic with TF. While you don't have to agree, it's good to put the list down and begin that conversation.
The importance of data security has not been left off anyone's radar. And, in the wake of unauthorized access to the US Capitol building, the approach for some is to wipe everything. Potentially malicious attackers were on premises, able to access user data and user sessions left unlocked. The historical lack of sufficient technical experts in leading government areas has left reasonable controls out of the picture. The lack of attention to data security in some of the most critical areas results from a number of antiquated mindsets and an overall deficit in talent.
However, many companies also find themselves, while not…
Having been in a leadership position for a while now, I can point to a couple of things. While there is some good advice in this post which could help, I first want to focus on the misconceptions:
Applications that provide first-class APIs require more than simple authentication; they require API keys. API keys generated by your users allow their programmatic services to interact with your APIs. These must be generated in a safe way and have different requirements than UI tokens.
In most cases with authentication, you'll have JWTs to identify and authorize a user. These JWTs come from your authentication provider. Internally, you may also have API keys to authenticate your internal services to one another. However, having to authenticate users and service clients differently causes issues:
Authentication more frequently works as identity aggregation. This means that it provides a central point to combine any number of user identity management or federated login providers in a single place, for example Google and Facebook login. Providing a solution that works with just one is easy, but supporting both and then normalizing the data becomes more complex.
Providers such as Authress normalize these, providing standard OIDC-compliant JWTs that include secure session management.
In this guide we’ll use Google login as an example of how to connect. Setting up authentication requires the following parts:
Securing a web application or API requires actually validating the access token that is being used. When using JSON Web Tokens (JWTs), there are two mechanisms for doing this, but the core of the solution requires inspecting the JWT, identifying who the authority is, and using that authority for verification.
The properties or fields in a JWT are called claims. JWTs contain an `iss` claim: the issuer. The issuer identifies the authorization server (AS) that issued the token. As such, the AS provides a full document describing how its JWTs are constructed and how to verify them…
Implementing data security within an application can be done with various access control strategies. Access control determines whether a given user is allowed to perform a particular action on a requested resource. Do they have access to see the data, make updates, or delete it? The answer to that lies within your access control policies. There are different ways to implement security, each with its own benefits and drawbacks. Finding the right one for your application can be the difference between happy users with secure, private data and a disastrous data breach.
Depending on the types of applications or services…
CTO and Founder at Rhosys, where we use AI security to protect applications. I share how to continually innovate and stay ahead in the technology domain.