Collaborate Disseminate
In a layered enterprise security architecture with a Web Application Firewall (WAF) deployed in the DMZ, should there be shared responsibility between the WAF and application layer/ microservices for mitigations the WAF supports, specifica… Continue reading WAF vs. Application Layer for Bot Mitigation
An organisations has multiple service tiers. One of the services in a core tier exposes APIs to the tier above. The core tier services do RBAC, consequently an end customer token is required in order to access their APIs.
There are 2 cat… Continue reading RBAC for system to system access
Consider a scenario in which you offer service access based on a hierarchy of authority. i.e., a HEAD can register his subordinates. The authenticated HEAD has the previledge to read and update data from all of his subordinates. Is there a… Continue reading Authorise access to hierarchical data
Traditionally, we used either path-based access control or a separate DNS for public and private content segregation. In the modern era of standard-based auth, what are the best auth strategies for segregating anonymous and secure access t… Continue reading Strategies for segregating anonymous and secure access to APIs
Please consider the following scenario.
The system has a set of business owners (i.e. users of the system)
Each business owner is mapped to a set of customers
The business owners login to the system in order to manage their… Continue reading Harden against privilege escalation in Microservices