Technical help

Spotlight

It's not worth gambling on your users' data privacy

Why companies gamble on user data privacy

Despite GDPR, we still hear about embarrassing data leaks, often at big tech companies. What is so difficult about protecting your users' data? Turns out, it's just business...

Authorization may seem simple but always ends up more complex than you guess

So you want to build your own authorization?

When writing new software, it's hard to notice complexity creeping in. Authorization is one of the aspects where things start deceptively simple and before you notice, you end up in a zoombombing scandal.

What's the difference between authentication and authorization?

To authenticate or to authorize - what is the difference?

Authentication vs authorization - which one is which? Even experienced software developers confuse the two. Let’s make it crystal clear once and for all - what is the difference and why it matters.

Choosing an auth provider that's best for you

How to pick the best auth solution

Finding an auth provider that suits your needs is tricky. Product pages are loaded with SEO keywords that mean little in practice. Comparison websites can't distinguish between authentication and authorization. Let me help.

Multitenant architecture comparison

How to secure a multitenant application architecture

Get help creating an application where multiple users share one account.

Keep your application secure

Choosing the best access control strategy

A comparison of different access control strategies, such as role-based access control (RBAC) and others, using a simple document repository as an example.

Unlocking JWT security in web apps

Validating JWTs in Web APIs

Securing a web application or API requires actually validating the access token that is being used. When using JWTs, there are two mechanisms for doing this.

Creating API authentication for an application

API Authentication - Creating service client API keys

Learn how to create authentication for any application API. Create service client API keys and convert them to secure JWTs for consistent authentication across services.

API deleting resources

Security for deleting resources

Removing an application resource is easy: a quick DB delete. However, cleaning up the associated access control records and policy statements is the challenge.

API Client secret vault

Securely store client IDs and secret access keys

API access is provided through client IDs and secret access keys, and because of the authority attached to these credentials, they must be secured as safely as possible.

Selecting the right HTTP error code

Choosing the right error code 401, 403, or 404

Here we’ll break down the most common HTTP error responses used for the purposes of API security.

Magic links and passwordless login

Magic links and Passwordless login

Making user signup and login easy is critical to having a successful app. Magic links and passwordless login help, but they can create many problems in the longer term, and not ones that have easy solutions.

Long running transactions with refresh tokens

Handling security of long running transactions

A deep dive into security of long running offline transactions using refresh tokens and service client tokens.

Case studies

Authorize GitLab to access AWS without access keys

AWS + GitLab - Leveling up the security of your CI/CD platform.

Stop using AWS access keys and secrets today!

Capitol building cybersecurity vulnerabilities

Breach - Enabling emergency data protection

The unauthorized access to the US Capitol building presents a unique opportunity to reexamine cybersecurity best practices, which this data security case study does.

Case study of Zoombombing

Zoombombing - a case study of data protection

Zoombombing is a relatively recent phenomenon, although its underlying causes aren't new. In this case study, I take a look at what went wrong and how a company can protect itself from similar issues.