It's increasingly evident that for security to work, security must be baked into the development process — not a bolt-on afterthought that a dedicated security team manages. This newfound appreciation for developers' roles in security has given rise to things like DevSecOps as well as open source projects like Oso.
Oso, which just announced today the general availability of Oso Cloud, offers an open source policy engine for authorization that represents security as code so developers can express security as a natural extension of their applications.
[...] Authorization is hard to get right, and while crucially important, it's not necessarily central to anyone's business. As such, authorization tends to be something that every company requires yet often goes about in ineffective ways. Arguably, it's time we stop thinking about authorization, or security in general, as an off-the-shelf product that someone can buy, and more about a new model or mindset that developers must apply.
[...] This brings us to authorization. Authorization has so far evaded becoming a third-party service offering, largely because no one has been able to make it generic enough to be broadly relevant while still being flexible enough to be useful. Oso thinks it has cracked that code.
[...] Some developers, Neray said, may have heard of RBAC or ABAC. More cutting-edge developers may have heard of Google's Zanzibar. None of these really handle the core problem. What does work, Neray continued, is to think of authorization as composed of three core abstractions — logic, data and enforcement — and "once you understand how each of them works, you can build (or adopt) structured solutions that let you bend authorization to your will."
In practice, this means it's a bit like SQL, where if you put your data in a standard format and give it a schema, you can then query it arbitrarily. In a similar manner, in Oso you put your authorization data in a standard format, write arbitrarily simple or complex authorization logic, and can then ask any question you want.
[...] But really, it comes down to whether a little bit of trust is worth the removal of a lot of bother from your application infrastructure. As Oso co-founder and CTO Sam Scott stressed: "Our vision is to decrease the amount of time and brain calories that developers spend thinking about authorization by 10x in the next 10 years."
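The three abstractions the article describes (logic, data and enforcement) are easier to see in a small working model. The following is an added example written for this page; it is not Oso's code and does not use Oso's Polar language. Every name, role, resource and fact in it is constructed: authorization facts are stored as uniform records (data), a role-to-permission table plus a resource-hierarchy rule express the policy (logic), and a pair of query functions answer both "may this user do this?" and the reverse "which resources may this user act on?" (enforcement), which is the SQL-like "ask any question" property the text mentions.

```python
"""Toy authorization engine illustrating logic / data / enforcement.

Added illustration for this discussion; not Oso's code. All subjects, roles,
resources and facts below are constructed sample values.
"""
from dataclasses import dataclass


# ---- Data: authorization facts in one standard shape, like rows in a table ----
@dataclass(frozen=True)
class Fact:
    subject: str   # who holds the role, e.g. "alice" (constructed)
    role: str      # the role name, e.g. "editor"
    resource: str  # the resource the role applies to, e.g. "repo:payments"


# ---- Logic: what each role permits, and how resources relate to each other ----
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

# Resource hierarchy rule: a role held on an organization is inherited by every
# repository that organization owns. None marks a resource with no parent.
RESOURCE_PARENT = {
    "repo:payments": "org:acme",
    "repo:website": "org:acme",
    "repo:personal": None,
}


class Engine:
    def __init__(self, facts):
        self.facts = frozenset(facts)

    def roles_for(self, subject, resource):
        """Roles the subject holds on the resource directly or via its parent."""
        roles = {f.role for f in self.facts
                 if f.subject == subject and f.resource == resource}
        parent = RESOURCE_PARENT.get(resource)
        if parent is not None:
            roles |= self.roles_for(subject, parent)
        return roles

    # ---- Enforcement: the questions application code asks ----
    def is_allowed(self, subject, action, resource):
        """Deny by default: an unknown role grants nothing (fail closed)."""
        return any(action in ROLE_PERMISSIONS.get(r, set())
                   for r in self.roles_for(subject, resource))

    def authorize(self, subject, action, resource):
        """Raise instead of returning False, for use at a request boundary."""
        if not self.is_allowed(subject, action, resource):
            raise PermissionError(f"{subject} may not {action} {resource}")

    def authorized_resources(self, subject, action):
        """Reverse query: every known resource the subject may perform action on."""
        known = set(RESOURCE_PARENT) | {f.resource for f in self.facts}
        return sorted(r for r in known if self.is_allowed(subject, action, r))


# Constructed sample data: three users with different roles and scopes.
SAMPLE_FACTS = [
    Fact("alice", "editor", "repo:payments"),
    Fact("bob", "admin", "org:acme"),      # inherited by both acme repos
    Fact("carol", "viewer", "repo:personal"),
    Fact("dave", "auditor", "org:acme"),   # role not in the policy: grants nothing
]


def build_engine():
    return Engine(SAMPLE_FACTS)


if __name__ == "__main__":
    engine = build_engine()
    print(engine.is_allowed("bob", "delete", "repo:website"))
    print(engine.authorized_resources("bob", "read"))
    engine.authorize("alice", "write", "repo:payments")  # passes silently
```

The point of the split is that the policy (`ROLE_PERMISSIONS`, `RESOURCE_PARENT`) and the facts (`SAMPLE_FACTS`) can change independently of the application code that calls `authorize`, and the same engine answers list-style questions for UI filtering without a second, hand-written rule set that could drift from the first.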
(Score: 2) by bloodnok on Thursday October 20 2022, @06:03PM
Hmmm, that last post got away from me. The reference I meant to provide was this: https://marcmunro.github.io/veil2/html/ch01.html
__
The major