Happy new year! Here's what we've been up to in January:
As you can probably tell, we've updated our look! Check out our new website and dashboard.
We've realized that good authz resources and content are hard to come by, so we put together a curated 'awesome-authorization' list of our fav articles and resources on Github. Check it out, star it and feel free to add your favs!
I'm excited to announce that Warrant now has built-in support for Role Based Access Control! 🥳 RBAC is one of the most widely used forms of access control, so we wanted to make it as easy as possible for developers to add robust RBAC to their apps. We also know that access control isn't a "set it and forget it" type of problem. Applications evolve over time, whether it's through new features or other changes, so we've made some major updates to the Warrant Dashboard to make it easier to manage RBAC in a live application.
Insecure Direct Object Reference (shortened as IDOR) is one of the most common forms of broken access control which OWASP recently listed as the number one application security issue in 2021. A quick search for "IDOR" on Hacker One's Hacktivity feed shows that many top tech companies (and even the U.S. Department of Defense) have fallen victim to IDOR, in some cases paying out well over $10,000 per bug bounty. In this post, I'll explain what IDOR is, what causes it, and ways to protect your application against it.
Here's what we've been up to in November:
By popular demand, ‘group’ is now a pre-installed object type. ‘Groups’ can be used to easily group users and implement role based access control.
Lots of usability improvements and new functionality in the dashboard, including a new on-boarding flow with pre-filled code snippets that you can directly copy and paste into your code. You can also completely manage your app's object types and warrants from the dashboard and perform test access checks to check your work.
The topic of authorization has seen a recent resurgence in interest from developers and security folks alike. The OWASP Foundation, a trusted voice on web application security, just updated its Top 10 Web Application Security Risks and for the first time rated 'Broken Access Control' as the top vulnerability facing developers. Also this year, Airbnb, Carta, and Intuit each separately published deep-dives detailing their newly built internal authorization services.
Authorization is by no means a new security concept. So why this renewed attention to it? In this post, we’ll look at authorization as it stands today, what's changed in the landscape, and go over some best practices developers should follow.
Access Control is the process of allowing (or disallowing) user access to specific resources or actions in a software system. For example, only allowing certain users access to internal admin pages on a website or only allowing paying users access to a premium feature. There are many approaches to implementing Access Control, but Role Based Access Control (RBAC) is one of the most popular and widely used. In this guide, we'll cover a standard way to implement RBAC and discuss some best practices for implementing Access Control in APIs and web applications.
At Warrant, we're building APIs and infrastructure to help developers add authorization and access control to their apps in less than 20 lines of code. Warrant handles the complexity of managing authorization so engineering teams can focus on building their core products.
Turn your code into this.