ARTICLES

Application Authorization in a Single Management Plane

By now it’s well understood that software applications are too valuable for businesses to leave insecure, either during the development process or after they’re deployed in production. The security lifecycle management of applications is of critical importance, and every security professional knows the potentially harmful repercussions of writing an insecure application. It’s why security teams have been trying to get into DevOps for over a decade and why a whole plethora of new tools have been and are being created on the daily.

Most of the current tools on the market, especially those developed by developers-turned-security-entrepreneurs, are focused on finding flaws in code through the lens of the OWASP Top Ten. Between these and the MITRE Common Weaknesses Enumeration Top 20, there are a lot of issues developers have to focus on when writing hardened code. By most accounts, developers would much rather spend their time building apps, designing features and functionalities that make the app work well, than authoring security policies and fixing flaws. These reasons, combined, are why secure development is so problematic.

Authorization as the focus

build.security, a startup based in Tel Aviv, is taking a more focused approach to application security. By focusing on authorization, one of application security’s biggest problem areas, build.security simplifies the code hardening process for modern development lifecycles by offering authorization policy as code. Through a single control plane, build.security’s platform has been designed to improve overall authorization policy management beyond RBAC and ABAC, which are insufficient on their own, for quicker, simpler, and better application security.

Access controls and authorization are a critical part of ensuring applications’ security postures. Still, most security products—AppSec or otherwise—lean toward authentication as their primary mechanism for protection, not authorization.

We’ve written about multi-factor authorization before, and we at TAG Cyber believe it will be an important security consideration in the future, but this article, today, is going to look at application authorization and how build.security approaches the problem of restricting authorization to least privilege using fine-grained control.

In speaking with build.security’s co-founder and CEO, Amit Kanfer, he explained that the company’s platform is built to allow authors (i.e., developers, engineers) to define their own policies with decoupled logic and opt to enforce them in real time wherever they are working—in clusters, APIs, containers, or the cloud. The platform is built on top of the Open Policy Agent (OPA), an open source project that empowers developers to build better access controls directly into cloud native apps within minutes.

A sidecar-managed solution

build.security offers API and function-level authorization in a sidecar-managed solution that can be deployed on premises in a customer’s cloud or beside an application in a service mesh. The platform automatically pulls in real-time data from multiple sources—databases, cloud services, ticketing systems, and more—to help users quickly author their access controls. Within the dashboard, users can see a full list of user roles and permissions, review suggested policy improvements, and mitigate overly permissive access controls or risky configurations.

“Developers can continue to write and check their own policies if they wish,” said Kanfer, “but I know from firsthand experience how time-consuming and menial authorization is. We take the process of identifying and managing application access policies off developers’ plates and make it easier for them to manage everything from one central control plane.”

This method tackles the age-old question of build versus buy: what is the cost-benefit analysis of purchasing a commercial solution versus building your own policies, tracking them, and managing them as part of the development lifecycle? Certainly, open source tools, like OPA or Casbin are very popular with developers. They are both offered as a library/service to help with RBAC and ABAC, built-in functions, policy storage, conflict resolution, distributed authorization, and more. But the developer/engineer must author all policies and be ready to manage them themselves if they’re using an open source platform.

Buy vs. build to automate

With a commercial platform like build.security, users pay to outsource this part of development and achieve improved authorization management. And this is a nice option. As build.security is newer to the market, we also expect that the company will enhance functionality over and above what an open source tool can provide; there is only so much people/businesses will pay to simply outsource a job that can reasonably done in house. An app with exploitable access permissions can lead to system or data breach, service disruption, or supply chain consequences. In the case of AppSec, there is little reason for humans to manually tackle authorization when machines can do it faster and better. This is build.security’s most compelling value proposition.

While build.security is in nascent stages at present, we are looking forward to seeing what the company has to offer. Least privilege and fine-grained application access controls are an important piece of application security lifecycle management.