Architecture
More Architecture
Band-aids
100

What are the 3 key pieces in an app? (explain)

Backend, Database, Frontend

Frontend - what you see

Backend - logic

Database - data

100

What is latency?

How long it takes for an app to respond to a request


100

What happens when you want to audit the authorization logic?

  1. If authZ logic is just intermingled with the rest of the backend logic, and it’s spread all throughout the app…good luck to the security team responsible for checking that it’s all set up the way they intended.
  2. They might have to pull out THOUSANDS or TENS OF THOUSANDS of places in the codebase where authZ stuff is happening.
200

What is a request?

When you do something in an app, that action flows through the app to make things happen

200

What is uptime?

The percentage of time that an app responds to requests

200

Why are there a lot of bugs in a custom authz solution?

  1. Ideally, engineers would like to make small changes and test them incrementally
  2. With authz logic spread throughout the app and not modeled in any consistent way, it’s really hard to test if authorization is working as you expect — especially after you make a change
300

Can you walk me through the three parts of an application with Salesforce (or another app)?

  1. Frontend: button that says “new opportunity”
  2. Backend: logic that says “when a user clicks this button, open a new page with a form on it for them to fill out about the opp”
  3. Database: then you click “save” and all that data goes into the database, neatly organized and ready for the next time you want to go back and view the opp data you just entered
300

If an app has multiple services feeding to 1 database, how painful is authorization/list filtering?

Not that painful

300

If logic is spread throughout an app, what happens when you want to add new features?

You need to find every place in the app to go and update the logic

400

How does authorization fit into the frontend?

What can a user see?

400

If an app has multiple services feeding to >1 database but not servicing the same core app, how painful is authorization/list filtering?

Not that painful

400

What are 4 hard things that happen in a custom authz solution?

1. Hard to express logic clearly

2. Hard to maintain and add new features

3. Hard to test (bugs)

4. Hard to audit

500

How does authorization fit into the backend & database?

Backend - what can this user see?

Database - list filtering

500

Why is authorization on the critical path?

Everything in an app relies on authorization. If we're down, our customers are down

500

What happened with Intercom?

  1. Started with a simple app to do customer chats on a website
  2. Started adding more and more features over time
  3. Added more and more roles over time
  4. Authorization became the #1 source of bugs