DevSec For Scale Podcast – Auth Security w/ Dan Moore, FusionAuth
In this episode of the “DevSec for Scale” podcast, host Jeremy Hess welcomes Dan Moore, Head of Developer Relations at FusionAuth, to discuss the intricacies of authentication (auth) and its evolution in modern computing. Dan breaks down the three main components of auth: authentication (identifying who you are), authorization (determining what you can do), and user management (provisioning users and assigning roles). He emphasizes the importance of using Identity Providers (IdPs) to handle these tasks, because managing user data and credentials independently is complex and carries significant security risk.
Dan shares his journey into the world of developer relations, highlighting his extensive background as an engineer and his transition to FusionAuth in 2020. At FusionAuth, he juggles multiple roles, from community support and product definition to post-sales engineering assistance. He explains that this diverse role allows him to identify recurring user issues and address them at scale through documentation and community engagement, enhancing the overall user experience.
The conversation then delves into the security risks inherent in building authentication systems. Dan discusses the necessity of robust testing, including regression testing, to ensure backward compatibility and security. He gives examples of potential vulnerabilities, such as timing attacks and the complexities of handling XML in SAML-based single sign-on (SSO) systems. He underscores the importance of minimizing dependencies and maintaining a small, well-managed dependency tree to reduce the attack surface.
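The timing-attack risk Dan mentions, as an added example that is not from the podcast or from FusionAuth's code: a token check written with an early-exit comparison, beside a hardened version that hashes both sides to a fixed length and compares in constant time. The stored token value is constructed for the example.

```python
import hashlib
import hmac

# Constructed sample value standing in for a stored API key or reset token.
STORED_TOKEN = "9f2c7a1e4b3d8c6f"


def naive_equal(a: str, b: str) -> bool:
    """Vulnerable form: returns at the first mismatching character.

    Elapsed time grows with the length of the matching prefix, which is the
    signal a remote timing attack measures to recover the token byte by byte.
    """
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def naive_steps(candidate: str, stored: str) -> int:
    """Instrumented view of naive_equal: how many characters it inspects
    before returning. Illustrates the leak without needing a stopwatch."""
    if len(candidate) != len(stored):
        return 0
    steps = 0
    for x, y in zip(candidate, stored):
        steps += 1
        if x != y:
            break
    return steps


def verify_token(candidate: str, stored: str) -> bool:
    """Hardened form: hash both values so the inputs to the comparison always
    have the same length (compare_digest is only constant-time for equal
    lengths), then compare with hmac.compare_digest, which does not exit early."""
    c = hashlib.sha256(candidate.encode("utf-8")).digest()
    s = hashlib.sha256(stored.encode("utf-8")).digest()
    return hmac.compare_digest(c, s)
```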
Jeremy and Dan also explore the differences between Identity Access Management (IAM) and Customer Identity Access Management (CIAM). Dan explains that IAM is primarily concerned with managing employee access within an organization, whereas CIAM focuses on customer access and involves more sporadic but crucial interactions with various departments like marketing and sales. He highlights the need for CIAM systems to handle a larger scale of users and the importance of providing a seamless and secure user experience.
Finally, Dan offers practical tips for developers in smaller organizations to implement security practices without disrupting their workflows. He recommends familiarizing themselves with the OWASP Top Ten security risks and incorporating threat modeling into their development processes. By understanding potential security threats and integrating security considerations into their coding practices, developers can build more secure applications while maintaining productivity.
The episode concludes with Dan sharing his contact information and inviting listeners to learn more about FusionAuth through its website. This insightful discussion provides valuable perspectives on the complexities of authentication and the evolving role of security in software development.