Domain models: security as a first-class concern
Andrew Harcourt at DevSecCon24 2020
Integrating security into the development process is critical for the proper functioning of an application. API gateways, RBAC systems, service mesh sidecars etc. can all provide some elements of security but the final arbiter of who can do what and under what circumstances must be the responsibility of the domain model.
One critical aspect of application security is being able to test the application's security constraints as part of the normal domain logic, and asserting about it as part of a simple, on-workstation test suite, without recourse to external API gateways or other access control mechanisms.
In this talk we'll take a look at how to embed security in our domain models, allowing for developers to take greater responsibility for integrating security into the core of our applications. We'll see some patterns for coarse-grained and fine-grained access control as well as complex business rules about who may do what to which entity, when, and under what circumstances.
Andrew Harcourt
Solutions Architect at Octopus Deploy
Andrew is a solution architect at Octopus Deploy. Other interesting places he has been include ThoughtWorks, Readify, Zap BI, Realex Payments and TRL. Andrew is a solutions architect and software engineer with interests in large-scale, high-load, geographically-distributed systems. He specialises in project rescue, governance and development methodologies, and in creating cultures of engineering excellence. He is a fan of high-quality code, domain-driven design, event-driven architecture, continuous delivery and, most importantly, shipping reliable, secure and safe code that works and solves people's problems. Andrew's mother wrote COBOL on punch cards and he has been coding in one form or another since he was five years old.
One critical aspect of application security is being able to test the application's security constraints as part of the normal domain logic, and asserting about it as part of a simple, on-workstation test suite, without recourse to external API gateways or other access control mechanisms.
In this talk we'll take a look at how to embed security in our domain models, allowing for developers to take greater responsibility for integrating security into the core of our applications. We'll see some patterns for coarse-grained and fine-grained access control as well as complex business rules about who may do what to which entity, when, and under what circumstances.
Andrew Harcourt
Solutions Architect at Octopus Deploy
Andrew is a solution architect at Octopus Deploy. Other interesting places he has been include ThoughtWorks, Readify, Zap BI, Realex Payments and TRL. Andrew is a solutions architect and software engineer with interests in large-scale, high-load, geographically-distributed systems. He specialises in project rescue, governance and development methodologies, and in creating cultures of engineering excellence. He is a fan of high-quality code, domain-driven design, event-driven architecture, continuous delivery and, most importantly, shipping reliable, secure and safe code that works and solves people's problems. Andrew's mother wrote COBOL on punch cards and he has been coding in one form or another since he was five years old.