Make Your Security Policy Auditable
by Nicolas Fränkel
Nowadays, everybody realizes the importance of preventing undue access to one’s applications.
Many conceptual models are available: RBAC, ABAC, you name it.
Likewise, all popular stacks have frameworks and libraries to help developers implement your chosen access policy.
If your organization only has a handful of apps, that’s all fine and dandy, but problems appear at scale.
One such problem is keeping access configuration under control across dozens or even hundreds of apps.
That requires regular, if not continuous, auditing,
which is impossible to achieve when the configuration is code, and worse still when it’s a compiled language.
Open Policy Agent aims to externalize such configuration in a text format with specified semantics.
In this presentation, I’ll explain OPA in more detail and demo how to migrate from a regular Spring Boot application to an OPA-based approach in different steps.
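To make the "text format with specified semantics" concrete, here is a small RBAC policy in Rego, OPA's policy language, together with the unit tests an auditor can run with `opa test`. This is an added illustration, not material from the talk or from the OPA project; the role and permission tables are constructed sample data, the `httpapi.authz` package name and the `input.user`/`input.method`/`input.path` fields are assumptions about how a Spring Boot filter would hand the request to OPA, and `import rego.v1` assumes OPA 0.59 or newer.

```rego
# Added example (not from the talk). Policy and data live in plain text,
# so they can be versioned, diffed and audited independently of the apps.
package httpapi.authz

import rego.v1

# Deny by default: a request is allowed only if a rule below proves it.
default allow := false

# Constructed sample data: who holds which role.
user_roles := {
	"alice": {"admin"},
	"bob": {"reader"},
}

# Constructed sample data: what each role may do. In production these tables
# would normally be loaded as OPA data documents rather than embedded here.
role_permissions := {
	"admin": {
		{"method": "GET", "path": "/orders"},
		{"method": "POST", "path": "/orders"},
	},
	"reader": {
		{"method": "GET", "path": "/orders"},
	},
}

# A request is allowed when at least one role of the caller carries a
# permission matching both the HTTP method and the path.
allow if {
	some role in user_roles[input.user]
	some perm in role_permissions[role]
	perm.method == input.method
	perm.path == input.path
}

# Unit tests: `opa test .` runs these, giving auditors an executable record
# of what the policy is expected to permit and refuse.
test_admin_can_create_orders if {
	allow with input as {"user": "alice", "method": "POST", "path": "/orders"}
}

test_reader_can_list_orders if {
	allow with input as {"user": "bob", "method": "GET", "path": "/orders"}
}

test_reader_cannot_create_orders if {
	not allow with input as {"user": "bob", "method": "POST", "path": "/orders"}
}

test_unknown_user_is_denied if {
	not allow with input as {"user": "mallory", "method": "GET", "path": "/orders"}
}
```

An application would query `POST /v1/data/httpapi/authz/allow` on the OPA server with the request attributes as `input`; the point for auditing is that the decision logic sits in this file and its tests, not in compiled code spread across many services.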