
2 posts tagged with "transparency"


Security through transparency

· 8 min read
Fletcher Heisler
CEO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.


The XZ backdoor incident spooked a lot of people. Not all PRs are innocent—even from long-standing contributors—and this one would have created a backdoor in a utility included in almost all Linux distributions, had it not been caught.

But “open source = more vulnerable to exploits” is the wrong takeaway—being open source can actually be an advantage for security-focused products.

Sourcegraph security incident: the good, the bad, and the dangers of access tokens

· 7 min read
Jens Langhammer
CTO at Authentik Security Inc

Access tokens make identity management and authentication relatively painless for our end-users. But, like anything to do with access, tokens can also be fraught with risk and abuse.

The recent announcement from Sourcegraph that their platform had been penetrated by a malicious hacker using a leaked access token is a classic example of this balance: tokens are great… until they are in the wrong hands.

This incident prompts all of us in the software industry to take yet another look at how security around user identity and access can best be handled, to see if there are lessons to be learned and improvements to be made. That closer look covers not only how our own software and users utilize (and protect) access tokens, but also how such incidents are caught, mitigated, and communicated.

Photo by Anton Maksimov 5642.su on Unsplash