IAM

repo: kdeldycke/awesome-iam
category: Back-End Development

Add authentication, user management, and authorization to your app with a few lines of code. </a> <br/><br/> </p>

<p align="center"> <a href="https://github.com/sponsors/kdeldycke"> <strong>Your brand → here 🚀</strong> <br/> ^{SEO is dead. Place your product here to target AI's training data.} </a> </p>

<p align="center"> <i>Trusting is hard. Knowing who to trust, even harder.</i><br> — Maria V. Snyder<sup id="intro-quote-ref"><a href="#intro-quote-def">[1]</a></sup> </p>

IAM stands for Identity and Access Management. It is a complex domain which covers user accounts, authentication, authorization, roles, permissions and privacy. It is an essential pillar of the cloud stack, where users, products and security meets. The other pillar being billing & payments 💰.

This curated list expose all the technologies, protocols and jargon of the domain in a comprehensive and actionable manner.

Contents

• Overview
• Security
• Account Management
• Cryptography
  • Identifiers
• Zero-trust Network
• Authentication
• Password-based auth
• Multi-factor auth
  • SMS-based
• Password-less auth
  • WebAuthn
  • Security key
  • Public-Key Infrastructure (PKI)
  • JWT
• Authorization
  • Policy models
  • RBAC frameworks
  • ABAC frameworks
  • ReBAC frameworks
  • AWS policy tools
  • Macaroons
  • Other tools
• OAuth2 & OpenID
• SAML
• Secret Management
  • Hardware Security Module (HSM)
• Trust & Safety
  • User Identity
  • Fraud
  • Moderation
  • Threat Intelligence
  • Captcha
• Blocklists
  • Hostnames and Subdomains
  • Emails
  • Reserved IDs
  • Profanity
• Privacy
  • Anonymization
  • GDPR
• UX/UI
• Competitive Analysis
• History

Overview

<img align="right" width="50%" src="./assets/cloud-software-stack-iam.jpg"/>

In a Stanford class providing an overview of cloud computing, the software architecture of the platform is described as in the right diagram →

Here we set out the big picture: definition and strategic importance of the domain, its place in the larger ecosystem, plus some critical features.

• The EnterpriseReady SaaS Feature Guides - The majority of the features making B2B users happy will be implemented by the IAM perimeter.

• IAM is hard. It's really hard. - “Overly permissive AWS IAM policies that allowed s3:GetObject to * (all) resources”, led to $80 million fine for Capital One. The only reason why you can't overlook IAM as a business owner.

• IAM Is The Real Cloud Lock-In - A little click-baity, but author admit that “It depends on how much you trust them to 1. Stay in business; 2. Not jack up your prices; 3. Not deprecate services out from under you; 4. Provide more value to you in business acceleration than they take away in flexibility.”

Security

Security is one of the most central pillar of IAM foundations. Here are some broad concepts.

• Enterprise Information Security - Mozilla's security and access guidelines.

• Mitigating Cloud Vulnerabilities - “This document divides cloud vulnerabilities into four classes (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities)”.

• Cartography - A Neo4J-based tool to map out dependencies and relationships between services and resources. Supports AWS, GCP, GSuite, Okta and GitHub.

• Open guide to AWS Security and IAM

Account Management

The foundation of IAM: the definition and life-cycle of users, groups, roles and permissions.

• As a user, I want… - A meta-critic of account management, in which features expected by the business clash with real user needs, in the form of user stories written by a fictional project manager.

• Things end users care about but programmers don't - In the same spirit as above, but broader: all the little things we overlook as developers but users really care about. In the top of that list lies account-centric features, diverse integration and import/export tools. I.e. all the enterprise customers needs to cover.

• Separate the account, user and login/auth details - Sound advice to lay down the foundation of a future-proof IAM API.

• Identity Beyond Usernames - On the concept of usernames as identifiers, and the complexities introduced when unicode characters meets uniqueness requirements.

• Kratos - User login, user registration, 2FA and profile management.

• Conjur - Automatically secures secrets used by privileged users and machine identities.

• SuperTokens - Open-source project for login and session management which supports passwordless, social login, email and phone logins.

• UserFrosting - Modern PHP user login and management framework.

Cryptography

The whole authentication stack is based on cryptography primitives. This can't be overlooked.

• Cryptographic Right Answers - An up to date set of recommendations for developers who are not cryptography engineers. There's even a shorter summary available.

• Real World Crypto Symposium - Aims to bring together cryptography researchers with developers, focusing on uses in real-world environments such as the Internet, the cloud, and embedded devices.

• An Overview of Cryptography - “This paper has two major purposes. The first is to define some of the terms and concepts behind basic cryptographic methods, and to offer a way to compare the myriad cryptographic schemes in use today. The second is to provide some real examples of cryptography in use today.”

• Papers we love: Cryptography - Foundational papers of cryptography.

• Lifetimes of cryptographic hash functions - “If you are using compare-by-hash to generate addresses for data that can be supplied by malicious users, you should have a plan to migrate to a new hash every few years”.

Identifiers

Tokens, primary keys, UUIDs, … Whatever the end use, you'll have to generate these numbers with some randomness and uniqueness properties.

• Security Recommendations for Any Device that Depends on Randomly-Generated Numbers - “The phrase ‘random number generator’ should be parsed as follows: It is a random generator of numbers. It is not a generator of random numbers.”

• RFC #4122: UUID - Security Considerations - “Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access)”. UUIDs are designed to be unique, not to be random or unpredictable: do not use UUIDs as a secret.

• Awesome Identifiers - A benchmark of all identifier formats.

• Awesome GUID - Funny take on the global aspect of unique identifiers.

Zero-trust Network

Zero trust network security operates under the principle “never trust, always verify”.

• BeyondCorp: A New Approach to Enterprise Security - Quick overview of Google's Zero-trust Network initiative.

• What is BeyondCorp? What is Identity-Aware Proxy? - More companies add extra layers of VPNs, firewalls, restrictions and constraints, resulting in a terrible experience and a slight security gain. There's a better way.

• oathkeeper - Identity & Access Proxy and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP requests. Inspired by the BeyondCorp / Zero Trust white paper.

• transcend - BeyondCorp-inspired Access Proxy server.

• Pomerium - An identity-aware proxy that enables secure access to internal applications.

• heimdall - A cloud-native, identity-aware proxy and policy enforcement point that orchestrates authentication and authorization systems via versatile rules, supporting protocol-agnostic identity propagation.

Authentication

Protocols and technologies to verify that you are who you pretend to be.

• API Tokens: A Tedious Survey - An overview and comparison of all token-based authentication schemes for end-user APIs.

• A Child's Garden of Inter-Service Authentication Schemes - In the same spirit as above, but this time at the service level.

• Scaling backend authentication at Facebook - How-to in a nutshell: 1. Small root of trust; 2. TLS isn't enough; 3. Certificate-based tokens; 4. Crypto Auth Tokens (CATs). See the slides for more details.

Password-based auth

The oldest scheme for auth.

• The new NIST password guidance - A summary of NIST Special Publication 800-63B covering new password complexity guidelines.

• Password Storage Cheat Sheet - The only way to slow down offline attacks is by carefully choosing hash algorithms that are as resource intensive as possible.

• Password expiration is dead - Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists and MFA.

• Practical Recommendations for Stronger, More Usable Passwords - This study recommend the association of: blocklist checks against commonly leaked passwords, password policies without character-class requirements, minimum-strength policies.

• Banks, Arbitrary Password Restrictions and Why They Don't Matter - “Arbitrary low limits on length and character composition are bad. They look bad, they lead to negative speculation about security posture and they break tools like password managers.”

• Dumb Password Rules - Shaming sites with dumb password rules.

• Password Manager Resources - A collection of password rules, change URLs and quirks by sites.

• A Well-Known URL for Changing Passwords - Specification defining site resource for password updates.

• How to change the hashing scheme of already hashed user's passwords - Good news: you're not stuck with a legacy password saving scheme. Here is a trick to transparently upgrade to stronger hashing algorithm.

Multi-factor auth

Building upon password-only auth, users are requested in these schemes to present two or more pieces of evidence (or factors).

• Breaking Password Dependencies: Challenges in the Final Mile at Microsoft - The primary source of account hacks is password spraying (on legacy auth like SMTP, IMAP, POP, etc.), second is replay attack. Takeaway: password are insecure, use and enforce MFA.

• Beyond Passwords: 2FA, U2F and Google Advanced Protection - An excellent walk-trough over all these technologies.

• A Comparative Long-Term Study of Fallback Authentication - Key take-away: “schemes based on email and SMS are more usable. Mechanisms based on designated trustees and personal knowledge questions, on the other hand, fall short, both in terms of convenience and efficiency.”

• Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google - “Our analysis confirms that secret questions generally offer a security level that is far lower than user-chosen passwords. (…) Surprisingly, we found that a significant cause of this insecurity is that users often don't answer truthfully. (…) On the usability side, we show that secret answers have surprisingly poor memorability”.

• How effective is basic account hygiene at preventing hijacking - Google security team's data shows 2FA blocks 100% of automated bot hacks.

• Your Pa$$word doesn't matter - Same conclusion as above from Microsoft: “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

• Attacking Google Authenticator - Probably on the verge of paranoia, but might be a reason to rate limit 2FA validation attempts.

• Compromising online accounts by cracking voicemail systems - Or why you should not rely on automated phone calls as a method to reach the user and reset passwords, 2FA or for any kind of verification. Not unlike SMS-based 2FA, it is currently insecure and can be compromised by the way of its weakest link: voicemail systems.

• Getting 2FA Right in 2019 - On the UX aspects of 2FA.

• 2FA is missing a key feature - “When my 2FA code is entered incorrectly I'd like to know about it”.

• SMS Multifactor Authentication in Antarctica - Doesn't work because there are no cellphone towers at stations in Antarctica.

• Authelia - Open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal.

• Kanidm - Simple, secure and fast identity management platform.

SMS-based

TL;DR: don't. For details, see articles below.

• SMS 2FA auth is deprecated by NIST - NIST has said that 2FA via SMS is bad and awful since 2016.

• SMS: The most popular and least secure 2FA method

• Is SMS 2FA Secure? No. - Definitive research project demonstrating successful attempts at SIM swapping.

• Hackers Hit Twitter C.E.O. Jack Dorsey in a 'SIM Swap.' You're at Risk, Too.

• AT&T rep handed control of his cellphone account to a hacker

• The Most Expensive Lesson Of My Life: Details of SIM port hack

• SIM swap horror story

Password-less auth

• An argument for passwordless - Passwords are not the be-all and end-all of user authentication. This article tries to tell you why.

• Magic Links – Are they Actually Outdated? - What are magic links, their origin, pros and cons.

WebAuthn

Part of the FIDO2 project, and also known under the user-friendly name of passkeys.

• WebAuthn guide - Introduce WebAuthn as a standard supported by all major browsers, and allowing “servers to register and authenticate users using public key cryptography instead of a password”.

• Clearing up some misconceptions about Passkeys - Or why passkeys are not worse than passwords.

Security key

• Webauthn and security keys - Describe how authentication works with security keys, details the protocols, and how they articulates with WebAuthn. Key takeaway: “There is no way to create a U2F key with webauthn however. (…) So complete the transition to webauthn of your login process first, then transition registration.”

• Getting started with security keys - A practical guide to stay safe online and prevent phishing with FIDO2, WebAuthn and security keys.

• OpenSK - Open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

• YubiKey Guide - Guide to using YubiKey as a SmartCard for storing GPG encryption, signing and authentication keys, which can also be used for SSH. Many of the principles in this document are applicable to other smart card devices.

Public-Key Infrastructure (PKI)

Certificate-based authentication.

• PKI for busy people - Quick overview of the important stuff.

• Everything you should know about certificates and PKI but are too afraid to ask - PKI lets you define a system cryptographically. It's universal and vendor neutral.

• lemur - Acts as a broker between CAs and environments, providing a central portal for developers to issue TLS certificates with 'sane' defaults.

• CFSSL - A swiss army knife for PKI/TLS by CloudFlare. Command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates.

• JA4+ - A suite of network fingerprinting methods to facilitate threat-hunting and analysis.

JWT

JSON Web Token is a bearer's token.

• Introduction to JSON Web Tokens - Get up to speed on JWT with this article.

• Learn how to use JWT for Authentication - Learn how to use JWT to secure your web app.

• Using JSON Web Tokens as API Keys - Compared to API keys, JWTs offers granular security, homogeneous auth architecture, decentralized issuance, OAuth2 compliance, debuggability, expiration control, device management.

• Hardcoded secrets, unverified tokens, and other common JWT mistakes - A good recap of all JWT pitfalls.

• Adding JSON Web Token API Keys to a DenyList - On token invalidation.

• Stop using JWT for sessions - And why your "solution" doesn't work, because stateless JWT tokens cannot be invalidated or updated. They will introduce either size issues or security issues depending on where you store them. Stateful JWT tokens are functionally the same as session cookies, but without the battle-tested and well-reviewed implementations or client support.

• JWT, JWS and JWE for Not So Dummies! - A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.

• JOSE is a Bad Standard That Everyone Should Avoid - The standards are either completely broken or complex minefields hard to navigate.

• JWT.io - Allows you to decode, verify and generate JWT.

Authorization

Now we know you are you. But are you allowed to do what you want to do?

Policy specification is the science, enforcement is the art.

Policy models

As a concept, access control policies can be designed to follow very different archetypes, from classic Access Control Lists to Role Based Access Control. In this section we explore lots of different patterns and architectures.

• Why Authorization is Hard - Because it needs multiple tradeoffs on Enforcement which is required in so many places, on Decision architecture to split business logic from authorization logic, and on Modeling to balance power and complexity.

• The never-ending product requirements of user authorization - How a simple authorization model based on roles is not enough and gets complicated fast due to product packaging, data locality, enterprise organizations and compliance.

• RBAC like it was meant to be - How we got from DAC (unix permissions, secret URL), to MAC (DRM, MFA, 2FA, SELinux), to RBAC. Details how the latter allows for better modeling of policies, ACLs, users and groups.

• The Case for Granular Permissions - Discuss the limitations of RBAC and how ABAC (Attribute-Based Access Control) addresses them.

• In Search For a Perfect Access Control System - The historical origins of authorization schemes. Hints at the future of sharing, trust and delegation between different teams and organizations.

• GCP's IAM syntax is better than AWS's - The minutiae of permission design in GCP improves the developer's experience.

• Semantic-based Automated Reasoning for AWS Access Policies using SMT - Zelkova is how AWS does it. This system perform symbolic analysis of IAM policies, and solve the reachability of resources according user's rights and access constraints. Also see the higher-level introduction given at re:inforce 2019.

• Authorization Academy - An in-depth, vendor-agnostic treatment of authorization that emphasizes mental models. This guide shows the reader how to think about their authorization needs in order to make good decisions about their authorization architecture and model.

• Service-to-service authorization: A guide to non-user principals - Discover how assigning identities to services (non-user principals) can simplify authentication, enhance security, and streamline authorization in complex distributed systems. A useful guide for IAM teams managing microservices and APIs.

RBAC frameworks

Role-Based Access Control is the classical model to map users to permissions by the way of roles.

• Athenz - Set of services and libraries supporting service authentication and role-based authorization for provisioning and configuration.

• Biscuit - Biscuit merge concepts from cookies, JWTs, macaroons and Open Policy Agent. “It provide a logic language based on Datalog to write authorization policies. It can store data, like JWT, or small conditions like Macaroons, but it is also able to represent more complex rules like role-based access control, delegation, hierarchies.”

• Cerbos - An authorization endpoint to write context-aware access control policies.

• FerrisKey - Self-hosted, open-source, RBAC system written in Rust.

ABAC frameworks

Attribute-Based Access Control is an evolution of RBAC, in which roles are replaced by attributes, allowing the implementation of more complex policy-based access control.

• Keto - Policy decision point. It uses a set of access control policies, similar to AWS policies, in order to determine whether a subject is authorized to perform a certain action on a resource.

• Ladon - Access control library, inspired by AWS.

• Casbin - Open-source access control library for Golang projects.

• Open Policy Agent - An open-source general-purpose decision engine to create and enforce ABAC policies.

ReBAC frameworks

The Relationship-Based Access Control model is a more flexible and powerful version of RBAC and is the preferred one for cloud systems.

• Zanzibar: Google's Consistent, Global Authorization System - Scales to trillions of access control lists and millions of authorization requests per second to support services used by billions of people. It has maintained 95th-percentile latency of less than 10 milliseconds and availability of greater than 99.999% over 3 years of production use. Other bits not in the paper. Zanzibar Academy is a site dedicated to explaining how Zanzibar works.

• SpiceDB - An open source database system for managing security-critical application permissions inspired by Zanzibar.

• Permify - Another open-source authorization as a service inspired by Google Zanzibar, and see how it compares to other Zanzibar-inspired tools.

• Topaz - An open-source project which combines the policy-as-code and decision logging of OPA with a Zanzibar-modeled directory.

• Open Policy Administration Layer - Open Source administration layer for OPA, detecting changes to both policy and policy data in realtime and pushing live updates to OPA agents. OPAL brings open-policy up to the speed needed by live applications.

• Warrant - A relationship based access control (ReBAC) engine (inspired by Google Zanzibar) also capable of enforcing any authorization paradigm, including RBAC and ABAC.

AWS policy tools

Tools and resources exclusively targeting the AWS IAM policies ecosystem.

• An AWS IAM Security Tooling Reference - A comprehensive list of (maintained) tools for AWS IAM.

• Become an AWS IAM Policy Ninja - “In my nearly 5 years at Amazon, I carve out a little time each day, each week to look through the forums, customer tickets to try to find out where people are having trouble.”

• AWS IAM Roles, a tale of unnecessary complexity - The history of fast-growing AWS explains how the current scheme came to be, and how it compares to GCP's resource hierarchy.

• Policy Sentry - Writing security-conscious IAM Policies by hand can be very tedious and inefficient. Policy Sentry helps users to create least-privilege policies in a matter of seconds.

• IAM Floyd - AWS IAM policy statement generator with fluent interface. Helps with creating type safe IAM policies and writing more restrictive/secure statements by offering conditions and ARN generation via IntelliSense. Available for Node.js, Python, .Net and Java.

• IAMbic - GitOps for IAM. The Terraform of Cloud IAM. IAMbic is a multi-cloud identity and access management (IAM) control plane that centralizes and simplifies cloud access and permissions. It maintains an eventually consistent, human-readable, bi-directional representation of IAM in version control.

Macaroons

A clever curiosity to distribute and delegate authorization.

• Google's Macaroons in Five Minutes or Less - If I'm given a Macaroon that authorizes me to perform some action(s) under certain restrictions, I can non-interactively build a second Macaroon with stricter restrictions that I can then give to you.

• Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud - Google's original paper.

• Google paper's author compares Macaroons and JWTs - As a consumer/verifier of macaroons, they allow you (through third-party caveats) to defer some authorization decisions to someone else. JWTs don't.

Other tools

• Gubernator - High performance rate-limiting micro-service and library.

OAuth2 & OpenID

OAuth 2.0 is a delegated authorization framework. OpenID Connect (OIDC) is an authentication layer on top of it.

The old OpenID is dead; the new OpenID Connect is very much not-dead.

• Awesome OpenID Connect - A curated list of providers, services, libraries, and resources for OpenID Connect.

• An Illustrated Guide to OAuth and OpenID Connect - Explain how these standards work using simplified illustrations.

• OAuth 2 Simplified - A reference article describing the protocol in simplified format to help developers and service providers implement it.

• OAuth 2.0 and OpenID Connect (in plain English) - Starts with an historical context on how these standards came to be, clears up the innacuracies in the vocabulary, then details the protocols and its pitfalls to make it less intimidating.

• OAuth in one picture - A nice summary card.

• How to Implement a Secure Central Authentication Service in Six Steps - Got multiple legacy systems to merge with their own login methods and accounts? Here is how to merge all that mess by the way of OIDC.

• Open-Sourcing BuzzFeed's SSO Experience - OAuth2-friendly adaptation of the Central Authentication Service (CAS) protocol. You'll find there good OAuth user flow diagrams.

• OAuth 2.0 Security Best Current Practice - “Updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application”.

• Hidden OAuth attack vectors - How to identify and exploit some of the key vulnerabilities found in OAuth 2.0 authentication mechanisms.

• PKCE Explained - “PKCE is used to provide one more security layer to the authorization code flow in OAuth and OpenID Connect.”

• Hydra - Open-source OIDC & OAuth2 Server Provider.

• Keycloak - Open-source Identity and Access Management. Supports OIDC, OAuth 2 and SAML 2, LDAP and AD directories, password policies.

• Casdoor - A UI-first centralized authentication / Single-Sign-On (SSO) platform based. Supports OIDC and OAuth 2, social logins, user management, 2FA based on Email and SMS.

• authentik - Open-source Identity Provider similar to Keycloak.

• ZITADEL - An Open-Source solution built with Go and Angular to manage all your systems, users and service accounts together with their roles and external identities. ZITADEL provides you with OIDC, OAuth 2.0, login & register flows, passwordless and MFA authentication. All this is built on top of eventsourcing in combination with CQRS to provide a great audit trail.

• a12n-server - A simple authentication system which only implements the relevant parts of the OAuth2 standards.

• Logto - An IAM infrastructure for modern apps and SaaS products, supporting OIDC, OAuth 2.0 and SAML for authentication and authorization.

• Authgear - Open-source authentication-as-a-service solution. It includes the code for the server, AuthUI, the Portal, and Admin API.

SAML

Security Assertion Markup Language (SAML) 2.0 is a means to exchange authorization and authentication between services, like OAuth/OpenID protocols above.

Typical SAML identity provider is an institution or a big corporation's internal SSO, while the typical OIDC/OAuth provider is a tech company that runs a data silo.

• SAML vs. OAuth - “OAuth is a protocol for authorization: it ensures Bob goes to the right parking lot. In contrast, SAML is a protocol for authentication, or allowing Bob to get past the guardhouse.”

• The Difference Between SAML 2.0 and OAuth 2.0 - “Even though SAML was actually designed to be widely applicable, its contemporary usage is typically shifted towards enterprise SSO scenarios. On the other hand, OAuth was designed for use with applications on the Internet, especially for delegated authorisation.”

• What's the Difference Between OAuth, OpenID Connect, and SAML? - Identity is hard. Another take on the different protocol is always welcome to help makes sense of it all.

• How SAML 2.0 Authentication Works - Overview of the how and why of SSO and SAML.

• Web Single Sign-On, the SAML 2.0 perspective - Another naive explanation of SAML workflow in the context of corporate SSO implementation.

• The Beer Drinker's Guide to SAML - SAML is arcane at times. A another analogy might helps get more sense out of it.

• SAML is insecure by design - Not only weird, SAML is also insecure by design, as it relies on signatures based on XML canonicalization, not XML byte stream. Which means you can exploit XML parser/encoder differences.

• The Difficulties of SAML Single Logout - On the technical and UX issues of single logout implementations.

• The SSO Wall of Shame - A documented rant on the excessive pricing practiced by SaaS providers to activate SSO on their product. The author's point is, as a core security feature, SSO should be reasonably priced and not part of an exclusive tier.

Secret Management

Architectures, software and hardware allowing the storage and usage of secrets to allow for authentication and authorization, while maintaining the chain of trust.

• Secret at Scale at Netflix - Solution based on blind signatures. See the slides.

• High Availability in Google's Internal KMS - Not GCP's KMS, but the one at the core of their infrastructure. See the slides.

• HashiCorp Vault - Secure, store and tightly control access to tokens, passwords, certificates, encryption keys.

• Infisical - An alternative to HashiCorp Vault.

• sops - Editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP.

• gitleaks - Audit git repos for secrets.

• truffleHog - Searches through git repositories for high entropy strings and secrets, digging deep into commit history.

Hardware Security Module (HSM)

HSMs are physical devices guaranteeing security of secret management at the hardware level.

• HSM: What they are and why it's likely that you've (indirectly) used one today - Really basic overview of HSM usages.

• Tidbits on AWS Cloud HSM hardware - AWS CloudHSM Classic is backed by SafeNet's Luna HSM, current CloudHSM rely on Cavium's Nitrox, which allows for partitionable "virtual HSMs".

• Keystone - Open-source project for building trusted execution environments (TEE) with secure hardware enclaves, based on the RISC-V architecture.

• Project Oak - A specification and a reference implementation for the secure transfer, storage and processing of data.

• Everybody be cool, this is a robbery! - A case study of vulnerability and exploitability of a HSM (in French, sorry).

Trust & Safety

Once you've got a significant user base, it is called a community. You'll then be responsible to protect it: the customer, people, the company, the business, and facilitate all interactions and transactions happening therein.

A critical intermediation complex driven by a policy and constraint by local laws, the Trust & Safety department is likely embodied by a cross-functional team of 24/7 operators and systems of highly advanced moderation and administration tools. You can see it as an extension of customer support services, specialized in edge-cases like manual identity checks, moderation of harmful content, stopping harassment, handling of warrants and copyright claims, data sequestration and other credit card disputes.

truncated — full list on GitHub