Chapter 5. Authentication and Authorization

From here on in, we will build our identity security skills to improve the security posture of our code and applications. We start with the fundamentals of authentication and authorization, followed by integrating these practices into automation and CI/CD pipelines in later chapters.

Authentication and authorization are often treated as interchangeable, but they are very different concepts. Authentication (AuthN) is the process of verifying the identity of a user, ensuring they are who they claim to be. Usernames and passwords are familiar forms of authentication, but as we’ll see here, they’re not enough to establish true identity. Authorization (AuthZ) is the granting or denying of access rights and permissions to resources after the user’s identity has been authenticated. For example, your build manager may have root-level or superuser privileges on a build server while your access is restricted or withheld completely to keep the server secure.
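To make the distinction concrete, here is an added example (not from the book) that keeps the two checks separate: a password-based AuthN step and a role-based AuthZ step for the build-server scenario above. The user store, roles, action names and fixed salt are constructed for the demo; a real system would take them from an identity provider and use a random per-user salt.

```python
import hashlib
import hmac

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept modest for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-fixed-salt-for-demo"  # use a random per-user salt in practice

# Constructed user store: username -> (salt, password hash, roles).
USERS = {
    "build_manager": (_SALT, _hash_password("mgr-secret", _SALT), {"build-admin"}),
    "dev_alice": (_SALT, _hash_password("alice-secret", _SALT), {"developer"}),
}

# Constructed authorization policy: which roles may perform which build-server actions.
PERMISSIONS = {
    "build-server:read-logs": {"build-admin", "developer"},
    "build-server:root-shell": {"build-admin"},
}

def authenticate(username: str, password: str) -> bool:
    """AuthN: is the caller who they claim to be?"""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a known one.
        _hash_password(password, _SALT)
        return False
    salt, stored_hash, _roles = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_hash_password(password, salt), stored_hash)

def authorize(username: str, action: str) -> bool:
    """AuthZ: may this already-authenticated identity perform the action? Deny by default."""
    record = USERS.get(username)
    if record is None:
        return False
    roles = record[2]
    return bool(roles & PERMISSIONS.get(action, set()))

def request_action(username: str, password: str, action: str) -> str:
    """Run AuthN first, then AuthZ; the result names which step denied the request."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, action):
        return "denied: authenticated but not authorized"
    return "allowed"
```

Note that `dev_alice` with the correct password passes authentication yet is still refused the root shell: a successful AuthN says nothing about what the identity is permitted to do.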

If you ...
