Welcome to the 13th episode of our Security Culture Campaign! On today’s show Matt Konda discusses least privilege.

Least Privilege is at first glance obvious and self-defining. It means giving users only the access they actually need to perform a particular task in a system. On its face, it seems like you would never give users more privileges than they need, so it should be something we do by default all the time.

Examples where we apply least privilege include:

  • Google Drive - who should be able to read, comment on and edit which drives and documents?
  • AWS - what services does a given application actually need?
  • Our custom code - what do the roles and privilege models look like?

In practice, applying least privilege can be difficult for a couple of reasons.


The Jemurai Security Culture Campaign Series is a stream of topical content released every Thursday intended to help developers think about security in a particular area. The content will be available in associated videos, podcasts and blog posts.


Matt Konda

Matt is a software engineer. He's our CEO and a former OWASP Board Member and Chair.