Part 7 of 11

Security at Scale

OAuth2, JWT, mTLS, DDoS.

Modules: 10
Hours: 4
Difficulty: Intermediate to Advanced
  1. 7.0 (intermediate)

    Authentication vs Authorization: Identity, Permissions, and Access Models

    AuthN vs AuthZ, session vs token auth, and access control models: RBAC, ABAC, ReBAC with examples from SpiceDB, OpenFGA, and AWS IAM.

    25 min | Tags: Spanner
  2. 7.1 (advanced)

    OAuth 2.0 and OpenID Connect: Delegated Authorization and Identity Done Right

    The OAuth 2.0 authorization framework, OIDC identity layer, and the Authorization Code + PKCE flow that is the modern standard for web and mobile.

    25 min
  3. 7.2 (intermediate)

    JWT Deep Dive: Signed Tokens, Claims, and the Revocation Problem

    How JSON Web Tokens work: JWS signing, JWE encryption, claim validation, key rotation, and the trade-offs of stateless auth.

    25 min
  4. 7.3 (advanced)

    mTLS and Service-to-Service Authentication: SPIFFE, Service Mesh, and Zero Trust

    How mutual TLS, SPIFFE/SPIRE, and service meshes like Istio and Linkerd authenticate services without long-lived credentials.

    25 min | Tags: Envoy, Istio, Consul, +1
  5. 7.4 (intermediate)

    Secrets Management: Vault, KMS, and the End of Secrets in Config Files

    Managing API keys, passwords, and certificates with Vault, AWS Secrets Manager, KMS envelope encryption, and dynamic secrets.

    25 min
  6. 7.5 (intermediate)

    DDoS Protection and WAFs: Mitigating Volumetric and Application Attacks

    Defending against L3/L4 and L7 DDoS with Cloudflare, AWS Shield, and WAFs; rate limiting, bot management, and the OWASP Top 10.

    25 min | Tags: Cloudflare, Akamai, Envoy, +1
  7. 7.6 (advanced)

    Data Residency and Compliance Architecture (GDPR, DPDP, CCPA, Right-to-Erasure)

    Designing multi-jurisdictional systems for GDPR, DPDP, CCPA, and LGPD with data classification, regional silos, crypto-shredding, and auditable erasure.

    30 min
  8. 7.7 (advanced)

    Supply Chain Security: SBOM, SLSA, Sigstore, and Defending Against xz-utils

    Protecting the software supply chain with SBOMs, SLSA provenance, Sigstore signing, admission policies, and lessons from xz-utils and SolarWinds.

    25 min
  9. 7.8 (advanced)

    Privacy-Preserving Systems (Differential Privacy, Federated Learning)

    Design systems that protect user data by construction: differential privacy, federated learning, secure aggregation, and an introduction to homomorphic encryption.

    30 min
  10. 7.9 (advanced)

    Post-Quantum Cryptography: Migrating to ML-KEM, ML-DSA, and a Crypto-Agile Future

    Why harvest-now-decrypt-later makes PQC urgent, what NIST standardized in 2024, and how to migrate production TLS and long-lived secrets to hybrid post-quantum cryptography.

    25 min