Secure-by-Design Review of a Microservices Auth Subsystem
Overview
What this challenge is about.
Read the 18-page proposed auth-service design (Next.js BFF, FastAPI auth-service, Postgres for sessions + refresh, Redis for short-lived tokens, integration with Auth0 for OIDC), then:
- Run a structured review against OWASP ASVS Level 2 (around 130 controls, scoping out non-applicable ones). Score each control as present / partial / absent / not-applicable, with evidence.
- Review JWT design (claim minimization, signature algorithm, key rotation, audience validation), session design (refresh-token rotation, family invalidation on reuse, idle vs absolute timeout), and OAuth2/OIDC flow choice (PKCE for SPA, code + secret for BFF, no implicit).
- Build a threat-coverage matrix mapping ASVS controls to STRIDE threats.
- Author a remediation backlog (top 20 items) with priority and effort.
- Draft a 3-page CTO + AppSec joint memo.
Deliver the review, threat-coverage matrix, remediation backlog, and joint memo.
The Brief
What you'll do, and what you'll demonstrate.
Run an OWASP ASVS Level 2 secure-by-design review on a microservices auth subsystem and produce a remediation backlog + joint CTO/AppSec memo.
Earning criteria — what you'll demonstrate
- Apply OWASP ASVS Level 2 to a real microservices auth design
- Review JWT + session + OAuth2/OIDC design rigorously
- Build a threat-coverage matrix linking controls to threats
- Communicate auth-design risk to a CTO + AppSec joint audience
Program Fit
Where this fits in your program.
Sharpens the same skills your degree expects you to demonstrate.
Skills
Skills you'll demonstrate.
Each one shows up on your verified credential.
Careers
Roles this prepares you for.
Real titles. Real skill bridges. Pick the one closest to your trajectory.
Career mappings coming soon.