Practical Case Studies
A collection of case studies and implementation stories from various companies and teams, showcasing how they've tackled security and compliance challenges.
Identity
| Link | Notes |
|---|---|
| The building blocks of modern enterprise identity | |
| Reimagining Access Management | Material's approach to access management, breaking it down into three categories: base access, just-in-time access, and tailored access |
| On Reviewing Employee Accesses Managed Through Okta | How Mercari's Security team approached the challenge of reviewing user access permissions in Okta, while dealing with legacy configurations and practices |
| Backend Authentication and Authorization Patterns: Benefits and Pitfalls of Each | |
| Streamlining AWS access with Rippling at scale | Integrating IAM Identity Center and Just-In-Time access |
| Passkeys - Threat modeling and implementation considerations | Post reviewing the current state of the technology from a security standpoint and discussing some critical aspects of passkey implementation |
| Passkeys for Normal People | Post looking at how to set up passkeys, how to use them on websites and in mobile apps, and what some of their shortcomings are |
| The cryptography behind passkeys | Post examining the cryptography behind passkeys, the guarantees they do or do not give, and interesting cryptographic things you can do with them, such as generating cryptographic keys and storing certificates |
| Passwordless Authentication Series | Palantir went passwordless across their company, including corporate and production environments (Part 1, Part 2) |
| Access approvals considered harmful | If we're unsure about access being safe, adding an approval step can just be kicking the can down the road |
Code
| Link | Notes |
|---|---|
| How we organize and get things done with SERVICEOWNERS | |
| Uber The Path to Code Provenance | Strategy for ensuring we have a verifiable attestation of the origin of all code running in production |
| How DoorDash Ensures Velocity and Reliability through Policy Automation | How DoorDash leverages OPA to build policy-based guardrails with codified rules that ensure velocity and reliability for cloud infrastructure automated deployments |
Infrastructure
| Link | Notes |
|---|---|
| Unfashionably secure: why we use isolated VMs | The Canary team shares a number of security choices they made that helped them achieve complete customer isolation |
| How Palantir Enables a Secure, Rapid Software Development Environment | This post provides background on why and how Palantir initiated their Software Supply Chain Security (SSCS) program, and focuses on the threat model behind their security controls and posture |
| How Palantir Secures Source Control | How Palantir protects source code, from zero-trust development to commit signing |
| Plaid’s journey to creating a key management system | Plaid's journey of creating and leveraging a secure Key Management System to protect sensitive data, including design, architecture, usage, and challenges |
| Building Uber’s Multi-Cloud Secrets Management Platform | How Uber built their own Secret Management Platform, solving key challenges and setting a new standard for secrets management |
Endpoints
| Link | Notes |
|---|---|
| Enforcing Device Trust on Code Changes | How the Figma security engineering team leveraged commit signatures and Okta Device Trust certificates to protect GitHub release branches |
| Designing for security and usability: Figma's modern endpoint strategy | How Figma is securing devices without slowing teams down—using tools like Santa, Opal, and smart MDM workflows |
| Rolling Out Santa Without Freezing Productivity: Tips from Securing Figma’s Fleet | Here's how Figma scaled Santa, an open-source binary authorization tool, across all their laptops to boost endpoint security while keeping workflows seamless |
| Scaling On-Prem Security at Palantir | How Palantir leverages Insight, Foundry, and Apollo to keep thousands of servers in check |
| Endpoint vulnerability management at scale | How Canva does endpoint vulnerability management on their endpoint fleet comprising over 5000 devices deployed across numerous countries worldwide |
Implementations
| Link | Notes |
|---|---|
| Inside Figma: securing internal web apps | A deep-dive into how Figma built a system for securing internal web applications that lets them require SSO authentication, enforce fine-grained authorization (via Okta groups), and support CLI tools, all using ALBs, AWS Cognito, and Okta |
| Inside Figma: getting out of the (secure) shell | A simple solution for zero-trust shell access on AWS, by leveraging AWS SSO and Systems Manager |
| Visibility at Scale: How Figma Detects Sensitive Data Exposure | Figma built Response Sampling, a real-time monitoring system that samples API responses to detect sensitive data exposure. It validates access permissions asynchronously, catches authorization bugs in staging and production, and integrates with their FigTag data categorization system to protect all sensitive fields |
| Catching Compromised Cookies | How Slack automatically detects stolen session cookies |