The Hidden Access Paths to Smaug's Cavern
Ben Arent
BSidesSF 2025 — Here Be Dragons · Day 1 · Main
Developers and SREs accumulate access the way Tolkien's Smaug accumulates treasure — and the hidden pathways they create to get their jobs done become the backdoors that attackers exploit. Ben Arent, drawing on over a decade of experience building SaaS products in San Francisco, examined three classes of access risk — admin panel impersonation, production secrets in local environments, and unbounded background job permissions — and proposed a framework of security invariants, behavioral analytics, and "desire path" design to close them.

---
AI review
Developer-turned-security-practitioner talk about access creep and desire paths with a $250,000 salami attack as the centerpiece. The 'make the secure path the desire path' principle is the right organizing philosophy. The observation that finance caught the attack, not security tooling, is the most important data point.