E-banking security. Configured a dedicated hardware laptop with default network policy outgoing to denied. Manually configured a very limited set of IPs for the banks sites used (no DNS server allowed, static resolution in /etc/hosts) and OS packages. Second step (or factor) done on a dedicated phone hardware too (no sim card used). Automatic browser startup at session open with tabs open for the banks website.
Been operational for a few years. Minimal maintenance. Great peace of mind.
Worth to mention in the same area regarding authorization engine with APIs is OPA [1] which is relying on a Datalog inspired language: Rego.
I agree with you that authorization is lacking a set of standards allowing interoperability. The only known practical one XACML, has not seen wide adoption. OPA through its design and API allow useful feature for Enterprise use cases for which Styra [2] (founder of OPA) is selling a solution based on those APIs.
Your quote seems to be describing what Microsoft observed from the attackers on the compromised machines with SolarWinds Orion not how the software was compromised in the first place.
> In actions observed at the Microsoft cloud, attackers have either gained administrative access using compromised privileged account credentials (e.g. stolen passwords) or by forging SAML tokens using compromised SAML token signing certificates.
> Although we do not know how the backdoor code made it into the library, from the recent campaigns, research indicates that the attackers might have compromised internal build or distribution systems of SolarWinds, embedding backdoor code into a legitimate SolarWinds library with the file name SolarWinds.Orion.Core.BusinessLayer.dll.
You can find a lot of resources on his website among which lectures on the topic of Origami folding and algorithms. http://courses.csail.mit.edu/6.849/fall20/lectures/