About Me
Hello, I'm Sam Scott 👋. This website primarily focuses on my professional life.
My professional life can be broken down into three main themes: my time as the cofounder/CTO at Oso, my PhD in Cryptography, and my passion for Rust.
Cofounder of Oso
Between 2018 and 2025 I was the CTO and Cofounder of Oso. Oso is Authorization as a Service, designed primarily for B2B companies with complex or fine-grained authorization requirements, and designed to work for monolith and microservice deployments.
I wrote Authorization Academy which has become the industry-standard reference on authorization.
On a technical level Oso Cloud is a globally-distributed, highly available, and low-latency system. It is effectively a compute platform that supports arbitrary logic through Polar, our logic language for authorization. Internally, it implements a datalog-style engine written in Rust and backed by SQLite.
Here's a blog post I wrote about Polar, and how we use it to evaluate queries distributed across multiple databases. And a post from a colleague on the core architecture.
PhD in Cryptography
Originally my background was in maths. I started out as a maths graduate and my first forays into cryptography were on the number-theoretic side of the field. I did my undergraduate thesis on Shor's algorithm, and worked mostly on lattice-based cryptography and novel attacks from number theory.
However, I was always more driven by the practical/applied side of things and later moved into a few different fields.
One area was exploring new cryptographic algorithms like the Pythia PRF service. The rough idea of Pythia was using cryptographic primitives to replicate the functionality from expensive hardware solutions (like HSMs), while also providing additional capabilities on top such as key rotation.
The other area was using formal methods to analyze the TLS 1.3 specification. In particular, I worked with the Tamarin Prover. My colleagues and I also found an attack on a draft version of TLS 1.3.
Here's me talking on Hanselminutes with Scott Hanselman about cryptography.
Rust
I learned about Rust while interning at Mozilla in 2015. At the time I had almost given up on being a programmer after struggling to be productive using C/C++. However, I found that the mental model of using Rust just clicked with me, and have since found it to be the most enjoyable and productive language for me.
While my early Rust code was way too overly smart -- using traits and generics wherever possible -- I've since found balance by writing the dumbest possible Rust to start with.
My main thesis about Rust is that there are really two kinds of Rust: Rust for library authors, and Rust for application builders.
In the former camp, zero-cost abstractions is the name of the game. Traits and generics are the core tools to provide flexible and powerful APIs, and performance is a critical concern everywhere. For the latter folks, explicit and static is generally better than overly abstract, and performance only matters once you've measured it. You can clone away to your heart's content.
This divide is fairly well captured in the thiserror vs anyhow split -- two error handling libraries from dtolnay which make different tradeoffs for different audiences.
Outside of using Rust at Oso, some projects I've worked on are:
libpasta: Password storage algorithms for multiple languages. In which I spent way too much time thinking about how to make it easy to embed in other languages.
serde_qs: Inspired by querystring from Rails (which I used a bunch prior to Rust). My most downloaded crate by a distance.
rudy: tools for working with Rust debuginfo