WebApp Sec mailing list archives
Re: web application access control research
From: Ray Stirbei <me () highentropy org>
Date: Thu, 24 Apr 2003 00:51:09 -0400
I completely agree with Jeff and would just like to add:

1) The reference monitor (that deals with all references/requests to objects) is really the center of gravity for security.

2) The access control matrix is the focal point of an application's security policy. Things of less importance, but necessary, to think about in a policy: password length/aging/changes, what to do with inactive user ids, how to handle password compromise, etc. A comprehensive infosec policy (among other things) is what separates an amateur development team from the pros.

3) If an architect isn't very familiar with reference monitors, it might be best to buy instead of build. There are many competent commercial products in this space.

4) If the intent is to build regardless, one doesn't have to start from scratch; that is what design patterns are for. 'A System of Patterns' (published by Wiley) is highly recommended and the patterns are platform independent. 'J2EE Design Patterns Applied' (published by Wrox) is obviously platform specific and includes source code. Look up the security patterns like 'single access point', 'check point', etc. - they start on page 200.

Hope that helps

ray

On Wednesday 23 April 2003 08:30 pm, Jeff Williams @ Aspect wrote:
Andy,

I suspect that you will find a large number of papers that deal with identification and authentication, and very few that deal with access control (aka authorization) for any kind of sophisticated security policy on web apps. The reason is that in many web environments, the authentication mechanisms are centralized and standard, and the access control mechanisms are haphazard custom code.

There is a tremendous body of literature on access control schemes for operating systems and databases. The only difference here is that the set of attributes on which access control decisions are made is a little different in the web application environment.

Here's what I look for in a web app access control scheme...

- tamperproof
- always invoked
- verifiable (minimize complexity)
- flexible support for a broad range of subjects (thing that accesses) and objects (what gets accessed)
- ability to group subject and object attributes for easier management
- ability to express access control policy in the simplest form possible

The vast majority of access control components out there allow decisions to be made based on the URL. Period. Not form data, not query string, not time of day, age of user, account number, last page visited, special deal in effect, session data, or anything else. Most developers end up coding a bunch of special rules into their code and it quickly spirals out of control. Access control mechanisms should be centralized.

By the way, the first three requirements are properties of a 'reference monitor' -- anyone implementing an access control scheme who hasn't heard those words should find out what they mean and why they're important.

I've always found that thinking through the access control matrix (of subjects and objects) raises many issues and special cases that are often overlooked without a systematic approach.

--Jeff

Jeff Williams
jeff.williams () aspectsecurity com
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: <absmith () cerias purdue edu>
To: <webappsec () securityfocus com>
Sent: Tuesday, April 22, 2003 6:46 PM
Subject: web application access control research

All,

Besides the OWASP Guide, can anyone point me to papers/articles that deal with the issues of access control of web applications? I am looking to do a survey paper on this topic. Basically, I am looking for references that talk about access control in regards to web applications: current trends, research, tools, software, ideas, etc. Any help would be great. Thanks in advance!

- Andy
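An added example, written for this archive page and not code from any of the posters, the books Ray names or the products he alludes to: a small centralized reference monitor in Python whose policy is an access control matrix of (role, object kind) cells. Each cell carries attribute conditions, so a decision can depend on object ownership, time of day and submitted form data rather than the URL alone, which is the gap Jeff describes, and every protected handler is reached only through one gate, which gives the "always invoked" property both he and Ray put at the center. The banking roles, actions, conditions, users and account numbers are constructed for illustration and are not drawn from the thread.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, Mapping, Tuple


@dataclass
class Subject:
    """The thing that accesses: identity plus roles and attributes (limits, age, ...)."""
    user_id: str
    roles: Tuple[str, ...]
    attrs: Mapping[str, object] = field(default_factory=dict)


@dataclass
class Obj:
    """What gets accessed: a kind (account, report, ...) plus attributes (owner, number, ...)."""
    kind: str
    attrs: Mapping[str, object] = field(default_factory=dict)


@dataclass
class Request:
    subject: Subject
    obj: Obj
    action: str
    # everything else a decision may hinge on: time of day, form data, session data
    context: Mapping[str, object] = field(default_factory=dict)


Condition = Callable[[Request], bool]


class ReferenceMonitor:
    """Single decision point. The policy is an access control matrix keyed by
    (role, object kind); each cell maps an action to the conditions that must
    all hold. Anything absent from the matrix is denied (default deny)."""

    def __init__(self) -> None:
        self._matrix: Dict[Tuple[str, str], Dict[str, Tuple[Condition, ...]]] = {}

    def grant(self, role: str, kind: str, action: str, *conditions: Condition) -> "ReferenceMonitor":
        self._matrix.setdefault((role, kind), {})[action] = tuple(conditions)
        return self

    def decide(self, req: Request) -> bool:
        for role in req.subject.roles:
            cell = self._matrix.get((role, req.obj.kind), {})
            if req.action in cell and all(cond(req) for cond in cell[req.action]):
                return True
        return False


def enforce(monitor: ReferenceMonitor, req: Request, handler: Callable[[Request], object]) -> object:
    """The only path to a protected handler, so the monitor is always invoked."""
    if not monitor.decide(req):
        raise PermissionError(f"{req.subject.user_id} may not {req.action} {req.obj.kind}")
    return handler(req)


# --- Attribute conditions for a constructed (hypothetical) banking policy ---

def owner_only(req: Request) -> bool:
    return req.obj.attrs.get("owner") == req.subject.user_id


def business_hours(req: Request) -> bool:
    now = req.context.get("now")            # time of day, not derivable from the URL
    return isinstance(now, time) and time(9, 0) <= now <= time(17, 0)


def within_daily_limit(req: Request) -> bool:
    amount = req.context.get("amount", 0)   # taken from the submitted form data
    return amount <= req.subject.attrs.get("daily_limit", 0)


policy = (
    ReferenceMonitor()
    .grant("customer", "account", "view", owner_only)
    .grant("customer", "account", "transfer", owner_only, business_hours, within_daily_limit)
    .grant("teller", "account", "view")
    .grant("teller", "account", "transfer", business_hours)
    .grant("auditor", "account", "view")
)


def sample_decisions() -> Dict[str, bool]:
    """Constructed subjects and objects run through the one policy."""
    alice = Subject("alice", ("customer",), {"daily_limit": 1000})
    tom = Subject("tom", ("teller",))
    ann = Subject("ann", ("auditor",))
    acct_alice = Obj("account", {"owner": "alice", "number": "ACCT-0001"})
    acct_bob = Obj("account", {"owner": "bob", "number": "ACCT-0002"})
    day, night = {"now": time(10, 30)}, {"now": time(22, 0)}
    return {
        "alice views own account": policy.decide(Request(alice, acct_alice, "view")),
        "alice views bob's account": policy.decide(Request(alice, acct_bob, "view")),
        "alice transfers 500 at 10:30": policy.decide(Request(alice, acct_alice, "transfer", {**day, "amount": 500})),
        "alice transfers 5000 at 10:30": policy.decide(Request(alice, acct_alice, "transfer", {**day, "amount": 5000})),
        "alice transfers 500 at 22:00": policy.decide(Request(alice, acct_alice, "transfer", {**night, "amount": 500})),
        "teller transfers from bob's account at 10:30": policy.decide(Request(tom, acct_bob, "transfer", {**day, "amount": 5000})),
        "auditor views bob's account": policy.decide(Request(ann, acct_bob, "view")),
        "auditor transfers": policy.decide(Request(ann, acct_alice, "transfer", {**day, "amount": 1})),
    }


def denied_message() -> str:
    """Shows the gate refusing a request; returns the PermissionError text."""
    alice = Subject("alice", ("customer",))
    acct_bob = Obj("account", {"owner": "bob"})
    try:
        enforce(policy, Request(alice, acct_bob, "view"), lambda r: "balance shown")
    except PermissionError as exc:
        return str(exc)
    return "allowed"


if __name__ == "__main__":
    for label, allowed in sample_decisions().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
    print(denied_message())
```

The matrix is the whole policy, so reviewing it (Jeff's "verifiable") means reading a handful of grant lines instead of hunting for checks scattered through page handlers; adding a new attribute such as account number or session state means adding a condition function, not a special case in application code.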
Current thread:
- web application access control research absmith (Apr 22)
- Re: web application access control research Ray Stirbei (Apr 22)
- Re: web application access control research George W. Capehart (Apr 22)
- RE: web application access control research Gunter (Apr 23)
- Re: web application access control research Gary Gwin (Apr 23)
- Re: web application access control research Jeff Williams @ Aspect (Apr 23)
- Re: web application access control research Ray Stirbei (Apr 23)