Pantek Library

Re: Fail Open Authentication and Parameter Injection

From: Gary Gwin <websec(at)cafesoft.com>
Date: Thu Mar 27 2003 - 15:22:20 EST

I think that Jeff's comments underpin the importance of reusing trusted security components across applications and externalizing security code from your application code where possible.

Frameworks like Jakarta Struts, for example, provide a nice way to leverage and implement trusted parameter checking code, and make the review process much easier by defining the control points for at least some of the form validation. Centralized application security architectures have a similar, but maybe more comprehensive, goal of removing the responsibility for authentication, access control, administration, and auditing from application code. Given the right structure, you could also automate some of your security policy authentication and access control rule testing.

Here are some recommended best practices from OpenHack 2002 that suggest some items to include in an application code security review:

   http://www.eweek.com/article2/0,3959,633780,00.asp

I think this list is synergistic with the OWASP Top 10 vulnerability list.

Gary

Jeff Williams @ Aspect wrote:
> Great example! We see bizarre stuff like this all the time. The

-- 

Gary Gwin
http://www.cafesoft.com

*****************************************************************
*                                                               *
*   The Cafesoft Access Management System, Cams, is security    *
*   software that provides single sign-on authentication and    *
*   centralized access control for Apache, Tomcat, and custom   *
*   resources.                                                  *
*                                                               *
*****************************************************************
Received on Thu Mar 27 15:57:34 2003
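The thread's subject is fail-open authentication and parameter injection, and Gary's reply argues for moving authentication and access control out of application code into one trusted component whose rules can be tested automatically. The Python sketch below is an added illustration of that contrast and is not code from this post, from Jakarta Struts, or from Cams. The `Request`, `Rule`, `Policy` classes, the `ROLES` directory, the `fail_open_is_admin` check and the `check_policy` rule tester are all constructed for the example; the fail-open check is written the way such checks typically go wrong (it denies only on an explicit failure marker and trusts request parameters), and the policy class denies anything unauthenticated, unmapped or erroring.

```python
# Added example: an inline fail-open check versus a centralized,
# fail-closed enforcement point with automated rule tests.
# Constructed for illustration; not the original post's, Struts' or Cams' code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Request:
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    # Identity established server-side at login (e.g. from a session);
    # never taken from request parameters.
    session_user: Optional[str] = None


# Constructed user-to-role directory.
ROLES: Dict[str, Set[str]] = {"alice": {"admin", "user"}, "bob": {"user"}}


# ---- The fail-open pattern, as it tends to appear scattered in app code ----
# Denies only when it positively sees a failure marker and trusts a "role"
# parameter, so a missing or attacker-supplied parameter opens the door.
def fail_open_is_admin(req: Request) -> bool:
    try:
        return req.params["auth"] != "failed" and req.params.get("role") == "admin"
    except KeyError:  # "auth" parameter absent
        return True   # read as "no failure recorded", i.e. allowed (the bug)


# ---- Centralized, fail-closed alternative ----
@dataclass(frozen=True)
class Rule:
    path_prefix: str
    required_role: str


class Policy:
    """Single enforcement point: every protected path maps to a role;
    anything unlisted, unauthenticated or erroring is denied."""

    def __init__(self, rules: List[Rule]):
        # Longest prefix first, so /admin/reports is matched before /admin.
        self.rules = sorted(rules, key=lambda r: len(r.path_prefix), reverse=True)

    def match(self, path: str) -> Optional[Rule]:
        for r in self.rules:
            if path == r.path_prefix or path.startswith(r.path_prefix.rstrip("/") + "/"):
                return r
        return None

    def is_allowed(self, req: Request) -> bool:
        try:
            if req.session_user is None:
                return False  # unauthenticated: deny
            rule = self.match(req.path)
            if rule is None:
                return False  # unmapped path: default deny
            # Decision depends only on server-side identity, never on req.params.
            return rule.required_role in ROLES.get(req.session_user, set())
        except Exception:
            return False      # any error fails closed


# ---- Automating the rule tests Gary mentions ----
def check_policy(
    policy: Policy, cases: List[Tuple[Optional[str], str, bool]]
) -> List[Tuple[Optional[str], str, bool]]:
    """Return (user, path, actual) for every case whose decision differs
    from what the policy owner expects; an empty list means the policy
    matches its specification."""
    failures = []
    for user, path, expected in cases:
        got = policy.is_allowed(Request(path=path, session_user=user))
        if got != expected:
            failures.append((user, path, got))
    return failures


POLICY = Policy([Rule("/admin", "admin"), Rule("/app", "user")])

# Constructed specification table, the kind that can run on every build.
EXPECTED = [
    ("alice", "/admin/reports", True),
    ("bob", "/admin/reports", False),
    ("bob", "/app/home", True),
    (None, "/app/home", False),
    ("alice", "/unmapped/path", False),
]

if __name__ == "__main__":
    # A request with no session that merely injects role=admin.
    forged = Request("/admin/reports", params={"role": "admin"})
    print("fail-open check lets forged request in:", fail_open_is_admin(forged))
    print("central policy denies it:", not POLICY.is_allowed(forged))
    print("policy rule test failures:", check_policy(POLICY, EXPECTED))
```

The point of the `check_policy` table is that once the decision lives in one place, the review question changes from "does every handler remember to check?" to "does this one policy match its specification?", and the second question can be asked by a script.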

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

