Re: web application access control research
From: Ray Stirbei <me(at)highentropy.org>
Date: Tue Apr 22 2003 - 19:38:20 EDT
Andy,

The access control section of the OWASP guide is in the process of an overhaul and you should check the CVS repository next week because it will address some of these issues.

In terms of research, you'll find a great deal of papers here:
http://citeseer.nj.nec.com/Security/AccessControl/

If you are building a web application, the general questions to ask are:

Should I use single sign-on?
What authentication model / authorization model?
Should I build (i.e. Java JAAS)?
Should I purchase? (i.e. Tivoli, Access360, BMC, Courion, CA, Entact, etc.)

Pick what makes sense for your application and business requirements.

If you are testing a web application you can use scripts to test HTTP Basic/Digest/Forms authentication or packaged tools like Brutus, Entry, BeatLM, Hydra, etc.

I think the general trend in access and identity management is toward better integrated systems internally and towards federation externally (Liberty Alliance / MS Passport). XML standards like SAML, XACML, XKMS, DSML are critical here. Web-based access management systems (like SiteMinder) are being increasingly used for centralized policy management.

I'd be surprised if you can't find a Gartner (or other analyst) report on this topic. I found a synopsis by Giga here while looking for something else:
http://www.csoonline.com/analyst/report576.html

Hope that helps,
ray
On Tuesday 22 April 2003 06:46 pm, absmith@cerias.purdue.edu wrote:
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT